OPS ONLINETHREAT LEVEL: ELEVATEDSECTOR 04 · ACTIVE WATCHUPLINK NOMINAL · 99.997%MISSION CLOCKT+ 00:00:00DOCTRINE FM-26.A
Passed SOC 2 Audits

SOC 2 Technical Readiness

The infrastructure work required before a SOC 2 audit — access control, logging, encryption, and monitoring — from a team with a track record of taking that work through to a passed audit, not just advising on theory.

What this covers

The Trust Services Criteria your SOC 2 auditor evaluates map directly to specific infrastructure controls: access management, logging and monitoring, encryption, and change management. This is the same engineering work behind engagements ACS has taken through to a passed audit — implemented and documented before your audit window opens.

The audit itself

SOC 2 reports are issued by a licensed CPA firm following formal assessment — that relationship sits with your auditor or compliance platform, not with ACS. This engagement is the infrastructure work underneath that assessment, coordinated directly with whoever holds that relationship.

SOC 2 READINESS — FAQ

Does ACS issue SOC 2 reports?

No — SOC 2 reports are issued by a licensed CPA firm following formal audit. ACS does the infrastructure engineering that determines whether that audit finds gaps — with a track record of taking organizations through to a passed audit.

Has ACS actually taken an organization through a SOC 2 audit?

Yes — ACS has prepared infrastructure for and passed a SOC 2 audit as part of prior engagement work.

Type I or Type II — does this differ?

The underlying technical controls are the same; Type II additionally requires demonstrating those controls operated effectively over a period of time. We scope readiness work around whichever you're pursuing.

What infrastructure work does this typically involve?

Access control and least-privilege enforcement, audit logging sufficient for evidence collection, encryption configuration, and change-management processes — the technical substance behind the Trust Services Criteria your auditor evaluates.

Can you work with our existing SOC 2 auditor or compliance platform?

Yes — this is the common setup. We handle infrastructure implementation; your auditor or compliance platform (Vanta, Drata, etc.) handles evidence collection and the formal audit relationship.

How long before an audit should this start?

Ideally well before your audit window opens — implementing controls after evidence collection has started creates gaps in the evidence period. Tell us your timeline and we'll advise honestly on whether it's realistic.

Discuss SOC 2 Readiness

Tell us your audit timeline and current infrastructure state. We'll scope what's realistic.