AICPA Attestation SOC 2 Type I & Type II

SOC 2 examinations, delivered end to end.

The baseline trust attestation for US and India–based SaaS and IT service providers. Verigo takes you from first gap analysis to a clean SOC 2 opinion — and keeps the evidence engine running so every annual examination is a non–event.

At a glance
Scope: United States & India
Criteria: 5 Trust Services Criteria
Report types: Type I & Type II examinations
Type II window: 3–12 month observation
76%: Adoption among audited orgs (2025)
5 Trust Services Criteria
Type I & II: Point–in–time & period reports
12 mo: Typical report validity window
What a SOC 2 examination is

An independent opinion, not a checklist.

SOC 2 is an attestation examination performed by a licensed CPA firm under AICPA standards. The firm examines the controls relevant to your selected criteria and issues an independent report stating its opinion on them.

The examination is built on the five Trust Services Criteria. Verigo’s Compliance by Design approach embeds those controls into how you already operate — so the evidence the examination needs is generated by the process, not assembled in a panic before each window.

Security is mandatory; the other four criteria are selected to fit your commitments
Type I examines design; Type II examines design and operating effectiveness
The natural hub for ISO 27001, HIPAA, and NIST evidence reuse
The five Trust Services Criteria

One required. Four by choice.

Security

Required

The mandatory Common Criteria — logical and physical access, change management, risk mitigation, and monitoring. Every SOC 2 examination includes it.

Availability

Optional

Whether the system meets the uptime and performance commitments made to customers, including capacity, backup, and recovery.

Processing Integrity

Optional

Whether processing is complete, valid, accurate, timely, and authorized — the data goes in and comes out correctly.

Confidentiality

Optional

How information designated as confidential is protected across its lifecycle, from collection through disposal.

Privacy

Optional

How personal information is collected, used, retained, disclosed, and disposed of in line with your privacy notice.

Type I & Type II examinations

Two examinations. Two questions.

A SOC 2 report comes in two forms. The difference is not the controls you build — it is what the examination is asked to prove about them.

SOC 2 Type I

Design, at a point in time.

A Type I examination reports on whether your controls are suitably designed to meet the selected Trust Services Criteria as of a single date — a snapshot of how the system is built.

Point–in–time opinion: Assesses control design on one specific date.
Faster to issue: No multi–month observation window required.
A natural first step: Often used to enter the market before a Type II.
Best when you need a credible report quickly, or are publishing your first SOC 2.
SOC 2 Type II

Operating effectiveness, over time.

A Type II examination reports on whether those controls were not only designed well but operated effectively across an observation window — typically three to twelve months of evidence.

Period–of–time opinion: Tests controls across a 3–12 month window.
Evidence of operation: Auditor samples real activity, not just policy.
The market expectation: What most enterprise buyers now require.
Best when customers and vendor–risk teams expect proof your controls actually run.
How Verigo delivers SOC 2

Four service lines, mapped to the SOC 2 examination lifecycle.

Engage any single stage or move through the whole journey with one accountable, senior–led team — coordinating the independent examination, with a peer–review quality gate on every deliverable.

01
Assess

Readiness Assessment

Scope the examination and find the gaps before the auditor does.

We help you define the right system boundary and Trust Services Criteria, then benchmark your current controls against them — scoring gaps by risk and effort and handing you an independent remediation roadmap.

What you receive
Scope & criteria selection
Control gap analysis against the TSC
Risk–scored remediation roadmap
Type I vs Type II recommendation
02
Implement

Implementation Toolkit

Build the controls and the evidence engine the examination will test.

A practitioner–led program that stands up the policies, controls, and procedures behind each criterion — and the evidence–collection routines that make a Type II observation window run quietly in the background.

What you receive
Policy & control implementation
Evidence collection procedures
Vendor & access review cadence
Control owner enablement
03
Prepare

Pre–Examination Preparation

Walk into the examination knowing the opinion will be clean.

A mock examination run by a lead reviewer independent of your implementation team — testing evidence against the criteria, surfacing exceptions while there is still time to remediate, and coaching your control owners for auditor walkthroughs.

What you receive
Mock examination & evidence test
Exception log & corrective actions
Control–owner walkthrough coaching
Auditor–request (PBC) readiness
04
Examine & Sustain

Examination & Renewal Support

Get the report issued — and keep earning it every year.

We coordinate with the licensed CPA firm that performs the independent examination, manage the evidence and exceptions through to a clean opinion, then keep your evidence engine running so each annual renewal is a non–event.

What you receive
CPA examination coordination
Evidence & exception management
Report review & remediation
Annual renewal support
The SOC 2 process, in alignment

From readiness to a clean opinion.

Here is how a SOC 2 engagement runs in practice — with the observation window that sets a Type II examination apart, and indicative durations.

Readiness (2–4 wks): Gap analysis against the chosen Trust Services Criteria.
Remediate (2–4 mo): Build controls, policies, and the evidence routine.
Prepare (2–4 wks): Mock examination and auditor–request readiness.
Observation (3–12 mo): Type II window — controls operate and evidence accrues.
Examination (3–6 wks): Independent CPA firm tests controls and evidence.
Report issued: SOC 2 opinion delivered; renew on an annual cycle.
What a SOC 2 examination delivers

The outcomes, in detail.

A SOC 2 report is the visible artifact — but the value compounds well beyond the PDF. Here is what the examination actually returns to your business.

A shareable independent report

The deliverable is a licensed CPA firm’s opinion on your controls — a report you can share under NDA to answer security due diligence in one document instead of a hundred emails.

Faster, unblocked sales

Security review is one of the most common reasons enterprise deals stall. A current SOC 2 report removes that blocker and shortens the path from interest to signature.

Less vendor–risk friction

Procurement and vendor–risk teams accept a SOC 2 report in place of bespoke questionnaires, so your team answers diligence once rather than for every prospect.

A repeatable evidence engine

Because controls are embedded into how you operate, each annual renewal draws on evidence the business already generates — the second examination is far lighter than the first.

A foundation you can reuse

The controls behind your SOC 2 map directly onto ISO 27001, HIPAA, and NIST — so the work you do here accelerates every framework that comes next.

A genuinely stronger posture

Beyond the report, the discipline of continuous evidence and monitoring leaves your organization measurably more resilient — not just certified on paper.

SOC 2 questions

Good to know before we start.

Questions on scope, criteria, or the difference between a Type I and Type II examination? A senior practitioner will walk you through it.

SOC 2 is an attestation examination performed by a licensed CPA firm under AICPA standards. The firm examines the controls relevant to your selected Trust Services Criteria and issues an independent report containing its opinion. It is an examination and opinion — not a pass/fail certification or a checklist audit.

It depends on your timeline and what customers are asking for. A Type I examination reports on control design at a point in time and can be issued quickly, which is useful for entering the market. A Type II examination tests operating effectiveness over a 3–12 month window and is what most enterprise buyers ultimately expect. Many clients publish a Type I first, then move into a Type II observation window.

Security (the Common Criteria) is mandatory in every SOC 2 examination. Availability, Processing Integrity, Confidentiality, and Privacy are optional — you select the ones that match the commitments you make to customers. We help you scope the right set in the readiness assessment so the examination is neither thin nor needlessly broad.

No — and that independence is the point. The examination and opinion must be issued by an independent licensed CPA firm. Verigo guides you through readiness, implementation, and preparation, and coordinates the examination, but we keep our pre–examination reviewer independent of your implementation team to protect the integrity of the result.

A SOC 2 report covers a stated period and customers generally expect one issued within the last twelve months. That is why we build a continuous evidence engine: rather than scrambling each year, your controls keep producing the evidence the next examination needs, making annual renewal routine.

Ready for your SOC 2 examination?

Tell us where you are — scoping your first Type I, moving into a Type II window, or renewing an existing report. We’ll come back with a scoped plan, fixed pricing, and the fastest path to a clean opinion.