SOC 2 Readiness Assessment: Scope of Work

Stage 1: SOC 2 Audit Scoping

We define the scope of the SOC 2 assessment by identifying the systems, services, processes,
commitments, and Trust Services Criteria relevant to your organization.

• Services Provided: Identification of the products and services delivered to customers and supported by the in-scope environment.
• Service Commitments: Review of customer contracts, service-level agreements, policies, and public commitments relevant to control design.
• System and Requirements Analysis: Evaluation of infrastructure, applications, people, procedures, and data supporting service delivery.
• Risk Assessment: Identification of internal, external, operational, and third-party risks that could affect control effectiveness.
• Trust Services Criteria Selection: Determination of applicable criteria, including Security, Availability, Confidentiality, Processing Integrity, and Privacy.
• Project Workgroup Definition: Establishment of internal stakeholders, control owners, and audit preparation responsibilities.

Deliverable: A clearly defined SOC 2 audit scope, including in-scope systems,
applicable Trust Services Criteria, key stakeholders, and readiness priorities.

Stage 2: SOC 2 Gap Assessment

We perform a detailed SOC 2 gap assessment to identify where existing controls,
documentation, and operational practices do not yet align with the applicable Trust Services Criteria.

• Control Review: Assessment of current administrative, technical, and operational controls against SOC 2 requirements.
• Documentation Review: Evaluation of policies, procedures, standards, risk registers, vendor management records, and supporting evidence.
• Control Mapping: Mapping of existing controls to the relevant Trust Services Criteria to identify strengths, overlaps, and deficiencies.
• Gap Identification: Identification of missing controls, weak processes, documentation deficiencies, and evidence gaps.
• Corrective Action Plan: Development of a practical remediation roadmap with priorities, owners, and recommended timelines.

Deliverable: A SOC 2 Corrective Action Plan outlining identified gaps,
remediation priorities, and recommendations for readiness improvement.

Stage 3: SOC 2 Remediation Support

We support your organization in implementing and strengthening the controls required to meet
SOC 2 expectations and prepare for the formal audit period.

• Control Implementation Support: Assistance with designing, enhancing, and documenting controls aligned with the applicable Trust Services Criteria.
• Process Alignment: Support for aligning business processes, governance activities, and operational practices with SOC 2 requirements.
• Policy and Procedure Development: Guidance on creating or refining core security and compliance documentation.
• Evidence Readiness: Help in organizing audit evidence and ensuring controls can be demonstrated consistently.
• Ongoing Advisory Support: Resolution of control issues and practical guidance during remediation activities.

Deliverable: Implementation and refinement of the key SOC 2 controls
necessary to support audit readiness.

Stage 4: SOC 2 Audit Assistance

During the formal SOC 2 Type I or Type II audit, we assist your team in preparing for auditor requests,
validating evidence, and addressing issues efficiently throughout the review process.

• Pre-Audit Consulting: Final preparation of key staff, control owners, and supporting documentation before auditor fieldwork begins.
• Audit Coordination Support: Assistance with organizing requests, evidence submissions, and communication with the audit firm.
• Onsite or Remote Support: Practical support during the auditor’s review to help your team respond accurately and efficiently.
• Mitigation Guidance: Support for addressing identified deficiencies or follow-up questions during the audit process.

Deliverable: Professional SOC 2 audit assistance to help your organization
navigate the audit process efficiently and with confidence.

Note: A formal SOC 2 audit must be performed by an independent
Certified Public Accountant (CPA) firm authorized to issue attestation reports
under AICPA standards.

SOC 2 Trust Services Criteria

SOC 2 assessments are based on the Trust Services Criteria (TSC), which define
the control areas used to evaluate the design and operating effectiveness of your organization’s systems.

• Security: Protection of systems and information against unauthorized access, disclosure, and misuse.
• Availability: Ensuring systems and services remain operational and accessible as committed or agreed.
• Confidentiality: Protection of confidential information throughout storage, processing, and transmission.
• Processing Integrity: Ensuring system processing is complete, valid, accurate, timely, and authorized.
• Privacy: Proper collection, use, retention, disclosure, and disposal of personal information in accordance with commitments and applicable requirements.