SOC
Field notes on SOC 1, SOC 2, and SOC 3 reporting — structure, process, and what buyers actually read.
SOC 3 reports: the public-use version of your SOC 2
SOC 3 is the publicly distributable version of a SOC 2 Type II. Here is what it contains, how it is produced, and when it is worth adding to your audit.
Dev Agarwal6 min readSOC 1 Type 1 vs Type 2: which one your buyer is asking for
SOC 1 Type 1 vs Type 2 explained: point-in-time design versus operating effectiveness over 3 to 12 months, and which report a user auditor actually wants.
Dev Agarwal7 min readThe SOC 2 audit process, phase by phase
The SOC 2 audit process in real phases with honest timelines: scoping, readiness, observation window, fieldwork, draft, management review, issued report.
Dev Agarwal9 min readSOC 2 Type I vs Type II: which one to run first
A SOC 2 Type 2 audit tests operating effectiveness over months, not a single day. Here is when Type I is the right first step and when to skip it.
Dev Agarwal7 min readSOC 2 compliance requirements: the practical checklist
SOC 2 compliance requirements are not a fixed control list. The policies, controls, evidence, and observation-window mechanics auditors actually expect.
Dev Agarwal7 min readTrust Services Criteria, explained for SOC 2 scoping
The Trust Services Criteria are the AICPA categories a SOC 2 tests against. Here is what each one means and how to pick the right scope for your report.
Dev Agarwal6 min readWhat Is a SOC 1 Report? ICFR, Examples, and Who Asks
A SOC 1 report is an auditor's attestation on a service organization's controls relevant to its customers' financial reporting. Here is what's in one.
Dev Agarwal7 min readWhat is SOC 2 compliance? A founder's primer
What is SOC 2 compliance, who issues the report, why enterprise buyers ask for it, and how long it actually takes. A CPA firm's plain-English primer.
Dev Agarwal8 min read