AICPA Trust Services Criteria — What Your Auditor Actually Tests
CC1.4 — Commitment to Competence. Management must ensure personnel are trained to perform their responsibilities securely. Auditors look for documented training completion rates across all employees — not just IT.
CC2.2 — Internal Communication. Security policies and awareness must be communicated throughout the organisation. Training logs, phishing simulation results, and policy acknowledgment records are direct evidence auditors test under CC2.2.
Why Type II is Different. Type I reports assess control design at a point in time. Type II reports assess whether controls operated effectively over 6–12 months. Enterprise buyers increasingly demand Type II specifically because Type I tells them controls existed on paper, not that they worked in practice. Your training programme must run across the full observation period.
The 87% Statistic. 87% of B2B buyers require SOC 2 before signing a contract (Drata 2025). If you're pursuing enterprise sales, a Type II report is table stakes — not a nice-to-have. Start the checklist now.