
Assisting With SOC 2 Audit Preparation

Overview

Automate SOC 2 Type I and Type II audit preparation by assessing controls across the five AICPA Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Inventory existing controls and evidence, perform gap analysis against each Common Criteria point (CC1-CC9), and produce an audit-ready evidence package with a readiness score and remediation backlog.

Prerequisites

  • Policy and procedure documentation accessible in ${CLAUDE_SKILL_DIR}/docs/ (information security policy, incident response plan, BCP/DR plan, vendor management procedures)
  • Infrastructure-as-code and configuration files available for control verification
  • Cloud provider audit logs accessible (AWS CloudTrail, Azure Activity Log, GCP Audit Logs) or exported
  • Employee onboarding/offboarding and security awareness training records available
  • Change management and access review logs accessible
  • Write permissions for audit workspace in ${CLAUDE_SKILL_DIR}/soc2-audit/

Instructions

  1. Define audit scope: confirm in-scope services, systems, data stores, and audit period (Type I: point-in-time; Type II: observation window, typically 3-12 months). Identify applicable Trust Service Categories beyond the required Security criteria.
  2. Assess CC1 -- Control Environment: verify organizational structure documentation, security policy, board oversight, and security role/responsibility matrix. Check for gaps in documented accountability.
  3. Assess CC6 -- Logical and Physical Access Controls: verify MFA implementation, RBAC policies, password policy enforcement, access review cadence, and automated deprovisioning. Flag privileged access without monitoring.
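As an added example (not part of the skill or its repository), here is a Python sketch of the CC6 gap check described in step 3. It runs over a constructed account inventory, flags missing MFA, privileged access without activity monitoring, overdue access reviews, and late deprovisioning after termination, and turns the findings into the readiness score and severity-ordered remediation backlog the overview calls for. The 90-day review cadence, the one-day deprovisioning SLA, the account fields, and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed thresholds (not prescribed by SOC 2; set them from your own policy).
ACCESS_REVIEW_MAX_AGE = timedelta(days=90)   # quarterly access review cadence
DEPROVISION_SLA = timedelta(days=1)          # access removed within one day of termination


@dataclass
class Account:
    user: str
    mfa_enabled: bool
    privileged: bool
    monitored: bool                        # privileged activity forwarded to alerting/SIEM
    terminated_on: Optional[date] = None   # HR termination date, if any
    deprovisioned_on: Optional[date] = None  # date access was actually removed


@dataclass
class Finding:
    control: str     # CC6 criteria point the gap maps to
    account: str
    issue: str
    severity: str    # critical / high / medium / low


def assess_cc6(accounts: List[Account], last_access_review: Optional[date],
               as_of: date) -> Tuple[List[Finding], int]:
    """Return CC6 findings and a readiness score (percent of applicable checks passed).

    Each applicable check produces at most one finding, so passed = checks - findings.
    """
    findings: List[Finding] = []
    checks = 0
    for a in accounts:
        checks += 1                                   # CC6.1: MFA on every account
        if not a.mfa_enabled:
            findings.append(Finding("CC6.1", a.user, "MFA not enabled", "high"))
        if a.privileged:
            checks += 1                               # CC6.1: privileged access is monitored
            if not a.monitored:
                findings.append(Finding("CC6.1", a.user,
                                        "privileged access without activity monitoring", "high"))
        if a.terminated_on is not None:
            checks += 1                               # CC6.2: timely deprovisioning
            late = (a.deprovisioned_on is None
                    or a.deprovisioned_on - a.terminated_on > DEPROVISION_SLA)
            if late:
                findings.append(Finding("CC6.2", a.user,
                                        "access not removed within SLA after termination",
                                        "critical"))
    checks += 1                                       # CC6.3: periodic access review performed
    if last_access_review is None or as_of - last_access_review > ACCESS_REVIEW_MAX_AGE:
        findings.append(Finding("CC6.3", "-", "periodic access review overdue", "medium"))
    passed = checks - len(findings)
    score = round(100 * passed / checks) if checks else 0
    return findings, score


def remediation_backlog(findings: List[Finding]) -> List[Finding]:
    """Order findings so the audit team works the most severe gaps first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (rank[f.severity], f.control, f.account))


# Constructed sample inventory (assumption, not real data).
SAMPLE_ACCOUNTS = [
    Account("alice", mfa_enabled=True, privileged=True, monitored=True),
    Account("bob", mfa_enabled=False, privileged=False, monitored=False),
    Account("carol", mfa_enabled=True, privileged=True, monitored=False),
    Account("dave", mfa_enabled=True, privileged=False, monitored=False,
            terminated_on=date(2026, 1, 10), deprovisioned_on=date(2026, 1, 20)),
]
LAST_ACCESS_REVIEW = date(2025, 10, 1)
AS_OF = date(2026, 3, 1)


if __name__ == "__main__":
    found, readiness = assess_cc6(SAMPLE_ACCOUNTS, LAST_ACCESS_REVIEW, AS_OF)
    print(f"CC6 readiness score: {readiness}%")
    for f in remediation_backlog(found):
        print(f"[{f.severity}] {f.control} {f.account}: {f.issue}")
```

In a real engagement the `Account` records would be built from the identity provider export and HR offboarding log named in the prerequisites, and each finding would be written into the evidence package alongside the raw record that produced it.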
Installs: 2 · GitHub Stars: 2.2K · First Seen: Mar 3, 2026