RectifyCloud
Back to Blog
Compliance

How to Run a SOC 2 Internal Audit Before Your External Auditor Arrives

Learn how to run a structured SOC 2 internal audit that mirrors external auditor testing — covering scope, control walkthroughs, evidence collection, gap analysis, and remediation planning before fieldwork begins.

June 11, 202610 min read

Introduction

Most SOC 2 surprises are preventable. The exception finding that appears in your final report because a quarterly access review was never completed, the re-request that stalls fieldwork because your evidence does not cover the full observation period, the extended audit duration because your external auditor cannot locate documentation that should have been organized weeks earlier — these are not auditor problems. They are preparation problems.

A SOC 2 internal audit is the mechanism that eliminates them. It is a structured, self-directed review of every in-scope control that deliberately mirrors what your external auditor will test. You walk through each control, collect the same evidence the auditor will request, test it against the same criteria, and document what you find before the external observation window closes. When gaps exist, you find them yourself — and you have time to remediate them before they become exceptions in a report that your customers and prospects will read.

Organizations that run a rigorous internal audit before fieldwork consistently reduce external audit duration, reduce evidence re-requests, and eliminate the category of finding that comes from discovering a control failure after it is too late to fix. This guide explains how to do it.

What a SOC 2 Internal Audit Actually Is

A SOC 2 internal audit is not a compliance checklist or a policy review. It is a systematic control testing exercise that mirrors the methodology your external auditor will use during fieldwork.

External auditors test controls by selecting samples from the audit period, requesting specific evidence for each sample, and evaluating whether the evidence demonstrates the control operated as described. They are not testing whether your policies say the right things — they are testing whether your controls actually operated effectively, consistently, throughout the review period.

Your internal audit does the same thing. For each in-scope control, you identify what the control is supposed to do, determine what evidence would demonstrate it worked, collect that evidence, and evaluate whether it holds up. When it does not, you document the gap, determine the root cause, and build a remediation task before the external auditor sees the same control.

The key distinction from a casual readiness review is rigor. A readiness review might ask "do you have an access review process?" and accept a policy document as evidence. An internal audit asks "show me the completed access review records from the last three quarters, including sign-off documentation and evidence that access changes were made for identified exceptions." The latter is what your external auditor will ask. Your internal audit should be the dress rehearsal.

Scoping Your Internal Audit

The scope of your internal audit should match the scope of your SOC 2 engagement exactly. If your external audit covers the Security, Availability, and Confidentiality trust service categories, your internal audit covers the same three. If your system description includes five services, your internal audit tests controls across all five.

Define Your Control Universe

Start by building or refreshing your control inventory. This is the complete list of controls your organization has implemented to address the Trust Services Criteria in scope. For each control, document:

  • The control description — what the control does and how it operates
  • The criteria it addresses — which CC, A, or C sub-criterion it satisfies
  • The control owner — the person or team responsible for operating it
  • The frequency — whether it is continuous, daily, weekly, monthly, quarterly, or annual
  • The evidence type — what artifact demonstrates the control ran

If you are using a compliance platform, this inventory may already exist. If not, building it is the first deliverable of your internal audit process and becomes a permanent asset for future audit cycles.

Identify the Observation Period

Your internal audit should cover the same time window your external auditor will examine. For a SOC 2 Type 2 engagement, that is typically six or twelve months. If your audit window runs from January through December, your internal audit should test evidence from that full period — not just the most recent month.

This is one of the most common preparation mistakes: organizations review their current state and assume it represents the full audit period. An external auditor sampling quarterly access reviews will request evidence from every quarter in the window. If Q1 records are missing because the internal review only looked at Q3 and Q4, you will have a finding.

Prioritize by Risk and Frequency

Not all controls carry equal audit risk. Controls that run at high frequency — daily backup jobs, continuous monitoring alerts, automated access provisioning — generate large evidence populations from which auditors will sample multiple times. Controls that operate quarterly or annually — access reviews, vendor assessments, penetration testing — have smaller populations where a single missed instance is a higher proportion of the total.

Prioritize your internal audit effort on high-frequency controls where evidence gaps are most likely, and on annual controls where a single failure represents a critical gap. Automated controls with tooling-generated logs are lower risk; manual controls that depend on human execution are higher risk and deserve more scrutiny.

Phase One: Control Walkthroughs

The first phase of your internal audit is the control walkthrough — a structured conversation with each control owner that confirms the control is operating as documented.

A walkthrough is not a test. It is a verification that the control description in your inventory matches reality. Control descriptions drift over time. The policy says access reviews run monthly using a specific report pulled from your identity provider, but in practice the team switched to a different tool six months ago and the policy was never updated. The walkthrough surfaces this before the auditor discovers the discrepancy.

How to Structure a Walkthrough

For each control, schedule a working session with the control owner. Walk through the control description together and ask the owner to demonstrate the control as it currently operates — not as it was originally designed. Specific questions to cover:

  • Walk me through exactly how this control runs today. What triggers it, who executes it, and where does the output go?
  • Has anything changed about how this control operates in the last twelve months? Tool changes, team changes, process changes?
  • Where is the evidence stored? Show me the most recent instance.
  • What happens when this control identifies an exception? Walk me through the last time that happened.

Document the walkthrough results in your internal audit workpapers. Note any discrepancies between the documented control and the actual operating procedure. These discrepancies are not automatically findings — they may represent undocumented improvements — but they require resolution before fieldwork.

Common Walkthrough Findings

The most common issues surfaced during walkthroughs are control descriptions that reference tools or processes no longer in use, controls that have been informally delegated to a team member without formal ownership assignment, exception handling procedures that exist in policy but have never been tested in practice, and evidence storage locations that are ad hoc and inconsistent across control owners.

Each of these is easier to resolve in the walkthrough phase than in the evidence testing phase, and far easier than explaining them to an external auditor.

Phase Two: Evidence Collection and Testing

Once walkthroughs are complete, move to evidence collection and testing. This phase is where you actively replicate what your external auditor will do during fieldwork.

Sampling Methodology

External auditors use defined sampling methodologies to select evidence for testing. For a twelve-month audit period, an auditor testing a monthly control will typically request evidence from every month — twelve samples. For a daily control, they will select a statistical sample of twenty-five or more instances. For a quarterly control, they will request all four quarters.

Your internal audit should use the same approach. Do not cherry-pick the most recent or most accessible evidence. Pull samples that span the full audit period, including periods when the team was under-staffed, during product launches, and over holiday periods. These are exactly the periods where controls are most likely to have lapsed, and exactly where an external auditor's sample is statistically likely to land.

Evidence Testing Criteria

For each evidence sample, evaluate it against three questions:

Is it complete? Does the evidence cover everything the control is supposed to demonstrate? An access review log that lists users but does not show sign-off by an authorized reviewer is incomplete evidence. A backup completion log that shows the job ran but does not show whether it succeeded is incomplete.

Is it accurate? Does the evidence reflect what the control description says should happen? If your control says terminated employees have access revoked within 24 hours, does the evidence show the actual timestamps for termination notification and access removal? If there is a gap, is it within the defined window?

Is it consistent? Does the control appear to have operated the same way throughout the audit period, or is there evidence of inconsistency — gaps in log coverage, months where the format changed, periods where ownership appears to have been unclear?

Building Your Evidence Package

As you collect and test evidence, organize it into a structured evidence repository that mirrors how you will present it to the external auditor. Group evidence by control, include metadata that identifies the time period covered and the control it satisfies, and maintain a log of what was collected, when, and by whom.

This organization is not just an audit convenience — it is a control in itself. As noted in our guide on Beyond Screenshots: How Cryptographic Audit Logs Replace Manual SOC 2 Evidence Collection, the shift from manual screenshot-based evidence to structured, tamper-evident log exports significantly reduces both collection time and auditor scrutiny of evidence integrity. Where your current evidence consists of screenshots and manual exports, your internal audit is an opportunity to identify which controls could be automated and which evidence sources could be standardized before the external auditor arrives.

Phase Three: Gap Analysis and Finding Documentation

Once evidence testing is complete, compile your findings into a formal gap analysis. A finding is any instance where a control did not operate as described, evidence cannot be produced for a required period, or the evidence produced does not meet the completeness or accuracy criteria you applied.

Classifying Findings by Severity

Not all gaps carry equal audit risk. Classify each finding by the severity of its likely impact on your external audit:

Critical findings are gaps that, if found by an external auditor, would likely result in a qualified opinion or a significant exception in the audit report. These include access reviews that were skipped entirely, monitoring controls that were disabled for an extended period, or security incidents that were not documented or responded to within your defined SLA. Critical findings require immediate remediation and should be escalated to engineering and security leadership.

Significant findings are gaps that would likely result in an exception or a noted deficiency but would not by themselves qualify the opinion. A single missed quarterly access review, a backup job that failed once and was not investigated, or a patch that exceeded your SLA by a small margin falls into this category. These require remediation before fieldwork and a documented explanation of what occurred and how it was corrected.

Observations are documentation gaps, control description inconsistencies, or minor process deviations that do not represent control failures but would generate auditor re-requests or questions. These can often be resolved during the internal audit without impacting the external audit outcome.

Finding Documentation Format

Each finding should be documented with sufficient detail for a remediation owner to act on it without additional context. At minimum, document the control affected, the specific gap identified, the time period impacted, the potential audit impact, the root cause, and the recommended remediation action with a target completion date.

This documentation becomes the input to your remediation tracking process and, if remediation is complete before fieldwork, evidence that your organization identified and addressed the issue proactively.

Phase Four: Remediation Planning and Execution

The internal audit's value is realized in remediation. Finding gaps is only useful if they are closed before your external auditor tests the same controls.

Building the Remediation Plan

Convert your gap analysis findings into a structured remediation plan with assigned owners, specific action items, and deadlines that account for your external audit start date. Work backward from fieldwork: if your external auditor begins evidence collection in eight weeks, any control that requires a full quarterly cycle to demonstrate operating effectiveness needs remediation within the first two weeks to allow time for evidence to accumulate.

For each finding, the remediation action should address both the immediate gap and the root cause. If a quarterly access review was missed because the task was not assigned to a specific owner, remediating the finding means completing the missed review and assigning a named owner with a calendar reminder for future cycles. Fixing the symptom without fixing the process means the same gap will recur in your next audit cycle.

What Can and Cannot Be Remediated Before Fieldwork

Some gaps can be fully remediated before the external auditor arrives. A missing access review can be completed. An undocumented change management procedure can be written and approved. A monitoring alert that was disabled can be re-enabled and its configuration documented.

Some gaps cannot be fully remediated retroactively, and attempting to backfill evidence after the fact is a serious audit integrity issue. If your backup logs from Q1 are genuinely missing because the logging configuration was broken, you cannot recreate them. What you can do is document the gap honestly, demonstrate that you detected it through your internal audit process, show what you did to fix the underlying issue, and provide forward-looking evidence that the control is now operating correctly. External auditors respond far better to disclosed and remediated gaps than to gaps that surface during fieldwork without prior acknowledgment.

Tracking Remediation Progress

Maintain a live remediation tracker that shows the status of every finding through the completion of external fieldwork. Review it weekly in the period between your internal audit and the start of external testing. Escalate any items at risk of missing their deadline early enough for the audit timeline to absorb the delay.

Before fieldwork begins, conduct a brief internal review to confirm that every critical and significant finding has been remediated and that updated evidence has been collected to demonstrate the remediated control operating effectively.

Operationalizing Internal Audits as a Continuous Practice

The most mature SOC 2 programs do not treat the internal audit as a one-time pre-audit sprint. They integrate continuous control testing into their quarterly operating cadence so that internal audit findings are surfaced and remediated on a rolling basis rather than in a compressed window before external fieldwork.

This means assigning a control testing calendar that staggers testing across the year — access controls tested in Q1, change management tested in Q2, vendor management tested in Q3, monitoring and incident response tested in Q4. By the time the external audit cycle begins, each control domain has been self-tested within the prior quarter and evidence gaps have already been closed.

This approach also changes the nature of the pre-audit preparation period. Instead of a six-week sprint to collect evidence and identify gaps, the pre-audit period becomes a consolidation exercise — organizing evidence that has already been collected throughout the year, reviewing the remediation log to confirm all findings are closed, and preparing the evidence package for handoff to the external auditor.

Conclusion

A SOC 2 internal audit is the single highest-leverage activity you can complete in the weeks before external fieldwork begins. It surfaces the control gaps, evidence deficiencies, and documentation inconsistencies that would otherwise become exceptions in your final report — at a point when you still have time to fix them.

The process requires genuine rigor. A meaningful internal audit mirrors what your external auditor will test: sampling the full audit period, testing evidence against completeness and accuracy criteria, documenting findings formally, and executing a remediation plan with named owners and firm deadlines. A surface-level policy review that confirms documents exist will not surface the gaps that matter.

Organizations that build this practice into their compliance operating cadence — rather than treating it as a one-time pre-audit scramble — stop experiencing audit surprises entirely. Their findings are self-identified, their evidence packages are organized before fieldwork begins, and their external audits close faster with fewer re-requests and no critical exceptions.

For teams looking to move beyond manual evidence collection entirely and build the kind of tamper-evident, continuously generated audit log infrastructure that makes both internal and external audits dramatically more efficient, read our guide on Beyond Screenshots: How Cryptographic Audit Logs Replace Manual SOC 2 Evidence Collection.

This content was generated by AI.