SOC 2 audit preparation prompts
Preparing for your SOC 2 audit
These prompts help you organize evidence, prepare documentation, and conduct readiness assessments before engaging with your auditor.
Start audit preparation at least 3 months before your target report date to allow time for gap remediation and evidence collection.
Readiness assessment
Pre-audit gap analysis
Conduct a comprehensive SOC 2 readiness assessment for [organization name]. We're targeting [Type I/Type II] for [criteria in scope: Security, Availability, etc.].
Current state:
- Controls implemented: [describe current controls]
- Policies and procedures: [list what you have]
- Evidence collection: [describe current documentation practices]
- Known gaps: [list any known weaknesses]
Provide:
- Readiness score by Trust Services Criterion
- Critical gaps that would prevent audit success
- Medium and low-priority gaps
- Prioritized remediation plan with estimated effort
- Recommended timeline to audit readiness
Mock audit checklist
Create a mock audit checklist for a SOC 2 [Type I/Type II] examination covering [criteria]. Include:
- Document requests auditors will make
- Control walkthroughs they'll conduct
- Sample selections for testing (Type II)
- System access they'll need
- Interview topics and likely participants
Help me prepare by identifying:
- What we should have ready on day one
- Common audit pitfalls to avoid
- Questions auditors typically ask
- Red flags that delay audits
Evidence organization
Evidence collection plan
Create an evidence collection plan for our SOC 2 Type [I/II] audit covering [date range if Type II].
Controls requiring evidence:
[List your key controls or upload your control matrix]
For each control, specify:
- Evidence type (screenshots, reports, logs, tickets, meeting minutes)
- Evidence source (system or tool)
- Collection frequency (point-in-time for Type I; for Type II, the full population of control occurrences across the period, since the auditor samples from it)
- Responsible person for collection
- Storage location for audit evidence
Organize by Trust Services Criterion for easy auditor access.
Evidence gap identification
Review my control matrix and identify evidence gaps:
[Paste your control matrix or describe your controls]
For each control, analyze:
- Is the described evidence sufficient to demonstrate control operation?
- Are there alternative evidence sources if primary evidence is unavailable?
- For automated controls, do we log evidence of automation execution?
- For manual controls, do we have approval trails and completion documentation?
- Are there evidence retention issues (logs aged out, tickets deleted)?
Provide recommendations for closing evidence gaps before the audit.
Evidence must exist for the full audit period for Type II examinations, and it must still be retrievable when the auditor samples it, which is usually weeks or months after the period ends. Check log retention settings now: a retention window shorter than the gap between the start of the period and the end of fieldwork means evidence will age out before audit completion.
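As an added illustration of that retention check (example code, not part of the original page or of any particular tool): the script below takes an inventory of evidence sources with their retention windows, a Type II period start, and the expected end of auditor fieldwork, and reports which sources cannot supply evidence for the whole period, how much is already lost, and when the first day of the period ages out. The inventory, source names and dates are constructed; in practice you would populate `retention_days` from your logging platform (for CloudWatch Logs, the `retentionInDays` field returned by `describe-log-groups`, which is absent when retention is indefinite).

```python
from datetime import date, timedelta

# Constructed sample inventory (not real systems): one entry per evidence source.
# retention_days=None means the source is retained indefinitely.
SAMPLE_SOURCES = [
    {"source": "cloudtrail-mgmt-events", "retention_days": 365},
    {"source": "app-auth-logs", "retention_days": 90},
    {"source": "ticketing-exports", "retention_days": None},
]


def required_retention_days(period_start: date, fieldwork_end: date) -> int:
    """Days of history that must still be readable when the auditor finishes
    sampling: from the first day of the Type II period to the end of fieldwork,
    not merely the length of the period itself."""
    return (fieldwork_end - period_start).days


def retention_gaps(sources, period_start: date, fieldwork_end: date, today: date):
    """Return the sources whose retention window is too short for the audit.

    For each short source the result says how many days at the start of the
    period are already unrecoverable as of `today`, and on which date the first
    day of the period ages out (so you know how long you have to export it).
    """
    required = required_retention_days(period_start, fieldwork_end)
    gaps = []
    for src in sources:
        days = src["retention_days"]
        if days is None or days >= required:
            continue  # indefinite retention, or long enough to outlast fieldwork
        oldest_available = today - timedelta(days=days)
        already_lost = max(0, (oldest_available - period_start).days)
        gaps.append({
            "source": src["source"],
            "retention_days": days,
            "required_days": required,
            "already_lost_days": already_lost,
            "period_start_ages_out": period_start + timedelta(days=days),
        })
    return gaps


if __name__ == "__main__":
    # Period 2024-01-01 to 2024-12-31, fieldwork expected to end 2025-02-15,
    # check run on 2024-06-30 (all constructed dates).
    for gap in retention_gaps(SAMPLE_SOURCES, date(2024, 1, 1),
                              date(2025, 2, 15), date(2024, 6, 30)):
        print(gap)
```

Export or archive the affected sources to write-once audit storage before the `period_start_ages_out` date; extending the retention setting afterwards does not bring back lines that have already been deleted.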
System description preparation
System description draft
Create a SOC 2 system description for [service/system name] covering [Type I date or Type II period]. Include all required sections:
1. Overview of Operations
- Nature of service: [describe what your service does]
- Principal service commitments and system requirements
2. System Components
- Infrastructure: [cloud/on-prem, providers, locations]
- Software: [applications, databases, key technologies]
- People: [organizational structure, key roles]
- Data: [types of data processed, data flows]
- Processes and procedures: [key operational processes]
3. Trust Services Criteria and Controls
- Criteria in scope: [Security, Availability, etc.]
- High-level control environment description
4. Complementary User Entity Controls (CUECs)
- Controls that require customer implementation
5. Complementary Subservice Organization Controls (if applicable)
- Vendor dependencies and their controls
Our organization:
- Service type: [SaaS, PaaS, infrastructure]
- Technology stack: [key technologies]
- Organization size: [employees, customers]
- Data centers/regions: [locations]
Complementary user entity controls
Identify and document Complementary User Entity Controls (CUECs) for our SOC 2 scope. These are controls our customers must implement for the relevant Trust Services Criteria to be met; our own controls assume they are in place.
Our service: [describe service]
Customer responsibilities: [what customers configure or manage]
For each CUEC, provide:
- Control description
- Related Trust Services Criterion
- Why customer action is required
- Recommended customer implementation
- Risks if not implemented
Examples might include: user access management, data backup responsibilities, MFA enrollment, secure credential management.
Control narrative preparation
Control narrative generation
Generate detailed control narratives for my SOC 2 controls addressing [specific Trust Services Criterion or all criteria in scope].
For each control, provide a narrative that includes:
- Control objective (what risk it mitigates)
- Control activity (what specifically is done)
- Control frequency (continuous, daily, monthly, etc.)
- Control owner (role responsible)
- How the control operates (step-by-step process)
- Evidence generated (logs, reports, tickets, approvals)
- Exception handling (what happens when control identifies an issue)
My control matrix:
[Paste control descriptions or upload control matrix]
Write narratives suitable for inclusion in the auditor's workpapers and final report.
Narrative validation
Review my control narrative for accuracy and completeness:
[Paste your control narrative]
Assess:
- Does it clearly describe what the control does and how it operates?
- Is the frequency and responsibility clearly stated?
- Does it align with the related Trust Services Criterion's points of focus?
- Will auditors be able to test this control based on the narrative?
- Are there ambiguities or gaps?
Provide specific suggestions to improve the narrative for audit purposes.
Vendor and subservice organization management
Subservice organization inventory
Create an inventory of subservice organizations for our SOC 2 scope covering [service description].
Third-party services we use:
[List vendors/cloud providers and what they do for you]
For each subservice organization, document:
- Service provided and criticality to our operations
- Data shared or processed by the vendor
- Applicable Trust Services Criteria (which criteria rely on this vendor)
- Vendor's SOC 2/SOC 3 report status (Type I/II, date, criteria covered)
- Contract provisions (SLAs, security requirements, audit rights)
- Alternative evidence if no SOC 2 report available
Identify any vendors missing required reports or creating scope gaps.
Vendor SOC 2 report analysis
Analyze this vendor SOC 2 report to determine if it adequately covers our reliance:
Vendor: [vendor name]
Service they provide: [describe service]
Their SOC 2 type and criteria: [from their report]
Our reliance on them: [what controls depend on this vendor]
Review:
- Does their report scope cover the services we use?
- Are the Trust Services Criteria we need included in their report?
- Are there any qualifications, exceptions, or findings?
- Do their controls align with our control assertions?
- Do we need to implement bridging controls for any gaps?
Provide a gap analysis and recommendations for addressing any vendor control gaps.
Subservice organizations appear in your system description under either the carve-out method (their controls are excluded from your description and you document the complementary subservice organization controls you rely on) or the inclusive method (their controls are included and must be evidenced). Under either method the auditor will expect you to have obtained and reviewed the vendor's report, so collect vendor reports early and check them for scope and period alignment with your own audit.
Interview preparation
Auditor interview preparation
Prepare me for SOC 2 audit interviews. Generate likely questions and suggested responses for:
Interview participant: [role, e.g., CISO, DevOps Lead, HR Manager]
Topics covered in their interview: [e.g., access management, change control, incident response]
Relevant controls: [list controls this person owns or operates]
For each likely question, provide:
- The question auditors typically ask
- Key points to cover in the response
- Evidence to reference or provide
- Common mistakes to avoid
Include questions about:
- How controls operate day-to-day
- How exceptions are handled
- Recent changes or incidents
- Training and awareness
- Control effectiveness monitoring
Sample selection and testing
Sample size planning (Type II)
For our SOC 2 Type II audit covering [date range], help me plan sample selections for manual controls.
Manual controls requiring sampling:
[List controls and their frequency, e.g., "Quarterly access reviews", "Daily backup verification"]
For each control, provide:
- Expected sample size based on frequency and industry standards
- Sampling approach (random, systematic, or targeted)
- Required attributes for samples (e.g., approval documented, timestamp, scope coverage)
- How to handle exceptions or deviations
- Documentation requirements for samples
Ensure I collect sufficient samples throughout the audit period, not just at year-end.
Control testing preparation
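An added example (not from the original page) of the sampling mechanics behind both the sample-size prompt above and the testing plan that follows: it enumerates the population of dates on which a control should have operated, draws a reproducible random or systematic sample from it, and flags any quarter of the period the sample misses, which is the "not just at year-end" check in code form. The control frequencies and dates are constructed, and the sample size is an input rather than a recommendation; use the sizes your auditor specifies.

```python
import random
from datetime import date, timedelta


def control_occurrences(period_start: date, period_end: date, every_days: int):
    """Enumerate the dates a control should have operated during the period.
    This is the population the auditor samples from; every_days=1 for a daily
    control, 7 for weekly, and so on (constructed schedule, not a real control)."""
    occurrences = []
    d = period_start
    while d <= period_end:
        occurrences.append(d)
        d += timedelta(days=every_days)
    return occurrences


def quarter_of(d: date) -> str:
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def select_sample(population, n: int, method: str = "random", seed: int = 0):
    """Pick n items from the population.

    'random' draws with a seeded PRNG so the selection can be reproduced and
    shown to the auditor; 'systematic' takes every k-th item from a seeded
    random start, which spreads samples evenly across the period by design.
    """
    if n > len(population):
        raise ValueError("sample larger than population")
    rng = random.Random(seed)
    if method == "random":
        return sorted(rng.sample(population, n))
    if method == "systematic":
        k = len(population) // n
        start = rng.randrange(k)
        return [population[start + i * k] for i in range(n)]
    raise ValueError(f"unknown sampling method: {method}")


def coverage_check(sample, population):
    """Quarters present in the population but absent from the sample.
    An empty list means the sample is spread across the whole period rather
    than clustered around one date."""
    covered = {quarter_of(d) for d in sample}
    return [q for q in sorted({quarter_of(d) for d in population}) if q not in covered]


if __name__ == "__main__":
    # Daily control over calendar 2024; 25 is a placeholder sample size.
    daily = control_occurrences(date(2024, 1, 1), date(2024, 12, 31), 1)
    picked = select_sample(daily, 25, "systematic", seed=7)
    print("sampled dates:", [d.isoformat() for d in picked])
    print("quarters missed:", coverage_check(picked, daily))
```

Record the seed, method and population size alongside the selected dates; that record is what lets the auditor (or you, during internal testing) reproduce the selection instead of taking it on trust.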
Create a testing plan to validate control effectiveness before the audit for:
Control: [describe the control]
Frequency: [how often it operates]
Evidence: [what evidence it generates]
Audit period: [date range]
Provide:
- Testing procedures to validate the control works as described
- Sample selection if applicable (how many, which dates)
- Pass/fail criteria
- How to document test results
- Remediation steps if testing reveals gaps
Help me conduct internal testing to catch issues before auditors do.
Risk assessment and management
Risk register for audit
Create a risk register suitable for SOC 2 audit purposes addressing CC3 (Risk Assessment). Include:
Risk identification:
- Threat sources: [e.g., cyber attacks, system failures, insider threats, vendor risks]
- Vulnerabilities: [e.g., internet-facing systems, legacy applications, privileged access]
- Impact categories: [confidentiality, integrity, availability, privacy]
Risk analysis:
- Likelihood assessment (Low/Medium/High)
- Impact assessment (Low/Medium/High)
- Inherent risk rating
Risk response:
- Controls implemented to mitigate each risk
- Residual risk after controls
- Risk acceptance or treatment decisions
Our environment: [describe systems, data, threat landscape]
Format as a table suitable for auditor review and management approval.
Gap remediation tracking
Remediation plan and tracking
Create a gap remediation plan and tracking mechanism for our SOC 2 preparation:
Identified gaps:
[List gaps from readiness assessment or prior audit findings]
For each gap, provide:
- Gap description and related Trust Services Criterion
- Risk/priority (Critical/High/Medium/Low)
- Remediation action required
- Responsible party
- Target completion date
- Status tracking (Not Started/In Progress/Complete)
- Validation method (how to confirm closure)
Create a project plan that sequences remediation logically and meets our audit timeline of [target audit start date].
Track remediation progress weekly and update stakeholders. Auditors may ask about gap closure timelines and validation during the examination. For a Type II, a control remediated during the period can only be tested from the date it began operating, so close critical gaps before the period starts wherever possible.
Auditor communication
Audit kickoff preparation
Prepare materials and talking points for our SOC 2 audit kickoff meeting:
Audit details:
- Auditor: [firm name]
- Audit type: [Type I/Type II]
- Criteria: [Security, Availability, etc.]
- Timeline: [start date, expected duration]
Create:
- Kickoff meeting agenda
- Overview presentation of our organization, service, and control environment
- Key contacts and escalation paths
- Document sharing and access logistics
- Expected timeline and milestones
- Questions to ask the auditor about their process and expectations
Ensure we set the right tone and establish efficient communication protocols.
Audit findings response
I received preliminary audit findings. Help me prepare management responses:
Finding description:
[Paste the finding from your auditor]
Our situation:
[Describe what actually happened and why]
Create a management response that:
- Acknowledges the finding professionally
- Provides context or explanation if appropriate
- Proposes specific remediation actions
- Commits to a realistic timeline
- Identifies who is responsible for remediation
- Describes how we'll validate closure
Ensure the response demonstrates strong governance and commitment to improvement.
Audit findings are not failures; they are opportunities for improvement. Respond constructively and implement remediation promptly to strengthen your control environment.