
SOC 2 Auditor Field Work: What Happens During the Audit

SOC 2 auditor fieldwork is the testing phase. Understand what auditors do, how they test your controls, and how to respond to evidence requests efficiently.

Key Takeaways
  • Auditor fieldwork typically takes 4–6 weeks for a Type II engagement.
  • The PBC (Provided by Client) list is your primary deliverable during fieldwork — respond within 2 business days.
  • Control walkthroughs are brief interviews where the auditor asks you to explain how a control operates.
  • Auditors sample evidence from across the observation period — consistency throughout the period matters.
  • Timely, complete responses to evidence requests are the single biggest factor in fieldwork efficiency.

Fieldwork Overview

Auditor fieldwork is the testing phase of a SOC 2 engagement. For Type I, it tests whether controls are suitably designed and implemented as of a single point in time (the as-of date). For Type II, it also tests whether those controls operated effectively throughout the observation period.

Fieldwork phases:
  • Kickoff and system description review
  • PBC evidence requests
  • Control walkthroughs and interviews
  • Additional evidence requests and follow-up
  • Exception discussion and management response
  • Draft report review

Duration: Type I fieldwork — 2–4 weeks. Type II fieldwork — 4–6 weeks. The longer Type II duration reflects the need to test controls across the full observation period.

PBC Request Process

PBC (Provided by Client) list: within the first week of fieldwork, your auditor sends a list of evidence items they need to test specific controls. A typical PBC list contains 40–80 items covering all criteria in scope.

Response discipline: assign a dedicated person to manage PBC responses. Their only job during fieldwork is receiving requests, routing them to owners, collecting responses, and uploading to the auditor portal.

Response timeline: respond to each item within 2 business days. Longer delays extend fieldwork, potentially pushing report delivery by weeks. For time-sensitive requests (the auditor is blocking on a specific item), same-day response is appropriate.

Control Walkthroughs

A control walkthrough is a 15–45 minute session where an auditor asks a control owner to explain how a specific control operates. Questions: "Walk me through your access review process." "Who approves access requests?" "How do you handle access for contractors?" "What happens when an employee is terminated?"

Walkthrough preparation: brief every control owner on their specific controls 1–2 weeks before fieldwork. The owner should be able to describe the control clearly, reference supporting evidence, and answer follow-up questions without hesitation.

Key rule for walkthroughs: answer questions accurately and specifically. Do not describe an ideal process that does not reflect reality. Auditors cross-reference walkthrough answers against evidence — inconsistencies create exceptions.

How Auditors Sample Evidence

For Type II, auditors test whether controls operated throughout the observation period. They do this by sampling: selecting a subset of the population of control occurrences and testing each sample for effectiveness.

Sample sizes: the AICPA attestation standards (AT-C section 205) and the AICPA SOC 2 Guide leave sample sizes to the auditor's judgment, scaled to how often the control operates. For quarterly access reviews (4 occurrences in a 12-month period), the auditor will typically test all 4. For daily automated security scans (365 occurrences), the auditor may select 15–25 days at random from across the whole period.

The auditor selects sample dates independently and is not limited to the dates you pre-selected or pre-loaded. Because the sample is drawn from the whole period, consistent evidence throughout the observation period is critical: a multi-week gap in the middle of the period is very likely to be sampled, and once an auditor finds a missing item they may expand the sample around it.
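The effect of sampling on gaps can be made concrete with a small self-check you can run before the auditor does. The Python below is an added example, not code from the original post or from any auditor's or vendor's toolkit. It models a daily automated control over a 365-day observation period, lists the runs of days with no evidence artifact, and computes the probability that an auditor's random sample of n days (drawn without replacement from N occurrences) lands on at least one of g missing days: 1 - C(N-g, n)/C(N, n). The observation period, the control and the evidence dates are all constructed for the example; a real check would read the dates from the scanner's run history or your compliance tool's evidence store.

```python
"""Evidence coverage self-check for a daily control over a Type II observation period.

Added example, not part of the original post. All dates below are constructed.
"""
from datetime import date, timedelta
from fractions import Fraction
from math import comb
import random

# Constructed observation period: calendar 2023, 365 days.
PERIOD_START = date(2023, 1, 1)
PERIOD_END = date(2023, 12, 31)


def expected_dates(start, end):
    """Every day on which a daily control should have produced evidence (inclusive range)."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


def constructed_evidence_dates():
    """Hypothetical evidence log: one scan artifact per day, except a single missed day
    in March and a 14-day outage in June. A real tool would load these from the scanner."""
    missing = {date(2023, 3, 5)} | {date(2023, 6, 10) + timedelta(days=i) for i in range(14)}
    return {d for d in expected_dates(PERIOD_START, PERIOD_END) if d not in missing}


def find_gaps(expected, evidence):
    """Return contiguous runs of days with no evidence as (first_day, last_day) tuples."""
    gaps = []
    run_start = last_missing = None
    for d in expected:
        if d in evidence:
            if run_start is not None:
                gaps.append((run_start, last_missing))
                run_start = None
        else:
            if run_start is None:
                run_start = d
            last_missing = d
    if run_start is not None:  # gap runs to the end of the period
        gaps.append((run_start, last_missing))
    return gaps


def detection_probability(population, missing, sample_size):
    """P(a simple random sample of `sample_size` from `population` occurrences includes
    at least one of the `missing` ones) = 1 - C(N-g, n) / C(N, n), as an exact Fraction.
    math.comb returns 0 when n exceeds the number of good items, so the result is exactly 1
    when the gap is too large to miss (e.g. a quarterly control tested in full)."""
    if sample_size > population or missing > population:
        raise ValueError("sample size and missing count cannot exceed the population")
    return 1 - Fraction(comb(population - missing, sample_size), comb(population, sample_size))


def auditor_sample(expected, sample_size, seed=None):
    """Simulate the auditor's independent selection: random dates from the whole period."""
    return sorted(random.Random(seed).sample(expected, sample_size))


def coverage_report(expected, evidence, sample_size, seed=None):
    """Gaps, exact detection probability, and which days of one simulated sample lack evidence."""
    missing = sum(1 for d in expected if d not in evidence)
    sample = auditor_sample(expected, sample_size, seed)
    return {
        "population": len(expected),
        "missing_days": missing,
        "gaps": find_gaps(expected, evidence),
        "p_detect": detection_probability(len(expected), missing, sample_size),
        "sampled_days_without_evidence": [d for d in sample if d not in evidence],
    }


if __name__ == "__main__":
    expected = expected_dates(PERIOD_START, PERIOD_END)
    report = coverage_report(expected, constructed_evidence_dates(), sample_size=25, seed=1)
    for first, last in report["gaps"]:
        print(f"gap: {first} to {last} ({(last - first).days + 1} day(s))")
    print(f"{report['missing_days']} of {report['population']} days lack evidence")
    print(f"probability a 25-day sample hits a gap: {float(report['p_detect']):.1%}")
    print("sampled days without evidence:", report["sampled_days_without_evidence"])
```

Run it as a script to print the gaps and the detection probability for the constructed data. With 15 missing days out of 365, a 25-day sample has roughly a two-thirds chance of landing on at least one of them; a single missed day is caught only about 7% of the time (25/365), while a 30-day outage would be found close to 90% of the time. The same function returns exactly 1 for a quarterly control tested in full, which is why a skipped quarterly review is a near-certain exception.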

How Exceptions Are Identified

An exception occurs when the auditor's testing reveals that a control did not operate as described. Common causes: a quarterly access review was skipped for one quarter, a production deployment bypassed the required PR review, a terminated employee's access was not revoked within the documented timeframe.

When the auditor identifies a potential exception, they will discuss it with you before including it in the report. This gives you the opportunity to provide additional context (e.g. the evidence exists but was not provided, or there was a documented, approved exception with a compensating control) or to agree that an exception occurred.

Management response: for confirmed exceptions, you write a management response explaining root cause, remediation action taken, and preventive measures implemented. It is included in the final report, usually in a separate section of management's responses that the auditor does not opine on, referenced from the exception in the test results.

Fieldwork Completion

Fieldwork is complete when the auditor has tested all controls and resolved all open evidence requests. The auditor then drafts the report — typically 2–4 weeks after fieldwork close.

Before the final report, you receive a draft for review (typically 5–7 business days to review). Check: the system description accurately describes your service and infrastructure, control descriptions match what you actually implemented, exception descriptions are accurate, and your management responses are included correctly.

Frequently Asked Questions

Can we speed up auditor fieldwork?
Yes — the main levers are response speed to PBC requests and completeness of evidence pre-loaded in your compliance tool. Auditors who can access well-organised evidence without waiting for responses move faster. Pre-loading evidence before fieldwork begins is the single highest-impact preparation step.
Can the auditor test controls they were not notified about in advance?
Yes. Auditors can request evidence for any control relevant to the criteria in scope. They are not limited to controls you have described in your control matrix. Undocumented controls that exist operationally can be tested — but undocumented controls that do not operate cannot be evidenced.
What if we cannot find evidence the auditor requests?
Communicate immediately: explain why the evidence is unavailable and what compensating evidence exists (system logs, tickets or other records showing the control operated). If evidence genuinely does not exist because the control was not operating, acknowledge it; the auditor will note it as an exception. Backdating, altering or fabricating evidence is a serious professional and legal risk, and far worse than the exception itself.
How many people from our team will be interviewed during fieldwork?
For a typical 20–50 person company: 3–8 people across control walkthrough interviews. The programme owner (for overview and governance controls), engineering lead (for technical controls), HR or operations lead (for people controls), and potentially one or two engineers for specific control areas.
Can we decline to answer auditor questions?
You can, but it does not make the question go away. Your engagement letter commits you to providing the information necessary for the audit. If you refuse to provide evidence or answer questions, the auditor cannot test the control, which results in an exception or a scope limitation in the report, and a significant scope limitation can qualify the opinion.

AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.