// SOC 2 Type II audit preparation involves designing, implementing, and demonstrating the operational effectiveness of controls aligned to the AICPA Trust Services Criteria (TSC) over a defined audit pe
Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree framework to produce actionable remediation priorities.
UI/UX best practices for web interfaces. Use when reviewing animations, CSS, audio, typography, UX patterns, prefetching, or icon implementations. Covers 11 categories from animation principles to typography. Outputs file:line findings.
Configure AWS Verified Access to provide VPN-less zero trust network access to internal applications using identity and device posture verification with Cedar policy language.
Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request identity verification for Compute Engine, App Engine, Cloud Run, and GKE services using access levels, context-aware policies, and programmatic access with service accounts.
Configuring Zscaler Private Access (ZPA) to replace traditional VPN with zero trust network access by deploying App Connectors, defining application segments, configuring access policies based on user identity and device posture, and integrating with IdPs.
Deploying Cloudflare Access with Cloudflare Tunnel to provide zero trust access to self-hosted and private applications, configuring identity-aware access policies, device posture checks, and WARP client enrollment for VPN replacement.
| name | performing-soc-2-type-ii-audit-preparation |
| description | SOC 2 Type II audit preparation involves designing, implementing, and demonstrating the operational effectiveness of controls aligned to the AICPA Trust Services Criteria (TSC) over a defined audit pe |
| domain | cybersecurity |
| subdomain | compliance-governance |
| tags | ["compliance","governance","soc2","audit","trust-services-criteria","aicpa"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
SOC 2 Type II audit preparation involves designing, implementing, and demonstrating the operational effectiveness of controls aligned to the AICPA Trust Services Criteria (TSC) over a defined audit period (typically 6-12 months). Unlike Type I which assesses control design at a point in time, Type II evaluates whether controls operated effectively throughout the entire examination period.
Five categories, with Security (Common Criteria) being mandatory:
| Criteria | Description | Required |
|---|---|---|
| Security (CC) | Protection against unauthorized access | Mandatory |
| Availability (A) | System availability for operation and use | Optional |
| Processing Integrity (PI) | System processing is complete, valid, accurate, timely, authorized | Optional |
| Confidentiality (C) | Information designated as confidential is protected | Optional |
| Privacy (P) | Personal information collected, used, retained, disclosed per notice | Optional |
Security is organized into 9 series based on COSO principles:
| Series | Focus Area | COSO Principle |
|---|---|---|
| CC1 | Control Environment | Integrity and ethical values |
| CC2 | Communication and Information | Quality information for controls |
| CC3 | Risk Assessment | Identify and assess risks |
| CC4 | Monitoring Activities | Monitor and evaluate controls |
| CC5 | Control Activities | Select and develop controls |
| CC6 | Logical and Physical Access | Restrict access to authorized users |
| CC7 | System Operations | Detect and respond to system anomalies |
| CC8 | Change Management | Authorized, tested, approved changes |
| CC9 | Risk Mitigation | Risk mitigation through business processes |
| Aspect | Type I | Type II |
|---|---|---|
| Scope | Control design at a point in time | Control effectiveness over a period |
| Audit Period | Single date | 6-12 months (typically 12) |
| Evidence | Design documentation | Operating evidence throughout period |
| Assurance | Lower | Higher |
| Market Value | Initial baseline | Industry standard expectation |
