SOC 2 Closing Meeting: What Happens at End of Audit
The SOC 2 closing meeting wraps up fieldwork. What to expect, how to respond to preliminary findings, and how to use management responses effectively.
- The closing meeting occurs after fieldwork is complete — auditors present their preliminary findings before issuing the draft report.
- This is your opportunity to provide context, correct misunderstandings, or provide additional evidence.
- Management responses to exceptions must be factual, specific, and forward-looking.
- The closing meeting is not a negotiation of the audit opinion — it is a professional discussion of findings.
- Come prepared: know your control weaknesses before the meeting, and have management response drafts ready.
What Is the Closing Meeting?
The closing meeting (also called a wrap-up or exit conference) is a meeting between the audit team and your management team at the conclusion of fieldwork. The auditor presents their preliminary findings — the exceptions and other observations they have identified during testing — before drafting the final report.
This is a professional discussion, not a formal proceeding. The purpose is to ensure findings are accurately described, provide management with an opportunity to correct factual inaccuracies, and collect management responses for inclusion in the report.
Closing Meeting Agenda
Opening: the audit manager summarises the engagement scope, observation period, and testing approach.
Preliminary findings: for each exception or observation, the auditor describes: the criterion, the control, what was tested, the sample or test performed, and the deviation found.
Discussion: management has the opportunity to clarify, provide additional context, or present additional evidence that the auditor may not have received.
Management response: the auditor explains the process for providing written management responses that will be included in the report.
Next steps: draft report timeline, review process, and final report delivery.
Responding to Preliminary Findings
When the auditor presents a preliminary finding, listen carefully before responding. Understand specifically: which criterion, which control, which test, which sample item, and what deviation was observed.
If the finding is factually inaccurate (e.g. the auditor tested the wrong entity, or a document was not included in the PBC response): provide the correct evidence immediately. Factual corrections are addressed before the report is drafted.
If the finding is accurate: acknowledge it. Do not dispute the auditor's testing procedures or attempt to negotiate the finding away. Focus your response on demonstrating your programme's overall effectiveness and your remediation plan.
Writing Management Responses
For each exception, management provides a written response that is included verbatim in the final report. An effective management response: (1) Acknowledges the exception without making excuses. (2) Explains the root cause briefly and factually. (3) Describes remediation action already taken. (4) Describes measures to prevent recurrence.
Example response: "During the observation period, one access review was delayed due to a system migration that temporarily restricted HR access to user management tools. The review was completed retroactively within 3 weeks of the scheduled date. We have since implemented automated reminders for access review due dates and verified that all required access reviews have been completed. We are implementing an additional compensating control to prevent future delays."
Avoid: blaming team members, minimising the finding, making claims about future actions without specific timelines, or including information that is not verifiable.
What Comes After the Closing Meeting
After the closing meeting: the auditor drafts the report (typically 2–4 weeks). You receive the draft for review — typically 5–7 business days. Review the draft carefully: system description accuracy, control descriptions, exception descriptions, and your management responses as inserted.
After you approve the draft (with any factual corrections addressed): the auditor finalises and issues the report. The final report is delivered electronically and constitutes the completed SOC 2 engagement.
After report delivery: file the report securely, set up your NDA-based distribution process, and update your trust centre. Simultaneously, your next observation period has already begun — the compliance programme continues.
Frequently Asked Questions
Can we prevent an exception from appearing in the report by providing additional evidence after the closing meeting?
What if we strongly disagree with a finding?
How many exceptions are "too many" for a SOC 2 report to be useful?
Should the CTO or CEO attend the closing meeting?
Can we request that findings not be included in the report?