RectifyCloud
Back to Blog
Product

SOC 2 Type 2 Sampling: What Auditors Test & How to Prep

Learn how SOC 2 Type 2 auditors select samples for testing. Discover heavily sampled controls, the impact of missed instances, and how to build reliable evidenc

April 17, 202611 min read

Introduction

For many senior engineers and tech leads, the SOC 2 Type 2 audit is often viewed as a recurring seasonal tax on productivity. Unlike the Type 1 audit, which is essentially a point-in-time "snapshot" of your security posture, the Type 2 audit is a marathon. It evaluates the "operating effectiveness" of your controls over a specified observation period, typically ranging from six to twelve months. During this window, it is not enough to simply have a policy written down or a single configuration set correctly; you must prove that the control functioned as intended every single day of that period.

The most common misconception among engineering teams is that auditors will examine every single pull request, every onboarding ticket, and every server log generated during the year. In reality, auditors rely on a methodology known as sampling. Because reviewing 10,000 production changes or 500 new employee hires is manually impossible, auditors select a representative subset of events to determine if the system as a whole is reliable.

Understanding the mechanics of this sampling—how populations are defined, how sample sizes are calculated, and what happens when a single sample fails—is the key to moving from a reactive, "scramble-for-evidence" culture to a proactive, automated compliance posture. As modern infrastructure moves toward ephemeral environments and high-velocity deployments, the traditional method of providing "screenshots" is no longer sufficient. To survive a Type 2 audit without significant friction, tech leads must understand how to provide high-fidelity, sampled evidence that satisfies the rigorous demands of a modern auditor.

The Mechanics of Auditor Sampling

Auditors follow professional standards, primarily those set by the AICPA (American Institute of Certified Public Accountants), to determine how many items they need to test. This is governed by the concept of "statistical significance." The goal of the auditor is to obtain "reasonable assurance" that your controls are working.

Defining the Population

Before an auditor can sample, they need the "population." This is the complete list of every occurrence of a specific activity during the audit period. For example, if your control states that "all production changes must be peer-reviewed," the population is the list of every single merged Pull Request (PR) or deployment to the production environment between January 1st and December 31st.

If you cannot provide a complete and accurate population, the auditor cannot sample. This is often where engineering teams stumble first. If your Jira tickets don't match your GitHub logs, or if your AWS CloudTrail logs don't align with your deployment history, the auditor will flag a "completeness and accuracy" (C&A) issue.

Determining Sample Size

Once the population is established, the auditor determines the sample size based on the frequency of the control. While every audit firm has slightly different internal tables, the industry standard generally follows these patterns:

  • Annual Controls (e.g., Disaster Recovery Testing): Sample size of 1.
  • Quarterly Controls (e.g., Access Reviews): Sample size of 2 to 4.
  • Monthly Controls (e.g., Vulnerability Scanning): Sample size of 2 to 5.
  • Weekly Controls (e.g., Weekly Backup Checks): Sample size of 5 to 15.
  • Daily Controls (e.g., Log Monitoring): Sample size of 20 to 40.
  • Automated/Systemic Controls (e.g., MFA Enforcement): Often just 1, if the auditor can prove the system configuration is static and enforced via code.
  • Frequent/Transactional (e.g., Change Management, Onboarding): Usually 25 to 60 items, depending on the total population size and the perceived risk.

The "Rule of 25" is a common benchmark for senior engineers to keep in mind. For most manual or semi-automated processes that happen multiple times a week, you should expect the auditor to ask for roughly 25 to 40 specific examples.

The "Big Three" Sample Areas for Engineers

While SOC 2 covers many domains, there are three specific areas where technical leads bear the brunt of sampling requests. These areas are high-volume, high-risk, and require meticulous record-keeping.

1. Access Management (Joiners, Movers, Leavers)

This is the most frequent source of audit "exceptions." The auditor will ask for a list of all employees hired and terminated during the period. They will then cross-reference a sample of these names against your IAM systems (Okta, AWS, GitHub, GCP).

  • Onboarding: For a sampled new hire, did they sign the NDA? Did they complete security training within 30 days? Was their access level appropriate for their role?
  • Offboarding: For a sampled termination, was their access revoked within the timeframe specified in your policy (usually 24-72 hours)?

2. Change Management and CI/CD

Auditors want to see that your "standard" process was followed for every change. They will sample a list of production deployments and ask for the "trail" for each one. This typically includes:

  • The original ticket (Jira/Linear) describing the change.
  • The Pull Request (GitHub/GitLab) showing the code diff.
  • Evidence of a peer review (the "Approve" button).
  • Evidence of successful automated testing.
  • The timestamp of the merge and the subsequent deployment log.

3. Incident Response and Monitoring

If you had security incidents during the year, the auditor will sample them. They want to see that you followed your own Incident Response Plan. This includes the initial detection, the "war room" logs or Slack threads, the mitigation steps, and the final post-mortem/root cause analysis (RCA). Even if you had no major breaches, they will sample "alerts"—such as a GuardDuty high-severity finding—to ensure a human or automated process responded to it.

The Evidence Gap: Why Screenshots Fail

Historically, engineers satisfied auditors by taking screenshots of Jira tickets or AWS consoles. However, as we move beyond screenshots, the limitations of this method become glaringly obvious during a Type 2 audit.

Screenshots are inherently "point-in-time." They do not prove that a control was active throughout the year. Furthermore, screenshots lack metadata and are easily forged, which increases the auditor's skepticism and leads to larger sample sizes. If an auditor sees that you are manually capturing evidence, they assume the risk of human error is high, and they will sample more aggressively to compensate.

The modern approach is to provide structured data. Instead of a screenshot of a user list, provide a JSON export from an API or a signed log file. This allows the auditor to see the "system of record" directly.

Technical Example: Automated Evidence Collection

To avoid the manual labor of sampling, senior engineers should look toward automating the evidence trail. For example, rather than manually checking if MFA is enabled for every user when an auditor asks, you can use a script or a policy-as-code tool to generate a report.

Consider a scenario where the auditor samples your AWS IAM configuration to ensure no users have "Full Administrator" access without a business justification. Instead of screenshots, you can provide the output of a query. Below is an example of a structured JSON response that could be generated via the AWS CLI or a Lambda function to provide high-fidelity evidence for a population of users:

{
  "AuditPeriod": "2023-Q3",
  "ControlID": "AC-01",
  "ControlDescription": "MFA Enforcement and Least Privilege Check",
  "PopulationSize": 142,
  "SampleResults": [
    {
      "UserARN": "arn:aws:iam::123456789012:user/dev-ops-01",
      "MFAActive": true,
      "AttachedPolicies": ["PowerUserAccess"],
      "LastLogin": "2023-08-15T14:22:01Z",
      "ComplianceStatus": "PASS"
    },
    {
      "UserARN": "arn:aws:iam::123456789012:user/intern-04",
      "MFAActive": true,
      "AttachedPolicies": ["ReadOnlyAccess"],
      "LastLogin": "2023-08-12T09:10:45Z",
      "ComplianceStatus": "PASS"
    }
  ],
  "Metadata": {
    "GeneratedBy": "SecurityAutoAudit-Lambda",
    "Timestamp": "2023-09-01T00:00:00Z",
    "Signature": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
  }
}

By providing evidence in this format, you demonstrate to the auditor that your controls are not just "happening," but are being monitored programmatically. This often leads to a "test of one" for automated controls, where the auditor tests the code that generates the report rather than sampling 25 individual users.

What a "Missed Instance" Looks Like in the Final Report

One of the most stressful aspects of the Type 2 audit is the "Exception." An exception occurs when an auditor selects a sample and finds that the control was not followed. For example, if they pick 25 terminated employees and find that one of them still had access to the production database 10 days after leaving, that is an exception.

The Impact of an Exception

An exception does not necessarily mean you "fail" SOC 2. However, it will be documented in the final report (Section IV). There are two types of findings:

  1. A Deviation: A single failure in a sample. The auditor will usually expand the sample size (e.g., testing another 15 items) to see if the failure was an isolated incident or a systemic breakdown.
  2. A Qualified Opinion: If the auditor finds multiple deviations or a systemic failure, they may issue a "qualified" report. This is a red flag for enterprise customers and may require you to explain the failure to your sales prospects.

Management’s Response

If an exception is found, you will be given the opportunity to provide a "Management Response." This is where the tech lead’s expertise is vital. You must explain:

  • Root Cause: Why did this specific instance fail? (e.g., "A manual script failed to run due to an API timeout.")
  • Remediation: What did you do to fix it? (e.g., "We have since migrated to a native Okta integration that automates deprovisioning.")
  • Compensating Controls: Why does this single failure not represent a total security breakdown? (e.g., "The user’s VPN access was revoked, so even though the DB account was active, it was not reachable.")

Building an Evidence Cadence

To avoid the "empty sample period" trap, engineering teams must establish a consistent evidence cadence. An empty sample period occurs when an auditor asks for evidence from, say, the month of May, but you realized you forgot to perform your monthly access review that month. In a Type 2 audit, you cannot "backdate" evidence. If the review didn't happen in May, it’s a gap that cannot be filled.

Strategies for Maintaining Cadence

  • Automate the Population Generation: Set up a cron job that exports your "population" lists (users, PRs, logs) to an S3 bucket monthly. This ensures that when the audit starts, you aren't struggling to reconstruct history from a year ago.
  • Implement "Guardrails" instead of "Gates": Use tools like Terraform Cloud or GitHub Actions to enforce controls. If the control is "all PRs need an approval," don't just make it a policy; enforce it in the repository settings. The auditor can then test the setting rather than 40 individual PRs.
  • Centralize Evidence in a "Compliance-as-Code" Repository: Create a dedicated repository where automated scripts dump audit-ready artifacts. This creates a clear, immutable trail of evidence that spans the entire observation period.
  • Monthly Internal "Mini-Audits": Spend 30 minutes once a month picking 3 random samples from your own populations. If you can’t find the evidence easily, your auditor won’t be able to either.

Key Takeaways for Tech Leads

To summarize the sampling process, keep these points in mind during your next audit cycle:

  • Accuracy is paramount: If your population list is missing items, the auditor will lose trust in your data integrity immediately.
  • Sample sizes are predictable: Expect to provide 25-40 items for high-frequency controls.
  • Consistency beats perfection: A single miss can be explained, but a three-month gap in evidence is a systemic failure.
  • Move away from manual captures: The more you can provide API-driven, structured data, the less time you will spend in "evidence collection hell."

Conclusion

The SOC 2 Type 2 audit is a rigorous test of operational discipline. For a senior engineer, the goal is to make the audit a "non-event" by integrating compliance into the existing development lifecycle. By understanding how auditors use sampling to extrapolate the health of your security program, you can focus your efforts on the areas that matter most: maintaining clean populations, automating the evidence trail, and ensuring that controls operate consistently every month of the year.

Ultimately, the transition from manual screenshots to automated, sampled evidence is not just about passing an audit; it is about building more resilient and transparent systems. When you move beyond the "snapshot" mentality and embrace a continuous evidence cadence, you not only satisfy the auditor but also gain deeper visibility into your own infrastructure. This transparency is the hallmark of a mature engineering organization, turning a compliance requirement into a competitive advantage for your business.

Don't wait for the auditor to ask for your first sample. Start by identifying your most critical populations today, and ensure that the evidence for their operation is being captured, signed, and stored where it can be easily retrieved. In the world of SOC 2 Type 2, the best defense is a well-documented, automated offense.

This content was generated by AI.