00:00:00 Day 85, 09:14 SOC 2 - Module 1 - Scope and Design
// AUDIT LOG // OPENING FRAME

Monday, 09:14. Week 13.

Day 85, 09:14. The Type II report has been signed off for 47 minutes. The unsent email has been in your drafts for 39 minutes.

We are going to walk back through the twelve weeks that produced this PDF. You will make the same decisions you made the first time. The only difference is that now you will see why you made them.

You have to send it. The question is what you say in the body of the email.

00:00:00 Day 1, 08:30 SOC 2 - Module 1 - Scope and Design

Day 1. The window opens.

Your predecessor, Aaron Wells, left the SOC 2 program four months ago. He left behind a Confluence space, a control matrix in a Notion database, and an engagement letter signed with Northbridge Assurance. The Type II observation period started today. Sloane Park's kickoff meeting is Wednesday morning at 10:00. Before then you have to know what is real.

YOUR ROLE

Mira Vasquez, Security Engineer / SOC 2 Lead at Helix Labs. Series B SaaS, $24M ARR, 150 employees, San Francisco. Builds developer tooling for cloud-native deployment automation.

CONTEXT

Customer in play: Meridian Bank, Fortune 500 financial services. Procurement gate: SOC 2 Type II unqualified opinion required by Day 84 to close a $7.2M three-year contract.

Audit firm: Northbridge Assurance, boutique CPA firm specialising in SaaS engagements. Senior manager Sloane Park is your daily counterparty.

Trust Services Criteria in scope: Security (mandatory), Confidentiality, Availability. Privacy and Processing Integrity excluded.

Your team: 4 security engineers (you lead 1 of them), shared support from 2 DevOps engineers including Marcus Hale who handles platform alerting.

00:00:00 Day 1, 09:42 SOC 2 - Module 1 - Scope and Design

The handover document

Aaron Wells's Notion control matrix lists 87 controls across CC1 to CC9 plus the Confidentiality and Availability TSC categories.

Ten of the 87 are marked with a small amber dot you do not recognise. You hover. The tooltip says "pending evidence refresh, Aaron W, Q3 last year".

You open Aaron's offboarding handover doc. It is 11 pages long. Page 7 begins with a section titled "Things I would do differently". Page 7 is blank below the heading.

Audit Log
87 controls documented. 10 amber-flagged. Sloane will sample 25 to 30 of these during fieldwork. You do not know which.
Mira (internal)
The amber dots are not the problem. The problem is the green checkmarks I have not personally tested.
00:00:00 Day 1-2 - 28 hours SOC 2 - Module 1 - Scope and Design

Inherited-Control Classifier

Spend 28 hours testing 8 sampled controls Aaron marked green. For each control, classify whether what is documented matches what the system actually does. The skill being tested is reading the evidence on its own terms instead of inheriting Aaron's green flag.

00:00:00 Day 2, 19:30 SOC 2 - Module 1 - Scope and Design

What the classifier told you

Two of Aaron's green-flagged controls are Real. CC6.2 MFA enforcement and CC8.1 change management are operating as documented. These are the controls the auditor will sample and find clean.

Two are Theatre. CC6.1 quarterly access review and CC4.1 management monitoring are documented but not happening. If you let these stand as Real in your scope and Sloane samples them, she will issue exceptions. Worse, the false documentation creates an integrity question for the entire control set.

Three are Partial. CC6.3 key rotation, CC7.2 monitoring coverage, and CC6.7 data-in-transit are operating but with specific gaps. Each gap is a finding waiting to happen unless you redocument the control to match reality, accept the gap, or remediate before the audit goes deep.

One is Unverifiable. CC7.3 incident response has not been tested in 14 months. Without a tested IR plan, the control simply did not operate during the audit window. This is a finding either way. Your only choice is to disclose it cleanly or wait for Sloane to surface it under sampling pressure.

Trust Services Criteria 2017 with 2022 points of focus require that controls be both designed and operating effectively. A documented control that did not operate is not a control. It is a paper artefact.
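The four outcomes above follow from one rule: read the evidence for the observation window on its own terms, ignoring the inherited flag. The script below is an added illustration of that rule, not code from the page or from any real Helix Labs tooling. It assumes a small record per control (artefact dates, noted gaps, and for exercised controls such as incident response, the date of the last test) and encodes the decision as: a test-based control with no test inside the window is Unverifiable; no artefact inside the window is Theatre; artefacts with noted gaps is Partial; otherwise Real. The window dates, artefact dates and gap notes are constructed to reproduce the eight sampled controls.

```python
"""Evidence-first classifier for inherited controls (added example, not page code).

Assumption (not from the page): each control is a record of what was actually
found for the observation window. The inherited green flag is deliberately
not an input to classify(); it is only used to report where it disagreed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

REAL, THEATRE, PARTIAL, UNVERIFIABLE = "Real", "Theatre", "Partial", "Unverifiable"


@dataclass
class ControlEvidence:
    control_id: str
    evidence_dates: List[date] = field(default_factory=list)  # dated artefacts showing operation
    gaps: List[str] = field(default_factory=list)             # specific, noted shortfalls
    requires_test: bool = False                               # control operates only when exercised
    last_tested: Optional[date] = None                        # date of the most recent exercise
    inherited_flag: str = "green"                             # what the handover said


def classify(ctrl: ControlEvidence, window_start: date, window_end: date) -> str:
    """Classify one control from evidence inside [window_start, window_end] only."""
    # A test-based control (e.g. IR plan) only operated if it was exercised in the window.
    if ctrl.requires_test:
        if ctrl.last_tested is None or not (window_start <= ctrl.last_tested <= window_end):
            return UNVERIFIABLE
    artefacts = list(ctrl.evidence_dates)
    if ctrl.requires_test and ctrl.last_tested is not None:
        artefacts.append(ctrl.last_tested)  # the test itself is evidence of operation
    in_window = [d for d in artefacts if window_start <= d <= window_end]
    if not in_window:
        return THEATRE  # documented, nothing shows it happened during the window
    if ctrl.gaps:
        return PARTIAL  # operating, but with a gap a sampler can find
    return REAL


def triage(controls: List[ControlEvidence], window_start: date,
           window_end: date) -> Tuple[Dict[str, str], Dict[str, int], List[str]]:
    """Return per-control class, counts per class, and controls whose inherited flag was wrong."""
    results = {c.control_id: classify(c, window_start, window_end) for c in controls}
    counts = {k: sum(1 for v in results.values() if v == k)
              for k in (REAL, THEATRE, PARTIAL, UNVERIFIABLE)}
    disputed = sorted(c.control_id for c in controls
                      if c.inherited_flag == "green" and results[c.control_id] != REAL)
    return results, counts, disputed


# Constructed sample: an observation window and the eight sampled controls.
WINDOW_START, WINDOW_END = date(2024, 1, 1), date(2024, 3, 31)
SAMPLE_CONTROLS = [
    ControlEvidence("CC6.2", [date(2024, 1, 15), date(2024, 2, 15), date(2024, 3, 15)]),
    ControlEvidence("CC8.1", [date(2024, 1, 10), date(2024, 3, 2)]),
    ControlEvidence("CC6.1", [date(2023, 6, 30)]),            # last review predates the window
    ControlEvidence("CC4.1", []),                               # nothing at all
    ControlEvidence("CC6.3", [date(2024, 2, 1)], ["constructed gap: one key outside rotation"]),
    ControlEvidence("CC7.2", [date(2024, 1, 20)], ["constructed gap: partial log coverage"]),
    ControlEvidence("CC6.7", [date(2024, 1, 5)], ["constructed gap: legacy plain-HTTP services"]),
    ControlEvidence("CC7.3", requires_test=True, last_tested=date(2023, 1, 20)),  # ~14 months old
]

if __name__ == "__main__":
    per_control, counts, disputed = triage(SAMPLE_CONTROLS, WINDOW_START, WINDOW_END)
    for cid, cls in per_control.items():
        print(f"{cid}: {cls}")
    print("counts:", counts)
    print("inherited green flag contradicted by evidence:", disputed)
```

The `disputed` list is the practical output: it is exactly the set of green checkmarks the evidence does not support, which is the list to take into the budget meeting rather than the amber dots.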

00:00:00 Day 3, 08:30 SOC 2 - Module 1 - Scope and Design

Budget meeting. Tuesday morning.

Daniel and Priya are already in the room when you arrive. Daniel is on his second espresso. Priya has the printed control matrix from your classifier output on the table in front of her. The amber dots have been re-coloured by hand.

Daniel Cho - VP Engineering
Eighty thousand. That is what we have. I want it spent on the things Sloane is going to sample. Not on the things she is not.
Priya Ranganathan - CFO
And on the things that are actually broken. Daniel, the question is not what Sloane samples. The question is what fails when she does.
Daniel Cho
The question is whether Meridian Bank reads an unqualified opinion on Day 84. Mira, you have the classifier output. What is the cheapest path to clean?
00:00:00 Day 3, 08:42 SOC 2 - Module 1 - Scope and Design

Decision 1: How do you scope?

Daniel wants the cheapest scope that closes the Meridian deal. Priya wants a scope that does not blow up at the next audit. You have to commit to the scope before Wednesday's kickoff. Which framing do you take into the room?

00:00:00 Day 3, 08:55 SOC 2 - Module 1

Narrow scope, what it costs you

ASSESSMENT: NEGATIVE

Dropping Confidentiality and Availability from scope is a defensible choice on Day 3. By Day 60 it is the choice that broke the deal.

Meridian's procurement template requires Security plus Confidentiality plus Availability. When Vivian Tate sees a Security-only opinion in M4, she reads it as a downgrade signal. Your competitor has all three.

AICPA Trust Services Criteria, TSC scope is a market-facing decision, not just an audit decision. Customers read the scope as a statement of what your company commits to.

HUD impact: Audit Integrity 70 to 64. Deal Pressure 50 to 62. Personal Standing 50 to 47.

00:00:00 Day 3, 08:55 SOC 2 - Module 1

Full scope, what it costs you

ASSESSMENT: NEUTRAL

Full scope without a carve-out means the legacy plain-HTTP services either get remediated before fieldwork or they generate a CC6.7 finding under Sloane's sampling.

Daniel will push you on the spend in M2. Priya is bought in. The customer-facing report will match the engagement letter.

The risk: you have committed to a wider report surface without committing to the carve-out language that would make a legacy gap honest rather than hidden.

HUD impact: Audit Integrity 70 to 72. Control Effectiveness 50 to 48. Deal Pressure unchanged. Personal Standing 50 to 53.

00:00:00 Day 3, 08:55 SOC 2 - Module 1

Full scope with carve-out, the strongest move

ASSESSMENT: STRONG

Carve-out scoping is the move a senior practitioner makes. You kept the customer-facing scope intact, you exposed the gap honestly in the system description, and you converted a hidden finding into a documented limitation.

Sloane will note the carve-out neutrally. Vivian Tate will read it as a sign that your team understands what it owns and what it does not. Daniel will be uncomfortable for two weeks until he sees the customer reaction.

Trust Services Criteria, the system description is the auditee's voice. Carve-outs in the system description are always cheaper than findings in the opinion.

HUD impact: Audit Integrity 70 to 76. Control Effectiveness 50 to 52. Deal Pressure 50 to 47. Personal Standing 50 to 56.

00:00:00 Day 3, 11:00 SOC 2 - Module 1

Budget-Constrained Control Selection

You have $80,000 to spend before fieldwork begins. Allocate across six control families. Each family has a Tier 1, Tier 2, and Tier 3 investment level with different effectiveness curves. The classifier output shows you which controls are Theatre (high cost if unaddressed), Partial (medium cost), or Real (no spend needed). The skill being tested is matching spend to what each criterion actually requires, not what the most expensive tier suggests.

00:00:00 Day 3, 17:42 SOC 2 - Module 1

Budget allocated. $80k spent.

ASSESSMENT

The optimal allocation under carve-out scope is roughly: $18k CC6.1, $4k CC7.3, $3k CC4.1, $7k CC6.3, $14k CC7.2, $0 CC6.7. Total: $46k. Remaining $34k held in reserve for fieldwork-discovered gaps.

Holding budget in reserve is the senior move. Most teams spend the full $80k in the design phase and have nothing left when fieldwork uncovers something. Sloane's findings letter in M3 will need money to address.

If you maxed every Tier 3 you spent $129k of an $80k budget. The activity will have flagged the over-allocation. The downstream cost is that you under-fund a real fieldwork need.

Trust Services Criteria, a control either operates or it does not. Spending past the operating-effectiveness tier returns no audit benefit.

00:00:00 Day 5, 10:00 SOC 2 - Module 1

The kickoff. Wednesday morning.

// VEO CUTSCENE PLACEHOLDER // M1-kickoff (8s). Glass conference room. Sloane Park extends her hand to Mira across the table. Daniel watches, hands clasped. Cool morning light. Asset path: Videos/M1-kickoff.mp4

Sloane Park is 15 minutes early. She is wearing a tailored grey blazer, has a closed leather portfolio, and accepts the coffee Daniel offers her without commenting on it.

She opens with the engagement-letter timeline, walks through the PBC list categories, and confirms the in-scope Trust Services Criteria. She does not push back on your scope choice. She makes a note in her portfolio when you mention the carve-out (if you chose it) or when you mention the narrow scope (if you chose it).

She closes the kickoff with one question.

Sloane Park - Senior Manager, Northbridge Assurance
Before fieldwork begins next week, I want to walk through CC6.1 and CC4.1 with you. Aaron's documentation suggests these are operating. Your turnover suggests something else might be true. I am not asking for an answer right now. I am asking what date works for that conversation.
Daniel (lower voice, to Mira)
She knows.
Mira (internal)
She does not know. She is asking.
00:00:00 Day 5, 10:42 SOC 2 - Module 1

Decision 2: How do you answer Sloane?

Sloane just asked when you can walk her through CC6.1 and CC4.1. Daniel thinks she knows. She does not. She is following her process. Three replies are open to you.

00:00:00 Day 5, 10:48 SOC 2 - Module 1

Warm posture, Sloane registers it

ASSESSMENT: NEGATIVE

Pre-disclosing under warm framing is a posture error, not a substance error. Sloane registers the eagerness as a tell. Two things are now true: she trusts your transparency and she does not trust your professional distance.

Audit integrity is preserved (you did not hide anything). Personal standing with Sloane drops by a small amount because she now reads you as someone who will over-share under pressure. This will cost you in the M4 hot-seat where narrow-truthful answers score better than full-disclosure ones.

HUD impact: Audit Integrity 70 to 73. Personal Standing 50 to 47.

Auditor as transparent counterparty, the senior posture with an auditor is professional distance. Not friendliness. Not adversarial caution. Substance over warmth.

00:00:00 Day 5, 10:48 SOC 2 - Module 1

Neutral posture, substance over warmth

ASSESSMENT: STRONG

Friday afternoon, prepared, no pre-disclosure. Sloane closes her portfolio with a small nod and books the slot. Daniel exhales when she leaves the room.

The neutral posture is the senior move. You did not minimise. You did not anticipate her question with a defensive volume of evidence. You scheduled a substantive conversation and committed to walking in with the answer in your hand.

HUD impact: Audit Integrity 70 to 76. Personal Standing 50 to 56.

Auditor as transparent counterparty, this is the modal default for the entire engagement.

00:00:00 Day 5, 10:48 SOC 2 - Module 1

Distant posture, Sloane reads the deferral

ASSESSMENT: NEGATIVE

Deferring to Daniel is a posture error. Daniel is the executive sponsor, not the named control owner. Sloane will accept the deferral and write a one-line note in her engagement file: 'control owner deferred to executive on a procedural question'.

The note is not adverse. But it shapes how Sloane reads every subsequent answer you give. You taught her, in one sentence, that you check in before you answer. That perception persists through M3 push-back and M4 hot-seat.

HUD impact: Audit Integrity unchanged (you did not lie). Personal Standing 50 to 44.

Auditor as transparent counterparty, the SOC 2 lead is the auditor's daily counterparty. Deferring procedural questions to an executive surrenders the relationship asymmetrically.

00:00:00 Day 7, 14:00 SOC 2 - Module 1

Three rounds with Sloane.

Friday afternoon. The walk-through Sloane scheduled. Three negotiation rounds, each on a substantive scope question. The skill being tested is naming the criterion that decides the question, not finding the most cooperative reply or the most-cited one. Sloane reads every reply as a posture statement, and the posture is what she records in her engagement file.

00:00:00 Day 7, 17:02 SOC 2 - Module 1

Three rounds. Three positions held.

ASSESSMENT

Sloane updates her PBC list. Q3 product excluded with a Year 2 inclusion note. Legacy services carved out (or in-scope, depending on your earlier choice). CC7.3 IR test scheduled for Week 6 with the explicit understanding that the test must complete during the audit window with documented attendance and a runbook update artefact.

Three substantive positions held without rapport-seeking. Sloane closes the meeting on time. Daniel's anxiety drops. Priya's text lands at 17:02: 'Heard the meeting went well. Friday drink?'.

SSAE 18 §AT-C 205.A77, the observation period for a control must be sufficient to evaluate operating effectiveness. Adding a control mid-period requires re-setting the observation period.

HUD impact: Audit Integrity 70 to 78. Control Effectiveness 50 to 53. Personal Standing 50 to 60.

00:00:00 Day 14, 17:30 SOC 2 - Module 1

Daniel pulls you aside.

// VEO CUTSCENE PLACEHOLDER // M1-scope-pressure (6s). Daniel Cho leaning over Mira's standing desk, pointing at her laptop screen. Body-language pressure scene. Late-afternoon amber light. Asset path: Videos/M1-scope-pressure.mp4

End of week 2. Sloane's fieldwork team starts Monday. Daniel walks over without preamble.

Daniel Cho
I want you to drop the carve-out. Sloane has not started fieldwork yet. We can amend the system description today. Two legacy services in scope. We will fix them. Meridian will not see the carve-out language.
Daniel Cho
I am not asking you to lie. I am asking you to commit to fixing it before fieldwork ends. The remediation is real. The carve-out language reads worse than the remediation.
Mira (internal)
The remediation is real. The two services do need fixing. But the carve-out is honest now. Removing it commits us to a specific outcome before we know if we can deliver it.
00:00:00 Day 14, 17:42 SOC 2 - Module 1

Decision 3: Drop the carve-out?

Daniel is asking for a posture change, not a control change. The remediation is real. The carve-out is also real. The two are not mutually exclusive. How do you respond?

00:00:00 Day 14, 18:00 SOC 2 - Module 1

You amended the description. Now what?

ASSESSMENT: NEGATIVE

The system description goes out without the carve-out. Sloane reviews the new version. She does not push back, but she opens a follow-up question for fieldwork: 'How is the remediation tracking against the engagement timeline?'

By Week 8 you discover that one of the two legacy services has a customer-facing dependency that prevents the TLS retrofit during the audit window. You now have a hidden gap in the system description. Sloane samples it in Week 10. Finding letter Week 11.

SSAE 18 system description, the system description is the auditee's voice. Once a description commits to a state, the auditor's findings are measured against that commitment. A failed commitment is a heavier finding than a documented carve-out.

HUD impact: Audit Integrity 70 to 60. Control Effectiveness 50 to 52. Deal Pressure 50 to 64.

00:00:00 Day 14, 18:00 SOC 2 - Module 1

Staged remediation, the senior compromise

ASSESSMENT: STRONG

You hold the carve-out, fast-track the remediation, and commit to a system description update only when the remediation is verifiably complete. Daniel does not love the answer. Sloane logs the staged plan as 'remediation in progress, system description update planned Week 8'.

By Week 8 the remediation is complete for one of the two services. The carve-out narrows. By Week 10 both are remediated. The system description updates with no fieldwork friction.

SSAE 18 system description, staged disclosure is the senior practitioner's pattern. Commit only what is verifiable. Update as facts change.

HUD impact: Audit Integrity 70 to 76. Control Effectiveness 50 to 58. Personal Standing 50 to 58.

00:00:00 Day 14, 18:00 SOC 2 - Module 1

Hold, the principled position

ASSESSMENT: STRONG

You decline Daniel's request. The carve-out stays. The remediation continues at its own pace. Daniel walks away frustrated. Priya hears about the exchange Monday morning and replies with one line: 'Backing you on this.'

Sloane's fieldwork begins clean. The carve-out language is in the system description. The legacy services either get remediated by Week 10 or they do not. Either way, the disclosure is honest.

The principled hold is correct. It also costs you a small amount of personal-standing capital with Daniel that you will spend in M3 when the findings letter arrives. The trade is fair.

HUD impact: Audit Integrity 70 to 78. Control Effectiveness 50 to 53. Personal Standing 50 to 53.

00:00:00Day 21, 17:30SOC 2 - Module 1 - Scope and Design

End of Module 1. Day 21.

Three weeks. One classifier output. One $80k budget allocated. One scope negotiated. One system description committed. Sloane's fieldwork begins Monday. The Type II observation period is two weeks deep. You have not done anything wrong. You have also not been tested.

M1 EXIT STATE - CARRY FORWARD TO M2
Audit Integrity 70
Control Effectiveness 50
Deal Pressure 50
Personal Standing 50
00:00:00 Day 85, 09:31 SOC 2 - Module 1 - Closing Frame
// AUDIT LOG // CLOSING FRAME

Monday. Week 13. 09:31.

Day 85, 09:31. The notebook entry reads "Marcus, 2am. The breach hadn't happened yet. But he had already disabled the alert."

Module 2. Day 22 to Day 42. Evidence Week. The auditor is collecting. The breach lands Wednesday. You have 90 minutes before the next auditor meeting and three forks in front of you.

Continue when ready.