SOC 2 Certification in George Town
CertPro is a Licensed CPA Firm conducting formal SOC 2 examinations for organizations in George Town, Penang. Every SOC 2 engagement is structured under the AICPA Trust Services Criteria framework, covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. CertPro issues Type I and Type II attestation reports for service organizations operating across George Town’s technology and shared services sectors, helping them meet enterprise client expectations with independently verified assurance.
What Is SOC 2 Certification
SOC 2 Certification is a formal attestation process established by the American Institute of Certified Public Accountants (AICPA) under its System and Organization Controls framework. It evaluates whether a service organization’s internal controls governing data security, availability, processing integrity, confidentiality, and privacy meet the standards defined by the Trust Services Criteria (TSC). The result of a completed SOC 2 engagement is an independent attestation report issued by a Licensed CPA Firm — not a pass/fail certificate. This distinction is fundamental: SOC 2 produces an attestation, meaning a qualified CPA affirms the accuracy of a service organization’s representations about its controls.
The AICPA’s Trust Services Criteria replace the older SAS 70 and SSAE 16 standards. SOC 2 examinations are governed by AT-C Section 205 of the AICPA’s attestation standards. Unlike ISO 27001 — which is a certification issued by an accreditation body — SOC 2 Certification in George Town results in an auditor’s report that describes a service organization’s control environment and the results of testing. Clients, enterprise customers, and regulators rely on this report to assess vendor risk. SOC 2 does not produce a binary certified-or-not status; it produces a detailed examination report that stakeholders interpret directly.
Attestation vs. Certification: A Critical Distinction
Many organizations in George Town use the term ‘SOC 2 certified’ informally, but the precise terms are ‘SOC 2 attested’ or ‘SOC 2 examined.’ Compliance means following internal controls or regulatory requirements without independent verification. Attestation, by contrast, means a Licensed CPA Firm has independently examined the organization’s control environment and issued a formal opinion. The SOC 2 examination report conveys the auditor’s findings — including any exceptions, deviations, or qualifications — making it a substantively different document from a compliance checklist or internal assessment.
For George Town-based service organizations, understanding this distinction is operationally important. Enterprise clients — particularly those headquartered in North America, Europe, and the Asia-Pacific region — request SOC 2 reports as part of vendor due diligence. They are not satisfied by self-declarations of compliance. They require a formal SOC 2 engagement completed by a CPA Firm with attestation authority. CertPro holds that authority and conducts SOC 2 examinations under AICPA standards for organizations operating across George Town’s technology corridor and shared services sector.
The AICPA Trust Services Criteria Framework
The AICPA Trust Services Criteria consist of five categories against which a service organization’s controls are evaluated during a SOC 2 audit. Security — also called the Common Criteria — is mandatory in every SOC 2 engagement. The remaining four criteria (Availability, Processing Integrity, Confidentiality, and Privacy) are selected based on the nature of the services the organization provides and the commitments it has made to its customers. A cloud infrastructure provider, for example, will typically include Availability criteria alongside Security, while a firm handling personal data will incorporate the Privacy criteria.
The Trust Services Criteria are organized into logical groupings covering control environment, communication and information, risk assessment, monitoring activities, and control activities. Each criterion contains specific points of focus that auditors use when evaluating whether controls are suitably designed (in a Type I examination) or both suitably designed and operating effectively over a defined period (in a Type II examination). This structured framework ensures that every SOC 2 audit in George Town produces results that are directly comparable across organizations and reportable to international stakeholders.
SOC 2 in George Town — Local Business Context
George Town, the capital of Penang state, has developed into one of Malaysia’s most significant technology and business services hubs. The city hosts a concentration of multinational corporations, regional shared services centers (SSCs), and technology companies that process data on behalf of international clients. This commercial profile creates direct demand for SOC 2 Certification in George Town, as service organizations in this environment routinely face customer requirements for independent attestation of their data security practices.
Penang’s digital economy strategy has attracted investment from semiconductor manufacturers, financial technology firms, healthcare technology providers, and cloud infrastructure companies. Many of these entities provide services — software as a service (SaaS), data processing, cloud hosting, and managed services — that place them squarely within the scope of a SOC 2 examination. Their clients in North America, Europe, and the Asia-Pacific region contractually require access to current SOC 2 reports as part of vendor risk management programs. SOC 2 Certification in George Town is therefore not merely a compliance exercise — it is a prerequisite for commercial access to international markets.
Regulatory Alignment: Malaysia PDPA and International Frameworks
Malaysia’s Personal Data Protection Act (PDPA) 2010 establishes obligations for organizations processing personal data of Malaysian individuals. While SOC 2 is not a Malaysian regulatory requirement, the controls evaluated under the SOC 2 Privacy and Confidentiality criteria intersect substantially with PDPA obligations — including requirements for data access controls, retention policies, and incident response procedures. Organizations in George Town that complete a SOC 2 examination often find that the process simultaneously strengthens their posture against PDPA requirements.
SOC 2 compliance in George Town also intersects with international frameworks including the European Union’s General Data Protection Regulation (GDPR) and ISO 27001. For George Town-based organizations serving European data subjects or holding ISO 27001 certification, a SOC 2 engagement provides an additional layer of independently attested assurance. The SOC 2 audit process in George Town evaluates controls that frequently overlap with ISO 27001 Annex A controls, making it practical for organizations already operating within one framework to extend their attestation coverage through the other.
Industries in George Town Requiring SOC 2 Attestation
Demand for SOC 2 Certification in George Town’s financial services sector is driven by the presence of regional banking technology firms, fintech operators, and offshore financial services companies. Fintech organizations pursuing SOC 2 compliance in George Town require attestation to demonstrate to institutional clients that their platforms maintain adequate controls over financial data. Beyond financial services, Cayman Islands-connected entities — including hedge funds, asset managers, and investment vehicles with operational infrastructure in Penang — rely on SOC 2 reports to satisfy investor due diligence requirements.
Healthcare technology firms, e-commerce platforms, logistics software providers, and human resources information systems (HRIS) vendors based in George Town also pursue SOC 2 examinations. These organizations handle categories of data — health records, payment card information, employee personal data, and supply chain information — that are subject to heightened scrutiny from enterprise clients. A completed SOC 2 engagement removes a significant friction point in enterprise sales cycles and vendor qualification processes for organizations operating across George Town’s diverse technology sector.
SOC 2 Trust Service Criteria
The five Trust Service Criteria (TSC) form the evaluative foundation of every SOC 2 examination. Auditors assess the design and — in Type II engagements — the operating effectiveness of controls mapped to each applicable criterion. The selection of criteria is determined by the service organization’s commitments to its users, the nature of the data it processes, and the system boundaries defined at the outset of the SOC 2 engagement. Each criterion contains mandatory common criteria and additional criterion-specific requirements.
| Trust Service Criterion | Scope | Typical Applicability |
|---|---|---|
| Security (CC) | Protection against unauthorized access, use, and disclosure | Mandatory for all SOC 2 engagements |
| Availability | System availability per service commitments and SLAs | Cloud, SaaS, hosting, and managed service providers |
| Processing Integrity | Completeness, accuracy, and timeliness of data processing | Transaction processors, payroll, financial platforms |
| Confidentiality | Protection of information designated as confidential | Professional services, legal, analytics firms |
| Privacy | Collection, use, retention, and disposal of personal information | HR platforms, health tech, e-commerce, fintech |
The Security criterion, formally referred to as the Common Criteria (CC), is required in every SOC 2 audit regardless of which additional criteria are selected. The Common Criteria are organized into nine logical groupings: CC1 (Control Environment), CC2 (Communication and Information), CC3 (Risk Assessment), CC4 (Monitoring Activities), CC5 (Control Activities), CC6 (Logical and Physical Access Controls), CC7 (System Operations), CC8 (Change Management), and CC9 (Risk Mitigation). Each grouping contains specific points of focus that define what auditors evaluate during the examination.
During a SOC 2 audit in George Town, auditors evaluate the Common Criteria by reviewing policies, interviewing personnel, inspecting system configurations, and testing a sample of control activities over the audit period. For George Town-based technology organizations, the Common Criteria examination typically covers access management systems, vulnerability management programs, incident response procedures, change control workflows, and vendor management processes. The Common Criteria are comprehensive enough that many organizations begin their SOC 2 engagement with Security-only scope and expand to additional criteria in subsequent audit cycles.
The Availability criterion evaluates whether a service organization’s systems are available for operation and use as committed or agreed. This criterion is relevant for cloud infrastructure providers, SaaS vendors, and managed service providers in George Town whose service level agreements include defined uptime commitments. Auditors examine monitoring systems, incident management procedures, capacity planning records, and business continuity documentation when assessing Availability controls.
Processing Integrity evaluates whether system processing is complete, valid, accurate, timely, and authorized. This criterion is typically selected by organizations that process financial transactions, payroll data, or other high-volume data streams where errors carry material consequences. Confidentiality controls address the protection of information designated as confidential — including trade secrets, business plans, and professional client data. Privacy criteria are distinct from confidentiality and specifically address how personal information is collected, used, retained, disclosed, and disposed of in conformance with the organization’s privacy commitments and applicable regulations, including Malaysia’s PDPA and the AICPA’s generally accepted privacy principles.
SOC 2 Type 1 vs. SOC 2 Type 2 — Key Differences
SOC 2 engagements produce two distinct report types, differentiated by the temporal scope of the examination and the nature of the auditor’s opinion. Understanding the difference between SOC 2 Type 1 and Type 2 is essential for George Town organizations deciding which report to pursue — and for their clients interpreting the reports they receive. The two report types serve different purposes and carry different levels of assurance.
| Attribute | SOC 2 Type 1 | SOC 2 Type 2 |
|---|---|---|
| Examination scope | Point-in-time assessment | Period-of-time assessment (minimum 6 months) |
| Auditor opinion covers | Suitability of control design | Design and operating effectiveness of controls |
| Assurance level | Moderate — design only | Higher — design and operation over time |
| Typical use case | Initial market entry, new programs | Ongoing client due diligence, enterprise contracts |
| Audit duration | 4–8 weeks | 6–12 months observation period plus audit fieldwork |
SOC 2 Type 1 Certification in George Town
A SOC 2 Type 1 engagement in George Town examines whether a service organization’s controls are suitably designed to meet the applicable Trust Services Criteria as of a specific point in time — the report date. The auditor issues an opinion on whether the description of the system is fairly presented and whether the controls described are suitably designed. A Type 1 report does not evaluate whether controls operated effectively over a period; it evaluates only the design of controls at a single moment.
SOC 2 Type 1 reports are appropriate for organizations that have recently implemented their control environment and need to demonstrate initial compliance to clients before accumulating the operational history required for a Type II examination. For newly established George Town technology companies or recently launched services, a Type 1 examination provides a credible starting point. Most enterprise clients, however, eventually require a Type 2 report for ongoing vendor qualification — as Type 1 assurance is limited to design adequacy rather than sustained operational effectiveness.
SOC 2 Type 2 Certification in George Town
SOC 2 Type 2 Certification in George Town represents the standard of assurance that enterprise clients, institutional investors, and regulated-industry buyers demand. A Type 2 examination covers a defined review period — typically six to twelve months — during which auditors evaluate whether controls not only were suitably designed but also operated continuously and effectively throughout the entire period. The SOC 2 audit process for Type 2 in George Town involves sampling of control activities, review of evidence across the full observation period, and testing of systems at multiple points during the audit window.
Offshore companies and hedge funds operating through George Town typically require SOC 2 Type 2 reports as a condition of ongoing service contracts. The hedge funds sector in particular relies on Type 2 attestation to demonstrate to limited partners and institutional investors that fund administrators and technology service providers maintain sustained, independently verified data security controls. Organizations must complete annual audit cycles to maintain current report status and meet customer expectations — which is why the Type 2 report remains the authoritative deliverable in the SOC 2 framework.
The SOC 2 Audit Process
The SOC 2 audit process follows a structured sequence of stages defined by AICPA attestation standards. Each stage has specific inputs, activities, and outputs. Understanding the full sequence enables George Town service organizations to plan internal resource allocation, manage timelines, and engage effectively with the examining CPA Firm. The following stages apply to both Type 1 and Type 2 engagements, with differences in the depth and duration of certain stages.
- Scope Definition: The service organization and the examining CPA Firm establish the system boundaries, applicable Trust Services Criteria, and the services and infrastructure included within the SOC 2 examination scope. This stage produces the system description that will appear in the final report.
- Audit Program Determination: The auditor develops the audit program — the specific procedures, sampling methodologies, and evidence requirements that will govern the examination. The audit program is calibrated to the organization’s system description and selected criteria.
- Stage 1 Audit (Design Review): Auditors review the organization’s control documentation, policies, procedures, and system architecture to assess whether controls are suitably designed to meet the applicable Trust Services Criteria. Findings from this stage inform the evidence collection plan for Type 2 engagements.
- Type I or Type II Assessment Decision: Following the Stage 1 review, the examination proceeds along the Type I pathway (opinion issued on design as of the report date) or continues into the Type II observation period, during which auditors collect evidence of controls operating over time.
- Control Testing: Auditors execute the audit program by testing samples of control evidence across the observation period. Testing methods include inquiry, observation, inspection of documentation, and re-performance of control procedures. SOC 2 auditors do not just verify that safeguards exist on paper — they examine how controls functioned across the full audit period.
- Nonconformity Review: Any deviations, exceptions, or control failures identified during testing are documented and communicated to the service organization. The auditor evaluates whether exceptions are isolated or indicative of systemic control failures that affect the overall opinion.
- Certification Decision: The examining CPA Firm formulates its opinion based on the totality of evidence gathered. The opinion may be unqualified (controls are suitably designed and/or operating effectively), qualified (exceptions noted with specific impact), or adverse in rare cases of pervasive control failure.
- Issuance of Attestation Report: The formal SOC 2 report is issued. It contains the auditor’s opinion letter, the management assertion, the system description, and — for Type 2 reports — the detailed results of control testing including any noted exceptions.
- Surveillance and Recertification: SOC 2 does not involve continuous surveillance in the same manner as ISO 27001. However, organizations must undergo annual SOC 2 examinations to maintain current report status. Most enterprise contracts require that the SOC 2 report cover a period ending no more than twelve months prior to the date of reliance.
During the SOC 2 examination, the quality and organization of evidence is a determining factor in audit outcomes. Poor evidence collection is the most common challenge organizations face during the SOC 2 audit process. CertPro’s structured SOC 2 engagement methodology establishes clear evidence requirements at the outset of each examination, enabling George Town service organizations to understand exactly what documentation, system logs, access reviews, and configuration records auditors will request at each stage.
SOC 2 Report — What It Contains and Who Relies on It
The SOC 2 report is the formal deliverable of a completed SOC 2 examination. It is a restricted-use document, meaning it is intended for the service organization and its existing or prospective customers — not for general public distribution. The report’s structure and content are defined by AICPA standards and are consistent across all SOC 2 engagements, making it interpretable by any qualified enterprise risk or procurement professional regardless of geography.
Components of a SOC 2 Report
- ✓Independent Service Auditor’s Report: The CPA Firm’s opinion letter, stating the basis for the examination, the criteria applied, and the auditor’s conclusion regarding control design and/or operating effectiveness.
- ✓Management’s Assertion: A written statement from the service organization’s management asserting that the system description is fairly presented and that controls meet the applicable Trust Services Criteria.
- ✓System Description: A detailed narrative of the service organization’s system, covering infrastructure, software, people, procedures, and data within the defined scope boundaries.
- ✓Description of Tests of Controls and Results (Type 2 only): A detailed listing of each control tested, the testing procedures applied, and the results of testing, including any identified exceptions.
- ✓Other Information Provided by the Service Organization: Supplementary information that management may include, which is not covered by the auditor’s opinion.
- ✓Complementary User Entity Controls (CUECs): Controls that the service organization specifies must be implemented by its customers to achieve the stated control objectives.
- ✓Complementary Subservice Organization Controls (CSOCs): Controls relevant to subservice organizations (e.g., cloud infrastructure providers) within the carve-out or inclusive method scope.
Who Uses SOC 2 Reports and Why
SOC 2 reports are used by enterprise procurement teams, vendor risk management functions, chief information security officers (CISOs), and compliance officers at organizations that engage service providers. When a potential customer asks ‘Can you provide your SOC 2 report?’ during a vendor qualification process, a current, clean Type 2 report from a reputable Licensed CPA Firm answers that question definitively — and removes a primary barrier to contract execution. For George Town-based service organizations targeting Fortune 500 clients, US financial institutions, or European enterprises, the SOC 2 report is a standard commercial document.
Investors in technology companies, hedge fund limited partners reviewing fund administrator controls, and regulators overseeing financial market infrastructure also rely on SOC 2 reports. Offshore companies in George Town use SOC 2 reports for investor relations purposes — typically covering the fund administrator’s or technology service provider’s controls rather than the fund itself. In the context of SOC 2 Certification for George Town hedge funds and related entities, the report provides institutional-grade assurance that the technology and operational infrastructure supporting fund operations meets independently evaluated control standards.
SOC 2 Compliance Requirements for George Town Organizations
SOC 2 compliance requirements for George Town organizations are defined by the AICPA Trust Services Criteria and operationalized through an organization’s specific system commitments. There is no single fixed list of required controls — the applicable controls are determined by the criteria selected, the system in scope, and the service commitments the organization has made to its customers. However, certain categories of controls are present in virtually every SOC 2 examination and can be described as baseline requirements for any George Town organization pursuing SOC 2 Certification.
SOC 2 audit engagements in George Town require organizations to maintain comprehensive, current documentation of their control environment. Auditors review documentation as primary evidence during both Stage 1 and control testing phases. Inadequate or outdated documentation is among the most frequently cited sources of audit exceptions. Required documentation categories include information security policies, access management procedures, incident response plans, change management records, business continuity and disaster recovery plans, vendor management policies, and risk assessment documentation.
For George Town organizations subject to both SOC 2 and Malaysia’s PDPA, documentation requirements intersect in areas including data processing notices, consent records, data subject access request procedures, and data breach notification protocols. Organizations that maintain consistent, audit-ready documentation across both frameworks reduce duplication of effort and create a more efficient examination process. CertPro’s SOC 2 examination process identifies the specific documentation requirements applicable to each organization’s scope at the outset of every engagement.
- ✓Logical access controls: Role-based access management, multi-factor authentication enforcement, privileged access reviews, and access provisioning and deprovisioning workflows
- ✓Network security controls: Firewalls, intrusion detection and prevention systems, network segmentation, and encrypted data transmission protocols
- ✓Vulnerability management: Regular vulnerability scanning, penetration testing schedules, patch management procedures, and risk-ranked remediation workflows
- ✓Audit logging and monitoring: Comprehensive system and application log collection, log retention meeting audit requirements, and automated alerting for security events
- ✓Encryption: Encryption of data at rest and in transit using industry-standard algorithms, with key management procedures documented and implemented
- ✓Change management: Formal change request, review, approval, testing, and implementation procedures covering application and infrastructure changes
- ✓Business continuity and disaster recovery: Documented recovery objectives, tested recovery procedures, and evidence of periodic BCP/DR exercises
- ✓Vendor and third-party management: Risk-based vendor assessment procedures, contractual data security requirements, and periodic vendor performance reviews
- ✓Incident response: Documented incident classification, escalation, investigation, containment, and post-incident review procedures with records of actual incidents and responses
SOC 2 examinations evaluate not only technical controls but also organizational and people-related controls. Auditors assess the control environment — the tone from the top, organizational structure, assignment of authority and responsibility, and commitment to competence — as foundational elements of the Common Criteria. For George Town organizations, this means the SOC 2 audit will examine board and management oversight of data security, the information security function’s authority and resources, and the organization’s approach to employee awareness and accountability.
Personnel-related controls evaluated in a SOC 2 examination include background screening procedures, security awareness training with documented completion records, acceptable use policies, confidentiality agreements, and procedures for managing personnel transitions including access revocation upon termination. These controls are tested through review of HR records, training completion logs, and access management system evidence. Organizations that treat personnel controls as secondary to technical controls frequently encounter exceptions in these areas during SOC 2 examination fieldwork.
Benefits of SOC 2 Certification
The benefits of SOC 2 Certification in George Town extend across commercial, operational, and risk management dimensions. For service organizations operating in George Town’s competitive technology and financial services markets, a current SOC 2 report functions as a credentialing document that directly influences enterprise sales outcomes, contract terms, and vendor qualification decisions. The following list summarizes the principal benefits that George Town organizations realize through a completed SOC 2 engagement.
- ✓Commercial access: A SOC 2 Type 2 report satisfies vendor risk requirements from enterprise clients in North America, Europe, and Asia-Pacific, removing a primary barrier in the sales qualification process
- ✓Competitive differentiation: SOC 2 Certification in George Town distinguishes attested organizations from competitors that rely on self-declared compliance, particularly in financial technology, healthcare technology, and cloud services markets
- ✓Risk reduction: The control evaluation process identifies weaknesses in access management, change control, incident response, and data protection before they manifest as security incidents
- ✓Investor and partner confidence: SOC 2 reports provide institutional investors, strategic partners, and board members with independently verified assurance of control effectiveness
- ✓Regulatory alignment: Controls evaluated under SOC 2 Trust Service Criteria address obligations that overlap with Malaysia’s PDPA, GDPR for organizations processing EU personal data, and sector-specific regulations
- ✓Operational discipline: The documentation and evidence requirements of the SOC 2 examination process create structured, repeatable control activities that improve operational consistency
- ✓Insurance and contractual positioning: Some cyber liability insurance programs and enterprise master service agreements (MSAs) include SOC 2 attestation as a requirement or favorable factor in risk assessment
- ✓Annual improvement cycle: Each annual SOC 2 Type 2 examination cycle provides a structured opportunity to identify and remediate control deficiencies, producing a continuously improving control environment
- ✓Trust infrastructure for growth: Organizations that hold current SOC 2 reports can enter new markets, onboard enterprise clients, and scale operations without repeatedly re-demonstrating security posture through custom questionnaires
For George Town-based SaaS vendors, cloud providers, and data processing firms targeting international markets, SOC 2 Certification in George Town directly reduces the length of enterprise sales cycles. Procurement security questionnaires — which often number in the hundreds of questions — can frequently be satisfied by reference to a current SOC 2 Type 2 report, eliminating weeks of back-and-forth between the vendor’s security team and the prospective client’s risk function. The commercial value of this acceleration is material for organizations with multiple concurrent enterprise procurement processes.
Fintech organizations pursuing SOC 2 compliance in George Town benefit additionally from the report’s role in satisfying bank and financial institution vendor due diligence requirements. Financial institutions operating under regulatory frameworks — including Bank Negara Malaysia’s Risk Management in Technology (RMiT) guidelines and the Monetary Authority of Singapore’s Technology Risk Management (TRM) Notice — require formal third-party security assurance from technology vendors. A SOC 2 report issued by a Licensed CPA Firm meets these requirements in a way that self-assessed compliance documentation cannot.
Why Choose CertPro for SOC 2 Attestation in George Town
CertPro is a Licensed CPA Firm with direct experience conducting SOC 2 examinations for service organizations across Southeast Asia, including George Town and the broader Penang technology corridor. CertPro’s engagement structure is built on AICPA attestation standards and applies a rigorous, evidence-based examination methodology across all SOC 2 audit engagements in George Town. The firm issues SOC 2 Type I and Type II attestation reports for service organizations in technology, financial services, healthcare technology, and shared services sectors.
CertPro’s SOC 2 Examination Methodology
CertPro structures each SOC 2 engagement with defined phases: scope establishment, audit program development, Stage 1 design review, evidence collection period (for Type 2), control testing and sampling, exception evaluation, report drafting, management review, and final report issuance. This sequenced methodology ensures that every SOC 2 examination proceeds with clear milestones, defined evidence requirements, and transparent communication of findings. Organizations undergoing their first SOC 2 audit benefit from CertPro’s structured approach to evidence collection, which specifies exactly what documentation and system evidence auditors require at each phase.
CertPro’s technical expertise spans the full range of Trust Services Criteria, including security architecture review, cloud infrastructure evaluation, access management system testing, and privacy control assessment. The firm’s examiners have direct experience with common technology stacks deployed by George Town service organizations — including Amazon Web Services, Microsoft Azure, Google Cloud Platform, and hybrid infrastructure environments. This technical depth enables CertPro to conduct substantive control testing rather than surface-level document review, producing SOC 2 reports that carry credibility with sophisticated enterprise clients.
Institutional Authority and Report Credibility
SOC 2 reports are only valid when issued by a Licensed CPA Firm with attestation authority under AICPA standards. Reports produced by non-CPA entities — including IT consultancies, security firms, or advisory practices without CPA licensure — do not constitute valid SOC 2 attestations and will not be accepted by enterprise clients or institutional investors performing vendor due diligence. CertPro’s status as a Licensed CPA Firm is the foundational credential that gives its SOC 2 reports legal and professional standing under AICPA standards.
For George Town organizations targeting North American clients, the CPA credential is particularly important. US-based enterprise procurement teams and their legal counsel verify that SOC 2 reports are issued by licensed CPA Firms as a standard step in vendor qualification. CertPro’s position as a Licensed CPA Firm — with both regional knowledge of George Town’s business environment and command of AICPA attestation standards — makes it the right choice for SOC 2 audit services that George Town organizations need to compete in international markets.
SOC 2 vs. ISO 27001: Choosing the Right Framework for George Town Organizations
George Town organizations frequently ask whether to pursue SOC 2 or ISO 27001 first. The answer depends on customer requirements and target markets. SOC 2 Certification is the standard demanded by North American enterprise clients and financial institutions; ISO 27001 has broader global recognition and is frequently required in European and Asia-Pacific procurement processes. A SOC 2 audit tests specific controls based on Trust Service Criteria, service commitments, and contractual requirements, while ISO 27001 establishes a systematic information security management system (ISMS) framework. Many mature organizations in George Town hold both — using ISO 27001 to demonstrate global ISMS capability and SOC 2 to provide the detailed, controls-tested assurance that North American clients require.
SOC 2 Certification Cost and Timeline
SOC 2 Certification fees in George Town vary depending on organizational size, system complexity, the number of Trust Service Criteria selected, and whether the engagement is a Type 1 or Type 2 examination. Every company has unique circumstances that affect the scope and therefore the cost of the SOC 2 engagement. Larger organizations with extensive data systems, multiple service offerings, complex cloud infrastructure, and numerous subservice organizations face higher examination costs than smaller, focused technology firms with a single product and limited infrastructure scope.
Cost Factors for SOC 2 Examinations in George Town
- ✓Scope of Trust Service Criteria: Engagements covering only the Security (Common Criteria) criterion are less extensive than those covering all five criteria; each additional criterion adds testing requirements and examination time
- ✓Organization size and complexity: Number of employees with system access, volume of infrastructure components in scope, number of applications, and geographic distribution of operations all affect audit complexity
- ✓Type 1 vs. Type 2: Type 2 examinations require evidence collection and testing across a six-to-twelve month observation period, making them more resource-intensive than point-in-time Type 1 examinations
- ✓Subservice organization carve-outs: The treatment of third-party providers (inclusive vs. carve-out method) affects the scope and depth of the examination
- ✓Existing documentation maturity: Organizations with well-documented, consistently maintained control evidence require less audit effort than those whose documentation is incomplete or inconsistent
- ✓Industry-specific requirements: Organizations in regulated sectors (financial services, healthcare technology) may require examination of additional controls tied to industry-specific obligations
- ✓Report period length: Longer audit periods (12 months vs. 6 months) require proportionally greater evidence sampling and testing effort
Typical SOC 2 Examination Timelines
A SOC 2 Type 1 examination typically requires four to eight weeks from scope establishment to report issuance, depending on organizational responsiveness to evidence requests and the complexity of the control environment. A SOC 2 Type 2 examination requires a minimum six-month observation period — during which the organization operates its controls under the auditor’s defined testing schedule — followed by four to eight weeks of fieldwork and report drafting. The total elapsed time from engagement initiation to Type 2 report issuance is typically eight to fourteen months for first-time engagements.
For George Town organizations with time-sensitive commercial requirements — such as an enterprise contract requiring a SOC 2 report within a defined period — the engagement timeline must be planned carefully. CertPro works with organizations to establish examination schedules that align with commercial milestones. Organizations that have previously completed a SOC 2 Type 1 examination may be positioned to transition more efficiently to a Type 2 engagement, as the control design documentation from the Type 1 review provides a solid foundation for the Type 2 audit program.
| Engagement Type | Observation Period | Fieldwork Duration | Total Elapsed Time |
|---|---|---|---|
| SOC 2 Type 1 | None (point-in-time) | 4–8 weeks | 6–10 weeks from engagement start |
| SOC 2 Type 2 (first-time) | 6–12 months | 6–10 weeks | 8–14 months from engagement start |
| SOC 2 Type 2 (renewal) | 12 months (annual) | 4–8 weeks | 14–16 months (ongoing annual cycle) |
Steps for Obtaining SOC 2 Certification in George Town
Obtaining SOC 2 Certification in George Town requires a defined sequence of steps to establish, document, operate, and have independently examined an organization’s control environment. The following steps represent the structured pathway through which George Town service organizations progress — from initial SOC 2 engagement planning through to the receipt of a formal attestation report from CertPro as a Licensed CPA Firm.
- Determine applicable Trust Service Criteria: Identify which of the five TSC categories apply based on the organization’s service commitments, data types processed, and customer requirements. Security is always included; additional criteria are selected based on scope.
- Define the system boundary: Establish which infrastructure components, applications, data flows, personnel roles, and third-party services fall within the SOC 2 examination scope. The system description produced in this step forms the basis of the management assertion.
- Engage a Licensed CPA Firm: Initiate the formal SOC 2 engagement with CertPro. The engagement letter establishes the examination scope, criteria, audit period (for Type 2), fee structure, and timeline.
- Implement and document controls: Ensure that all controls relevant to the selected Trust Service Criteria are implemented, documented, and operating. This includes policies, procedures, technical configurations, and training records.
- Establish evidence collection processes: Implement systematic processes for collecting, retaining, and organizing evidence of control operation — including access review records, system logs, change tickets, training completion records, and vendor assessment documentation.
- Stage 1 design review: CertPro auditors review the system description, policies, and control documentation to assess design suitability. Findings from this review are communicated and addressed before control testing begins.
- Observation period (Type 2): For Type 2 examinations, controls operate under the defined audit program for the agreed observation period (minimum six months). Evidence is collected systematically throughout this period.
- Control testing and fieldwork: CertPro auditors execute the audit program, testing samples of control evidence, conducting personnel interviews, and inspecting system configurations. Exceptions are documented and communicated in real time.
- Report drafting and management review: The draft SOC 2 report is prepared and provided to management for review and response. Management prepares its assertion and any responses to noted exceptions.
- Final report issuance: CertPro issues the final SOC 2 attestation report. The report is made available to the service organization for distribution to existing and prospective customers under appropriate non-disclosure arrangements.
FAQ
- What is SOC 2 Certification and why does it matter for George Town businesses?
- What is the difference between SOC 2 Type 1 and Type 2?
- How long does a SOC 2 audit take for a George Town organization?
- Which Trust Service Criteria should a George Town organization select?
- Is SOC 2 a legal requirement in Malaysia or George Town specifically?
- What is the difference between SOC 2 certified and SOC 2 compliant?
- How often must a SOC 2 examination be renewed?
- Can a non-CPA firm issue a valid SOC 2 report?