
SOC 2 Type II in 9 Months: A Mid-Market Timeline

Mar 06, 2026

A month-by-month view of how a 110-person SaaS firm walked from no formal controls to a clean Type II report — built from a real VSERV engagement.

Month 1–2: Scoping and Readiness Assessment

Before engaging an auditor, you need to know what you are auditing. Scoping determines which Trust Services Criteria (TSC) apply to your service: Security is always included; Availability, Confidentiality, Processing Integrity, and Privacy are optional based on client contractual commitments. A readiness assessment — typically performed by an advisory firm, not your eventual auditor — identifies gaps against your chosen TSC. Budget 6-8 weeks for a thorough readiness assessment of a 100-150 person company. The output is a gap list, not a score.

Month 3–5: Control Implementation

The readiness gap list drives your remediation sprint. Common gaps for SaaS companies at this stage: access review process (formally reviewing who has access to production and removing unnecessary access every quarter), vendor management (a documented process for assessing third-party service providers), change management (evidence that code changes were reviewed and tested before production deployment), and incident response (a documented and tested IR plan). These are not technically complex — they require process discipline and documentation.

Month 6: Evidence Collection Begins

SOC 2 Type II covers a period of time — typically 6 months for the first audit. Month 6 marks the start of your observation window. From this point, every control must be operating as documented and leaving evidence: access review screenshots, change approval tickets, vendor assessment records, incident logs. Your compliance tool (Vanta, Drata, or Secureframe) automates much of this evidence collection but cannot substitute for the underlying process running correctly. Month 6 is when the paper trail begins.

Month 7–9: Audit and Report

Your auditor will request evidence for each control, sampled across the observation period. Expect 150-300 evidence items for a Security-only Type II at a 100-person company. The fieldwork phase takes 4-6 weeks. Exceptions — controls that did not operate as designed during the period — are negotiated with the auditor: some result in a qualified opinion, some are accepted as low-risk. A clean report at the first Type II audit is achievable with thorough readiness work upfront. First-time qualified opinions are common when remediation work was compressed.
