A rigorous pre-audit assessment that runs the same tests your formal auditor will run — identifying every remaining gap, confirming every control is operating as designed, and ensuring your team is fully prepared for fieldwork day.
Timeline: 1–2 weeks (standalone) · Weeks 9–10 of a full programme
Delivery: Readiness report + all remaining gaps closed before audit
Assigned to: Senior advisor — not a junior
First pass rate: 98% of clients who complete readiness assessment pass first attempt
Fixed fee — agreed upfront
A SOC 2 Readiness Assessment is an independent pre-audit review of your security programme, conducted by your advisory team before your formal CPA audit begins. It tests every control in your SOC 2 scope for both design adequacy and operating effectiveness — the two dimensions your formal auditor will test during fieldwork.
A Readiness Assessment is not the same as a Gap Assessment. A Gap Assessment happens at the beginning of your SOC 2 programme, before any implementation work — it tells you where your gaps are. A Readiness Assessment happens after implementation, just before your formal audit — it confirms that all gaps have been properly closed, that evidence is complete, that controls are operating as designed, and that your team is prepared for the specific questions an auditor will ask. Most clients who pass their SOC 2 audit on the first attempt have completed a Readiness Assessment first.
We test every control in your SOC 2 scope for operating effectiveness — not just design. For each control, we review the evidence that would be submitted to an auditor, test the control as a CPA firm would test it, and identify any control that would generate a finding or exception. Controls that are documented but not genuinely operating are the most common cause of SOC 2 audit failures — and the most common thing a Readiness Assessment catches before it becomes a problem.
SOC 2 auditors work from evidence — screenshots, log exports, configuration records, access review documentation, change management tickets. An otherwise well-designed and well-operated control fails an audit when the supporting evidence is incomplete, inconsistent, or impossible to produce on the timescale an auditor requests. We review every evidence item for completeness and accessibility before your auditor engages.
We simulate the auditor fieldwork experience — asking your team the same questions a CPA firm would ask, in the same format, reviewing the same evidence. For most teams, this is the first time they have been through an audit-style process. The experience of running through it once, safely, before the real thing eliminates the anxiety and preparation gaps that cause unnecessary exceptions.
Your policies must accurately describe how your controls operate. Policies that describe controls that are not actually in place — or that are out of date and describe how things worked before your last infrastructure change — are a consistent source of audit findings. We review every policy document against the actual operating state of your controls and correct any discrepancy before your auditor arrives.
A Readiness Assessment gives you three to four weeks to close every remaining gap. It is the last line of defence between your current state and a qualified audit report — and it is the most important investment you can make in the final weeks before fieldwork begins. Talk to us now.
We confirm the full list of controls in your SOC 2 scope and issue a complete evidence request — every document, screenshot, log export, and configuration record your auditor will ask for. We give you the list in advance so your team can prepare without scrambling.
We test every control for operating effectiveness, review every evidence item for completeness and accuracy, and simulate the auditor interview process with your technical and operational stakeholders. Controls that have design or operating gaps are identified, classified by severity, and assigned to your team for immediate remediation.
Every gap identified in testing is addressed before we conclude the assessment. We work with your team to close all remaining gaps — updating documentation, correcting policy discrepancies, and verifying that evidence can be produced on the timescale an auditor would request. We do not issue a readiness report until every material gap has been closed.
We deliver a written Readiness Assessment report confirming your audit-ready status, documenting every control tested, and providing your team with a briefing on what to expect during fieldwork — including the types of questions your auditor will ask, how to organise evidence submissions, and how to respond to auditor requests efficiently.
A Gap Assessment is the right engagement if you are starting your SOC 2 programme and need to understand where your current controls stand before implementation begins. It produces a gap inventory, a remediation roadmap, and a timeline for your programme. Most organisations do a Gap Assessment 4–6 months before their intended audit date.
A Readiness Assessment is the right engagement if you have completed implementation and are 2–4 weeks away from starting your formal audit. It confirms that your controls are operating correctly, your evidence is complete, and your team is prepared. It is not a substitute for a Gap Assessment — it is the final validation step that protects the investment you have already made in your programme.
Most clients who complete our full advisory programme benefit from both — a Gap Assessment at the beginning and a Readiness Assessment before the audit. The Gap Assessment establishes your programme. The Readiness Assessment validates it. The combination is what produces our 98% first-attempt pass rate across all engagements.
If your question is not here, just email us — we will give you a straight answer.
A Readiness Assessment should be conducted 2–4 weeks before your formal audit begins — after implementation is complete but with enough time to close any remaining gaps before fieldwork starts. Starting a Readiness Assessment less than two weeks before audit is possible but leaves very little time to address gaps. Starting more than four weeks before audit means some evidence periods may not yet be complete.
A Gap Assessment happens at the beginning of your SOC 2 programme — before implementation, to tell you what needs to be built. A Readiness Assessment happens at the end of your programme — after implementation, to confirm everything is working correctly before your auditor arrives. They are sequential steps in the same programme, not alternatives.
Yes — but we strongly recommend against it. The most common cause of SOC 2 audit findings is controls that were implemented but are not operating correctly, or evidence that was not organised and producible on the timescale an auditor requires. A Readiness Assessment identifies these issues with enough time to fix them. Without it, you are finding out the hard way — during your audit.
If we identify material gaps during a Readiness Assessment, we work with you immediately to close them before the audit begins. In cases where gaps are significant enough to require delaying the audit start date, we will give you that advice clearly and early — before you have committed your CPA firm to a fieldwork window that cannot be met. Honest advice at this stage is always better than a qualified opinion at the end.
Yes. We conduct Readiness Assessments for ISO 27001 Stage 2 audits, HITRUST validated assessments, and HIPAA compliance reviews. The structure is the same — pre-audit control testing, evidence review, gap closure, and team preparation. If you are approaching a formal assessment for any of these frameworks, a Readiness Assessment reduces the risk of findings significantly.
Book a free 30-minute consultation. A senior advisor will review your current state and tell you honestly whether you are ready for your audit — and what needs to happen before fieldwork begins.
A Readiness Assessment at the end of your program is most effective when it builds on a Gap Assessment at the beginning. If you have not yet started your SOC 2 program, the Gap Assessment is your first step.
We stay with you through the formal audit — managing auditor requests, reviewing evidence, and handling every question until your report is issued.
For background on the full SOC 2 certification process — including where a Readiness Assessment fits into the overall program timeline — see our main SOC 2 page.