SOC reporting services background

SOC Reporting

SOC 2 Interactive Checklist Your Free Gap Assessment

SOC 2 is not prescriptive: there is no official list of required controls. The right checklist maps to the processes your company already runs, so this one asks 23 questions about your environment first, then builds your list from the answers, with the evidence your auditor will ask for.

Get Your Free Gap Assessment

What your results look like

No score and no letter grade. You get a checklist built from your answers: every item marked likely ready, partial, or gap, with the evidence your auditor will ask for spelled out under each one. Gaps sort to the top so the work is obvious.

Print it, email it to yourself, or bring it straight to a quote conversation. Answers you mark as unsure get flagged too, because in an audit an unknown behaves like a gap until someone owns the answer.

What the interactive checklist covers

The checklist above walks through the same ground our partners cover in a first readiness conversation: report strategy and Trust Services Category scoping, where your customer data lives, access control, change management, HR processes, governance, and the operational controls auditors test in every engagement. There is no email gate. Your answers stay in your browser, and you can print the results or email them to yourself when you finish.

How the results are organized

  • Likely ready. Controls that appear to be in place. Your auditor will still test them, but you are not starting from zero.
  • Partial. Practices that exist but need formalization: documentation, consistency, or the evidence trail that turns a habit into a testable control.
  • Gap. Items to build before your observation period starts, because a gap found during fieldwork costs more than one found now.

Every item names the evidence an auditor will request, down to the access review sign-off with a reviewer and a date on it. If you have not been through an audit before, our guide to what a SOC 2 report is and why it matters is a good place to start, and the five Trust Services Categories explain how scope gets set.

What to do with your gap assessment

A gap assessment is only useful if it changes what you do next. If your results show foundational gaps, close them before you start a Type 2 observation period; the most common ones show up so often that we wrote about the 10 most common SOC 2 gaps and how to close them. If your results are mostly partial items, the work ahead is formalization rather than control building, and our post on practical steps for SOC 2 audit readiness lays out that path.

Scoping questions deserve real attention too. Companies routinely over-scope their first report, and Privacy is the usual culprit; before you commit to it, read whether you need Privacy or just Confidentiality. And if you are still deciding between report types, the differences between Type 1 and Type 2 come down to timing and what your customers are asking for.

Not sure you need SOC 2 at all? Start a step earlier with our two-minute "Do I need SOC 2?" assessment, or see what an audit costs with the pricing calculator.

Ready for a quote?

If your results say you are closer than you thought, or the gaps are clear and you want a plan, book a free 30-minute meeting with a licensed CPA. We will walk through your checklist together and put real numbers on your audit. No obligation, and no follow-up sequence if you decide it is not time yet.

Book a Free 30-Minute Meeting

Looking for a SOC 1 or SOC 2 Audit Firm?

Sage Audits LLP is an independent US-based CPA firm that provides SOC 1 and SOC 2 assurance reports. We deliver third-party audit opinions that help you build trust with your customers and business partners.

Contact us to learn more

Latest from Sage Audits

View All Posts