SOC 2 Type 1 + Type 2 Audit
The single artefact every US enterprise customer asks for.
Full SOC 2 Type 1 + Type 2 readiness, internal audit and CPA coordination. We implement the Trust Services Criteria in scope (Security is mandatory; Availability, Confidentiality, Processing Integrity and Privacy as your customer commitments require) as a system that operates, and produces evidence, for the full Type 2 observation window.
- AICPA SOC 2 — 2017 Trust Services Criteria (revised)
- AICPA SOC 1 (financial reporting — separate engagement)
- ISO 27001 (mapped — 60% control overlap)
- PCI-DSS (where in scope)
Compliance is leverage, not paperwork.
If your buyers are US enterprises, a SOC 2 Type 2 report is the single most-requested artefact in security questionnaires. Type 1 (point-in-time design assessment) gets you in the door; Type 2 (operating effectiveness over an observation window, typically 12 months) closes deals. Macksofy delivers Type 1 in 6–8 weeks and prepares for Type 2 across the observation window, coordinated with a licensed US CPA firm for the final attestation.
- B2B SaaS targeting US + global enterprise
- BPO / KPO with US customer accounts
- Cloud-hosted services handling customer data
- Fintechs serving US institutional clients
- Healthtech (paired with HIPAA)
Aligned to the regulations that matter.
How we run a SOC 2 engagement.
Every phase documented, every activity evidenced, every artefact auditor-ready.
01 · TSC scoping
- Security (mandatory) + optional categories
- System description authoring
- Sub-service organisation mapping
02 · Control implementation
- Common Criteria (CC1–CC9) build-out
- Availability / Confidentiality / Processing Integrity / Privacy controls (where in scope)
- Evidence collection workflow + automation
03 · Type 1 readiness audit
- Macksofy internal audit (point-in-time)
- Findings + remediation
- Coordination with CPA for Type 1 attestation
04 · Type 2 observation window
- 12-month evidence collection (typically run as 6 + 6 months)
- Quarterly check-ins + control sampling
- Annual control testing
05 · Type 2 attestation
- Auditor walkthrough + sample testing
- Findings closure
- SOC 2 Type 2 report issuance
Everything you need to satisfy auditors.
- System description + control matrix
- Common Criteria + optional category control evidence
- Type 1 readiness audit report
- Type 2 evidence dashboard
- CPA-firm attestation coordination
- Annual SOC 2 cycle playbook
First-time SOC 2 Type 1 → Type 2
Outcome: Type 1 in 7 weeks; Type 2 issued at month 13; closed three US enterprise deals tied to attestation
The shape of a SOC 2 engagement.
Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.
What we actually examine.
Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.
- Trust Services Criteria scoping
- Common Criteria controls
- Trust Services — availability
- Trust Services — confidentiality & privacy
- Type 1 vs Type 2 readiness
- Auditor handover pack
Pick the right criteria — most SaaS in India over-scope and over-pay.
- Security (common criteria) — mandatory baseline
- Availability / Confidentiality / Privacy as relevant
- System description aligned to your customer commitments
The 100+ control points every SOC 2 audit hinges on.
- Control environment + risk-assessment posture
- Logical & physical access controls
- System operations + change management
If you sell uptime SLAs, Availability is the category your customers want evidenced.
- Capacity-management + monitoring evidence
- Backup, replication, DR test artefacts
- Incident-response playbooks linked to SLOs
Cross-border data flows + DPDP / GDPR overlap covered in one pass.
- Encryption-at-rest / in-transit posture
- Data-retention & disposal policy evidence
- Sub-processor + DPA management
Most Indian SaaS go Type 1 first — we tell you when Type 2 is realistic.
- Type 1 — point-in-time design assessment
- Type 2 — operating-effectiveness evidence over a 3- to 12-month window
- Sampling-strategy alignment with your licensed CPA firm
Everything your independent CPA needs, in the format they prefer.
- Walk-through narratives + control matrix
- Population lists + sampling artefacts
- Management assertion + remediation log
From kick-off to auditor-ready report: the week-by-week shape of the engagement follows the five phases in the methodology section above.
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
Things compliance leads ask before signing.
Get a fixed-price proposal in 48 hours.
Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
