Assisting With SOC 2 Audit Preparation
Overview
Automate SOC 2 Type I and Type II audit preparation by assessing controls across the five AICPA Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Inventory existing controls and evidence, perform gap analysis against each Common Criteria point (CC1-CC9), and produce an audit-ready evidence package with a readiness score and remediation backlog.
Prerequisites
- Policy and procedure documentation accessible in ${CLAUDESKILLDIR}/docs/ (information security policy, incident response plan, BCP/DR plan, vendor management procedures)
- Infrastructure-as-code and configuration files available for control verification
- Cloud provider audit logs accessible (AWS CloudTrail, Azure Activity Log, GCP Audit Logs) or exported
- Employee onboarding/offboarding and security awareness training records available
- Change management and access review logs accessible
- Write permissions for the audit workspace in ${CLAUDESKILLDIR}/soc2-audit/
Instructions
- Define audit scope: confirm in-scope services, systems, data stores, and audit period (Type I: point-in-time; Type II: observation window, typically 3-12 months). Identify applicable Trust Service Categories beyond the required Security criteria.
- Assess CC1 -- Control Environment: verify organizational structure documentation, security policy, board oversight, and security role/responsibility matrix. Check for gaps in documented accountability.
- Assess CC6 -- Logical and Physical Access Controls: verify MFA implementation, RBAC policies, password policy enforcement, access review cadence, and automated deprovisioning. Flag privileged access without monitoring.
- Assess CC7 -- System Operations: check monitoring and alerting configurations, backup procedures and testing records, incident response logs, and capacity planning documentation.
- Assess CC8 -- Change Management: review change approval workflows, deployment pipelines, rollback procedures, and change logs for the audit period.
- Collect evidence artifacts: organize evidence into the standard directory structure under ${CLAUDESKILLDIR}/soc2-audit/ with subdirectories per criteria (CC1-control-environment/, CC6-access-controls/, CC7-system-operations/, etc.).
- Test control effectiveness: for each control, verify design adequacy (properly designed?) and operating effectiveness (working as intended during the audit period?). Document test results with screenshots, log excerpts, or configuration exports.
- Perform gap analysis: classify findings as missing controls (critical gap), partially implemented controls (needs im
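The evidence-collection, control-testing and gap-analysis steps above, worked through as an added example (this is not the skill's own code). It uses a constructed control inventory and a constructed IAM user export; the CC6 control is tested automatically against that export (MFA on every account, monitoring on every privileged account, deprovisioning of dormant accounts), the other controls carry hand-entered test results. `EVIDENCE_DIRS` extends the page's subdirectory names with an assumed `CC8-change-management/`, the 90-day dormancy threshold is an assumption, and the workspace root defaults to a temporary directory rather than `${CLAUDESKILLDIR}/soc2-audit/`.

```python
"""Added example: minimal SOC 2 readiness assessor (not the skill's own code)."""
from dataclasses import dataclass, field
from pathlib import Path
import json
import tempfile

# Constructed IAM export, trimmed to the fields the CC6 checks need.
IAM_EXPORT = [
    {"user": "alice", "mfa": True, "admin": True, "activity_logged": True, "last_login_days": 3},
    {"user": "bob", "mfa": False, "admin": False, "activity_logged": True, "last_login_days": 12},
    {"user": "svc-deploy", "mfa": True, "admin": True, "activity_logged": False, "last_login_days": 1},
    {"user": "carol", "mfa": True, "admin": False, "activity_logged": True, "last_login_days": 120},
]

# Evidence subdirectory per criteria point; the CC8 name is an assumption.
EVIDENCE_DIRS = {
    "CC1": "CC1-control-environment",
    "CC6": "CC6-access-controls",
    "CC7": "CC7-system-operations",
    "CC8": "CC8-change-management",
}


@dataclass
class Control:
    cc: str              # Common Criteria point, e.g. "CC6.1"
    name: str
    designed: bool       # design adequacy: is the control properly designed?
    operating: bool      # operating effectiveness over the audit period
    evidence: list = field(default_factory=list)  # artifact file names
    findings: list = field(default_factory=list)  # test exceptions found


def check_cc6_access(export, dormant_days=90):
    """Automated CC6 test over an IAM export; returns a list of exceptions."""
    findings = []
    for u in export:
        if not u["mfa"]:
            findings.append(f"{u['user']}: MFA not enforced")
        if u["admin"] and not u["activity_logged"]:
            findings.append(f"{u['user']}: privileged access without monitoring")
        if u["last_login_days"] > dormant_days:
            findings.append(f"{u['user']}: dormant {u['last_login_days']}d, not deprovisioned")
    return findings


def classify(c):
    """Gap class: missing (critical), partial (needs improvement), effective."""
    if not c.designed:
        return "missing"
    if not c.operating:
        return "partial"
    return "effective"


def readiness_score(controls):
    """Percentage of controls that are both designed and operating effectively."""
    ok = sum(1 for c in controls if classify(c) == "effective")
    return round(100.0 * ok / len(controls), 1)


def remediation_backlog(controls):
    """Critical gaps first, then partial controls; effective ones are omitted."""
    rank = {"missing": 0, "partial": 1}
    gaps = [c for c in controls if classify(c) != "effective"]
    gaps.sort(key=lambda c: (rank[classify(c)], c.cc))
    return [{"cc": c.cc, "control": c.name, "severity": classify(c),
             "findings": c.findings} for c in gaps]


def build_evidence_tree(root, controls):
    """Create <root>/<CCn-name>/ and write one index file per control."""
    written = []
    for c in controls:
        sub = Path(root) / EVIDENCE_DIRS[c.cc.split(".")[0]]
        sub.mkdir(parents=True, exist_ok=True)
        index = sub / f"{c.cc}-index.txt"
        index.write_text(f"{c.cc} {c.name}\nstatus: {classify(c)}\n"
                         + "".join(f"evidence: {e}\n" for e in c.evidence)
                         + "".join(f"finding: {f}\n" for f in c.findings))
        written.append(str(index))
    return written


def assess(root=None, iam_export=IAM_EXPORT):
    """Run the assessment over a constructed inventory; returns the package."""
    root = root or tempfile.mkdtemp(prefix="soc2-audit-")
    cc6_findings = check_cc6_access(iam_export)
    controls = [
        Control("CC1.1", "Security policy approved by board", True, True,
                ["infosec-policy-v3.pdf", "board-minutes-2024Q1.pdf"]),
        Control("CC6.1", "MFA, privileged monitoring, deprovisioning", True,
                not cc6_findings, ["iam-users-export.json"], cc6_findings),
        Control("CC7.2", "Quarterly backup restore test", True, False,
                ["backup-policy.md"]),  # policy exists, no restore-test records
        Control("CC8.1", "Change approval before production deploy", False, False),
    ]
    return {"readiness_score": readiness_score(controls),
            "backlog": remediation_backlog(controls),
            "evidence_index": build_evidence_tree(root, controls)}


if __name__ == "__main__":
    print(json.dumps(assess(), indent=2))
```

Each control records both halves of the control-effectiveness test separately: a control that is well designed but has no operating evidence for the period (the CC7 backup policy without restore-test records) lands in the backlog as "partial", while an absent control (CC8 change approval) is "missing" and sorts first. The CC6 control's operating status is derived from the export rather than asserted, so every exception it finds is carried into both the backlog and the evidence index.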