
SOC 2 Testing Procedures: How Auditors Test Your Controls

SOC 2 auditors use five testing procedures to evaluate your controls. Understand what they are looking for and how to prepare evidence for each test type.

Key Takeaways
  • SOC 2 auditors use five testing procedures: inquiry, observation, inspection, re-performance, and analytical procedures.
  • Inquiry (interviews) without corroborating evidence is the weakest form of testing — auditors combine inquiry with inspection.
  • Re-performance — the auditor independently performs the control — is the strongest testing procedure.
  • Inspection of evidence is the most common testing procedure for automated controls.
  • Prepare evidence that makes inspection straightforward: structured files with clear labels, dates, and context.

The Five Testing Procedures

AICPA auditing standards define five types of testing procedures:
  • Inquiry — asking personnel how controls operate.
  • Inspection — reviewing documents, records, and system configurations.
  • Observation — watching a process or control being performed.
  • Re-performance — independently performing the control to verify it produces the expected result.
  • Analytical procedures — evaluating relationships between data sets to identify unusual patterns.

For SOC 2, auditors typically combine multiple procedures for each control. Inquiry alone is insufficient — auditors must corroborate oral statements with evidence. The combination provides stronger assurance than any single procedure.

Inquiry (Interviews)

Inquiry is used for: understanding how controls operate (walkthrough interviews), obtaining explanations for unusual results in data, and confirming management's awareness of control environment conditions.

Inquiry limitations: people can describe processes inaccurately (intentionally or not). Auditors always corroborate inquiry with inspection or re-performance. If you say "we require PR reviews before production deployment," the auditor will inspect GitHub PR history to verify.

Prepare for inquiry by: briefing all control owners, ensuring answers are consistent with policies and evidence, and having specific examples ready (the last access review date, the last terminated employee offboarding ticket).

Inspection (Evidence Review)

Inspection is the most commonly used SOC 2 testing procedure. The auditor reviews documents, records, and system configurations to verify that controls exist and operated as described.

What auditors inspect: policy documents (dated, approved, distributed), access review spreadsheets, change management tickets, vendor SOC 2 reports, penetration test reports, system configuration screenshots, and automated report exports.

Evidence quality for inspection: well-labelled files with dates, structured spreadsheets rather than unstructured screenshots, and context notes explaining what each piece of evidence demonstrates.

Re-Performance

Re-performance is the strongest testing procedure: the auditor independently performs a control (or a step in a control) to verify that it produces the expected result. For SOC 2, common re-performance tests include: independently running an IAM credential report to verify MFA status, running a Security Hub CIS check to verify compliance score, and independently reviewing a change ticket to verify required approvals were present.

Re-performance evidence preparation: ensure that the control produces the same result when an auditor runs it independently as when you run it. If your IAM credential report shows all MFA enabled when you run it but shows some users without MFA when the auditor runs it, that is an immediate finding.
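The MFA re-performance test above is easy to make deterministic and repeatable. The following script is an added example, not code from the original post or from any audit firm: it parses an IAM credential report in the column layout AWS produces (only the columns it uses are shown), lists console users without an MFA device, and diffs our run against the auditor's independent run so a regression like the one described shows up before fieldwork. The report contents and the account id are constructed sample data.

```python
"""Check an IAM credential report for console users without MFA, and compare
two independent runs the way an auditor's re-performance would.
Added example; report text below is constructed sample data."""
import csv
import io

# Constructed sample: the report as we exported it for the evidence pack.
OUR_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true
bob,arn:aws:iam::123456789012:user/bob,true,true,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true
"""

# Constructed sample: the same report as the auditor pulled it a week later.
# bob's MFA device was removed after our evidence was collected: the control regressed.
AUDITOR_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true
"""


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Return users who can sign in with a password but have no active MFA device.

    Identities with no console password (access-key-only service users) are
    excluded: the MFA control in this example covers console sign-in only.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # The root account reports password_enabled=not_supported in the real
        # report but always has a console password, so treat it as enabled.
        has_password = row["password_enabled"] in ("true", "not_supported")
        if has_password and row["mfa_active"] != "true":
            findings.append(row["user"])
    return sorted(findings)


def compare_runs(our_csv: str, auditor_csv: str) -> dict[str, list[str]]:
    """Diff the findings of two independent runs of the same control.

    new_findings: users without MFA in the auditor's run but not in ours
                  (the evidence is stale or the control regressed).
    resolved:     users without MFA in our run that the auditor no longer sees.
    """
    ours = set(console_users_without_mfa(our_csv))
    theirs = set(console_users_without_mfa(auditor_csv))
    return {"new_findings": sorted(theirs - ours), "resolved": sorted(ours - theirs)}


if __name__ == "__main__":
    print("our run:      ", console_users_without_mfa(OUR_REPORT))
    print("auditor's run:", console_users_without_mfa(AUDITOR_REPORT))
    print("difference:   ", compare_runs(OUR_REPORT, AUDITOR_REPORT))
```

Running this check on a freshly generated report the day before the auditor re-performs the control, and keeping both the report and the script output in the evidence folder, is what turns "we run the credential report" into a result the auditor reproduces rather than disputes.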

Observation

Observation involves the auditor watching a control being performed in real time. For SOC 2, observation is less common than inspection, but may be used for: watching a deployment process to verify change management gates are enforced, observing an access review meeting, or observing a security incident response tabletop exercise.

Observation is more common in on-site audits. Remote audits (now common post-2020) typically use screen sharing for real-time observation of system configurations.

Analytical Procedures

Analytical procedures look for unusual patterns or anomalies in data. For SOC 2, auditors may: compare the count of employees against the count of active accounts to identify orphaned accounts, review the frequency of security alerts over the observation period for unusual spikes or gaps, or compare change management ticket counts against deployment records to identify undocumented changes.

Analytical testing is particularly effective at finding operating gaps that are not visible in individual evidence items. A sudden drop in Security Hub findings mid-period (when Security Hub was temporarily disabled) or a month with zero change management tickets (when deployments clearly happened) is exactly the kind of gap analytical procedures flag.
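The three analytical comparisons described in this section (employees vs. active accounts, change tickets vs. deployments, and alert cadence over the period) can be run internally before the auditor does. The script below is an added example, not the post's or any audit tool's code: the rosters, dates and monthly finding counts are constructed sample data, and the monthly granularity and the 50% drop threshold are assumptions chosen for illustration. The ticket check generalises slightly beyond the text, flagging any month where deployments outnumber approved tickets rather than only months with zero tickets.

```python
"""Analytical checks an auditor might run over a SOC 2 observation period.
Added example; all data below is constructed."""
from collections import Counter
from datetime import date

# Constructed HR roster and identity-provider export (active accounts by email).
HR_ROSTER = {"alice@example.com", "bob@example.com", "carol@example.com"}
ACTIVE_ACCOUNTS = {"alice@example.com", "bob@example.com",
                   "carol@example.com", "dave@example.com"}

# Constructed approved change tickets and production deployments, by date.
CHANGE_TICKETS = [date(2024, 1, 9), date(2024, 1, 23),
                  date(2024, 3, 5), date(2024, 3, 19)]
DEPLOYMENTS = [date(2024, 1, 9), date(2024, 1, 23),
               date(2024, 2, 14), date(2024, 2, 27),
               date(2024, 3, 5), date(2024, 3, 19)]

# Constructed monthly count of new Security Hub findings over the period.
MONTHLY_FINDINGS = {"2024-01": 42, "2024-02": 39, "2024-03": 3, "2024-04": 40}


def orphaned_accounts(roster: set[str], accounts: set[str]) -> list[str]:
    """Active accounts with no matching active employee: likely missed offboarding."""
    return sorted(accounts - roster)


def month_key(d: date) -> str:
    return d.strftime("%Y-%m")


def months_with_undocumented_changes(tickets: list[date],
                                     deployments: list[date]) -> dict[str, dict[str, int]]:
    """Months where deployments outnumber approved change tickets.

    A month with deployments and zero tickets is the case the text describes;
    any shortfall of tickets against deployments is reported the same way.
    """
    ticket_counts = Counter(month_key(d) for d in tickets)
    deploy_counts = Counter(month_key(d) for d in deployments)
    return {
        m: {"deployments": deploy_counts[m], "tickets": ticket_counts[m]}
        for m in sorted(deploy_counts)
        if deploy_counts[m] > ticket_counts[m]
    }


def cadence_gaps(monthly_counts: dict[str, int], min_ratio: float = 0.5) -> list[str]:
    """Months whose count falls below min_ratio of the previous month's count.

    A drop of this size mid-period is what you would expect if the tool that
    produces the findings was disabled or its export stopped being collected.
    """
    gaps = []
    previous = None
    for month in sorted(monthly_counts):
        count = monthly_counts[month]
        if previous is not None and count < min_ratio * previous:
            gaps.append(month)
        previous = count
    return gaps


if __name__ == "__main__":
    print("orphaned accounts:    ", orphaned_accounts(HR_ROSTER, ACTIVE_ACCOUNTS))
    print("undocumented changes: ", months_with_undocumented_changes(CHANGE_TICKETS, DEPLOYMENTS))
    print("cadence gaps:         ", cadence_gaps(MONTHLY_FINDINGS))
```

Each function returns the anomaly the auditor would ask about, so the output doubles as a checklist: an explanation (a contractor account, an emergency change with a retrospective ticket, a tool outage with a dated incident record) should exist for every item before fieldwork starts.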

Preparing for Each Procedure Type

For inquiry: brief all control owners, ensure consistent answers, prepare specific examples. For inspection: organise evidence with clear labels, dates, and context. Structure evidence in your compliance tool by criterion. For re-performance: ensure controls produce consistent, verifiable results when independently run.

For observation: make control processes accessible to remote observation (screen sharing, system demos). For analytical: ensure data is complete and consistent throughout the observation period — gaps in evidence cadence will be noticed.

Frequently Asked Questions

How does an auditor decide which testing procedures to use for each control?
Auditors assess the nature of the control (automated vs. manual, continuous vs. periodic) and select procedures that provide sufficient evidence of operating effectiveness. Automated controls are typically tested via inspection and re-performance. Manual controls require inquiry corroborated by inspection of records.
Can an automated control be tested only through inspection?
Often yes, for Type II. If the automated control's configuration is inspectable (e.g. AWS GuardDuty enabled in all regions, verified via Config), the auditor may test the configuration plus a sample of the automated outputs without re-performing the control. Continuous automated controls are often tested via configuration inspection plus output sampling.
What happens if re-performance produces a different result than our evidence?
This is a red flag. If the auditor independently runs an IAM credential report and finds MFA disabled for a user, but your evidence shows MFA enabled, the auditor will investigate. Possible explanations: the evidence is outdated, the control regressed since evidence was collected, or the evidence was falsified. All three require investigation.
How many samples does an auditor typically test per control?
AICPA sampling guidance suggests sample sizes of 15–60 items for populations of 100–500 occurrences (12 months of daily events). For quarterly controls (4 occurrences): typically all 4. For annual controls (1 occurrence): the single occurrence is inspected. Auditors may adjust sample sizes based on risk and prior engagement experience.
Does the audit firm have a standardised set of testing procedures for each criterion?
Most established SOC 2 audit firms have standardised test programs that define testing procedures for each Trust Services Criterion. These are tailored to your specific controls during the engagement planning phase. Ask your auditor to share their test program (or a summary) at the start of fieldwork so you know what to prepare.
