SOC 2 6 min read

SOC 2 Self-Assessment: Can You Do It Without an Auditor?

A SOC 2 self-assessment can prepare you for audit, but it cannot replace one. Understand what self-assessment covers, its limitations, and when it is useful.

Key Takeaways
  • A SOC 2 self-assessment cannot produce an official SOC 2 report — only a licensed CPA firm can issue a SOC 2 attestation.
  • Self-assessments are valuable for gap analysis, preparation, and pre-audit review.
  • Some companies use a self-assessment phase before engaging a formal auditor to reduce audit fees.
  • Self-assessment tools such as AuditPath provide structured frameworks for evaluating control coverage and tracking remediation.
  • Do not represent a self-assessment as a SOC 2 report to customers — it is an internal preparation tool, not an independent attestation.

What Is a SOC 2 Self-Assessment?

A SOC 2 self-assessment is an internal evaluation of your security controls against the Trust Services Criteria. You (or your team) systematically review each criterion, assess whether your controls are suitably designed and operating, identify gaps, and produce a readiness score or report.

A self-assessment is conducted by the service organisation itself, not by an independent auditor. It produces internal documentation — not an official SOC 2 report and not an independent attestation.

What a Self-Assessment Covers

A thorough self-assessment mirrors the gap analysis phase of formal audit preparation. For each criterion: describe your current control, evaluate whether it meets the criterion requirement, identify design gaps and operating gaps, and document supporting evidence.

Self-assessment using a compliance tool such as AuditPath is more structured than a spreadsheet-based approach. The tool maps your evidence to criteria automatically, surfaces gaps based on integration data, and tracks remediation progress. Whichever approach you use, keep design gaps (no control exists for a criterion) separate from operating gaps (a control exists but was not performed or evidenced throughout the period), because they are remediated differently.
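To make the design-gap versus operating-gap distinction concrete, here is an added illustration in Python of the tracking logic a spreadsheet or tool performs. It is not AuditPath's code. The criterion IDs are real Trust Services Criteria identifiers; the control names, frequencies, observation period and evidence dates are constructed sample data. A criterion with no mapped control is a design gap; a control whose evidence does not cover every expected window of the observation period is an operating gap.

```python
"""Design-gap vs operating-gap tracker for a SOC 2 self-assessment.

Added illustration, not AuditPath's code. Criterion IDs are real Trust
Services Criteria identifiers; the control names, frequencies and
evidence dates below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Control:
    control_id: str
    description: str
    criteria: list[str]                 # TSC criteria this control is mapped to
    frequency_days: int                 # how often the control should produce evidence
    evidence_dates: list[date] = field(default_factory=list)


@dataclass(frozen=True)
class Gap:
    criterion: str
    kind: str                           # "design" (no control) or "operating" (not evidenced)
    detail: str


def evidence_windows(period_start: date, period_end: date, frequency_days: int):
    """Split the observation period into windows in which the control must be evidenced.

    The final window absorbs any remainder so a short tail does not create a spurious gap.
    """
    total_days = (period_end - period_start).days + 1
    n_windows = max(1, total_days // frequency_days)
    for i in range(n_windows):
        w_start = period_start + timedelta(days=i * frequency_days)
        w_end = period_end if i == n_windows - 1 else w_start + timedelta(days=frequency_days - 1)
        yield w_start, w_end


def assess(criteria: list[str], controls: list[Control],
           period_start: date, period_end: date) -> list[Gap]:
    """Return design gaps (criterion with no control) and operating gaps
    (control with no evidence in some window of the observation period)."""
    mapped: dict[str, list[Control]] = {c: [] for c in criteria}
    for ctl in controls:
        for crit in ctl.criteria:
            if crit in mapped:
                mapped[crit].append(ctl)

    gaps: list[Gap] = []
    for crit in criteria:
        if not mapped[crit]:
            gaps.append(Gap(crit, "design", "no control mapped to this criterion"))
            continue
        for ctl in mapped[crit]:
            for w_start, w_end in evidence_windows(period_start, period_end, ctl.frequency_days):
                if not any(w_start <= d <= w_end for d in ctl.evidence_dates):
                    gaps.append(Gap(crit, "operating",
                                    f"{ctl.control_id}: no evidence between {w_start} and {w_end}"))
    return gaps


def readiness_score(criteria: list[str], gaps: list[Gap]) -> int:
    """Percentage of criteria with no open gap of either kind."""
    with_gaps = {g.criterion for g in gaps}
    return round(100 * (len(criteria) - len(with_gaps)) / len(criteria))


def run_sample():
    """Constructed sample: a six-month observation period with one missed review."""
    criteria = ["CC6.1", "CC6.2", "CC6.3", "CC7.2"]
    controls = [
        # Quarterly review evidenced once; the second quarter's review never happened.
        Control("AC-01", "Quarterly user access review", ["CC6.2", "CC6.3"],
                frequency_days=90, evidence_dates=[date(2024, 2, 14)]),
        # MFA configuration export captured in both quarters.
        Control("AC-02", "MFA enforced for all Okta users", ["CC6.1"],
                frequency_days=90, evidence_dates=[date(2024, 1, 10), date(2024, 5, 5)]),
        # Nothing is mapped to CC7.2 (monitoring): a design gap.
    ]
    gaps = assess(criteria, controls, date(2024, 1, 1), date(2024, 6, 30))
    return gaps, readiness_score(criteria, gaps)


if __name__ == "__main__":
    sample_gaps, score = run_sample()
    for g in sample_gaps:
        print(f"[{g.kind:9}] {g.criterion}: {g.detail}")
    print(f"readiness: {score}%")
```

Running the sample reports one design gap (CC7.2) and two operating gaps (CC6.2 and CC6.3, both from the missed second-quarter access review), for a readiness score of 25%. Splitting the period into windows is what surfaces the missed quarter early rather than at the end-of-period evidence scramble.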

What It Cannot Do

A self-assessment cannot produce a SOC 2 report. AICPA standards require that SOC 2 reports be issued by a licensed CPA firm operating under AT-C Section 205. No self-assessment tool, no internal compliance review, and no consulting engagement (unless conducted by a licensed CPA firm in an independent capacity) can produce a report that enterprise buyers will accept as a SOC 2 report.

Self-assessment lacks independence. When you assess your own controls, you are subject to confirmation bias — you may unconsciously evaluate your controls more favourably than an independent auditor would. Evidence that might raise questions in an independent audit may not raise questions in a self-assessment.

When Self-Assessment Is Useful

Use case 1: Pre-audit gap analysis. Before engaging a CPA firm, conduct a self-assessment to identify major gaps. Closing gaps before the formal audit reduces audit fees, because every exception the auditor finds and documents during fieldwork is billable time.

Use case 2: Pre-audit readiness review. 6–8 weeks before fieldwork begins, conduct a self-assessment to verify evidence completeness. This is the pre-audit evidence review described in the audit preparation articles.

Use case 3: Interim compliance monitoring. Between annual audits, conduct quarterly self-assessments to verify controls are still operating effectively. This is continuous monitoring that supports your annual programme.

Use case 4: Early-stage signal to prospects. Some early-stage companies share a self-assessment output with prospects, alongside confirmation that a formal audit is underway, as an interim signal of programme maturity. This is acceptable if presented accurately ("we have completed a self-assessment and are currently engaged with [CPA firm] for our formal SOC 2 audit").

Self-Assessment Tools

AuditPath provides a structured self-assessment framework that maps to SOC 2 Trust Services Criteria. The tool evaluates your control coverage based on integration data (AWS, GitHub, Okta) and flags gaps automatically. You can use it as your primary gap analysis and readiness tracking tool.

Spreadsheet-based: a well-designed spreadsheet with criteria, current state description, gap assessment, and evidence tracking is a viable self-assessment tool for companies not yet using a compliance automation platform.

AICPA resources: the AICPA provides public guidance documents on the Trust Services Criteria that can serve as the basis for a structured self-assessment without a paid tool.

From Self-Assessment to Formal Audit

Self-assessment to formal audit path: (1) Complete a thorough self-assessment using AuditPath or a structured spreadsheet. (2) Address all design gaps identified. (3) Begin collecting evidence for operating effectiveness (for a Type II report, this is the start of your observation period, so controls must be operating before it begins). (4) Engage a CPA firm for the formal engagement. (5) Provide your self-assessment documentation as context for the auditor (not as a formal input, but as background on your programme).

The value proposition: companies that complete a thorough self-assessment before engaging an auditor typically have 30–50% fewer gaps discovered during fieldwork. Fewer fieldwork gaps = faster fieldwork = lower audit fees and faster report delivery.

Frequently Asked Questions

Can we share a self-assessment report with customers instead of a SOC 2 report?
Only if you clearly represent it as a self-assessment, not as a SOC 2 report. Label it 'Security Self-Assessment — Not an Independent Audit.' Some early-stage prospects accept this as an interim measure. Enterprise procurement security teams will not accept it as a substitute for an independently audited SOC 2 report.
Is a readiness assessment by a consulting firm the same as a SOC 2 audit?
No, unless the consulting firm is conducting an actual audit engagement under AT-C Section 205. Many consulting firms offer "SOC 2 readiness assessments" — these are gap analysis services, not audits. They are valuable for preparation but do not produce a SOC 2 report.
How often should we conduct internal self-assessments?
Quarterly self-assessments are a best practice during the observation period. This maintains continuous visibility into control effectiveness and prevents the end-of-period scramble to find missing evidence. Monthly for high-risk controls (access management, logging) is even better.
Can we use our self-assessment results to brief a new auditor?
Yes. Sharing your internal gap analysis and self-assessment documentation with a new auditor during the engagement planning phase helps them understand your programme quickly. This can reduce planning time and help the auditor tailor their testing to areas of genuine risk.
How does AuditPath support self-assessment?
AuditPath's compliance platform provides a control library, gap analysis dashboard, evidence tracking, and integration-based automated scanning — all of which function as a structured self-assessment tool. It connects to your AWS, GitHub, and Okta environments to automatically surface configuration gaps and evidence coverage.

Automate your compliance today

AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.
