Version 1

# /cs:soc2-audit-prep — SOC 2 Type II Forcing Questions **Command:** `/cs:soc2-audit-prep <scope>` The SOC 2 Type II auditor pressure-tests any SOC 2 work. Six observation-period-disciplined questions before any Type II cycle. ## When to Run - Pre-observation period (months 1-2 of cycle) - Mid-observation period (month 6 checkpoint) - Pre-field-test (month 10) - Post-report (planning next cycle) - After scope change (adding TSC category) - After major incident during observation period ## The Six SOC 2 Type II Questions ### 1. What's the scope, and which TSC categories are in? **Security always required; others elective based on customer ask.** - Common Criteria (CC1-CC9) under Security always - Availability (A1): for SaaS with SLA commitments - Processing Integrity (PI1): for systems processing transactional / financial data - Confidentiality (C1): for systems handling proprietary / confidential data - Privacy (P1-P8): for systems handling personal data (overlap with GDPR if applicable) - AICPA AT-C 205 description of system: complete + accurate + boundaries clear ### 2. Did any control skip a cycle during observation period? **Type II requires consistent operation — single skipped cycle = likely exception.** - Quarterly controls (e.g., access reviews): all 4 quarters covered - Monthly controls (e.g., vulnerability scans): all months covered - Continuous controls (e.g., logging): no gaps during period - Annual controls (e.g., BCP exercises, training): completed within period ### 3. Show me the change-management evidence for any control implemented mid-period. **Mid-period changes = high audit risk.** - New controls implemented during observation: documented with change-management - Modified controls: rationale + effective date + impact on prior samples - Removed controls: rationale + customer impact assessment - Strategy: avoid mid-period changes; defer to next cycle ### 4. Where's the exception log, and what's the materiality assessment? **Real-time exception logging — not retroactive.** - Each exception logged when discovered, not at audit time - Per exception: what / when / impact / remediation / owner - Materiality assessment: does the exception affect overall control operation? - Audit firm threshold: typically 1-2 exceptions per control acceptable; 3+ = finding ### 5. Show me sample evidence from each TSC criterion in the FIRST month of observation. **Not the last week — the first month.** - Audit firm samples across the observation period - Front-loaded evidence demonstrates operational discipline - Back-loaded evidence (last 30 days) = "scrambling" signal - Sample IDs should be reproducible from operational systems ### 6. What's the cross-walk to ISO 27001, and which evidence reuses? **75% control overlap — the canonical pair.** - Run `cross_framework_mapper.py` for HIGH-confidence overlap themes - Each shared artefact cited by both audits (one collection, two reports) - Coordinate audit calendar with cs-ciso-iso27001 - Avoid producing duplicate evidence files for same control ## Workflow ```bash # 1. Scoping + gap analysis (pre-observation) python ra-qm-team/skills/soc2-compliance/scripts/gap_analyzer.py current_state.json # 2. Control matrix with ISO 27001 cross-walk python ra-qm-team/skills/soc2-compliance/scripts/control_matrix_builder.py program.json # 3. Continuous evidence tracking (during observation) python ra-qm-team/skills/soc2-compliance/scripts/evidence_tracker.py evidence_log.json # 4. Mock audit (pre-field-test month 10) python ../../skills/compliance-os/scripts/audit_simulator.py soc2_scope.json ``` ## Output Format ```markdown # SOC 2 Type II Audit Prep: <scope> **Date:** YYYY-MM-DD **Observation Period:** YYYY-MM-DD to YYYY-MM-DD ## The Decision Being Made [scoping | pre-observation | observation-status | pre-field | report-response] ## TSC Scope - Security: included - Availability: <yes/no> - Processing Integrity: <yes/no> - Confidentiality: <yes/no> - Privacy: <yes/no> ## Observation Period Status - Months elapsed: N / 12 - Controls operated consistently: % of total - Cycle skips identified: <list> - Mid-period control changes: N (each documented with change-mgmt: yes/no) ## Exception Log - Total exceptions logged: N - Per-control max exceptions: M (audit firm tolerance: typically 1-2) - Material exceptions (overall control affected): <list> - Remediation status per exception: complete/in-progress ## Sample Evidence Coverage - Month 1-3 evidence: complete/gaps - Month 4-6 evidence: complete/gaps - Month 7-9 evidence: complete/gaps - Month 10-12 evidence: complete/gaps (only for pre-report status) ## ISO 27001 Cross-Walk Reuse - HIGH-confidence overlap themes: N - Shared artefacts in evidence pool: <count> - Duplicate evidence collection avoided: % savings ## Audit Firm Readiness - Scoping discussion: complete/pending - Description of system per AT-C 205: complete/pending - Walkthrough rehearsal: complete/pending - Sample preparation: complete/pending ## Verdict 🟢 ON-TRACK | 🟡 NEEDS-ATTENTION | 🔴 MATERIAL-RISK ## Top 3 Actions [3 concrete next steps with owner + observation-period timing] ``` ## Routing - `/cs:compliance-readiness` — for multi-framework view - `/cs:iso27001-audit-prep` — for ISO 27001 cross-walk pair (75% overlap) - `/cs:gdpr-audit-prep` — for Privacy TSC overlap - `/cs:ciso-review` — for executive cybersecurity strategy ## Related - Agent: [`cs-soc2-auditor`](../../agents/cs-soc2-auditor.md) - Skill: [`soc2-compliance`](../../../ra-qm-team/skills/soc2-compliance/SKILL.md) - Playbook: [soc2_audit_playbook.md](../../../ra-qm-team/skills/soc2-compliance/references/soc2_audit_playbook.md) - Adjacent: `../iso27001-audit-prep/`, `../gdpr-audit-prep/`, `../compliance-readiness/` --- **Version:** 1.0.0