An internal SOC 2 audit - often called a mock audit - is your last line of defense before the official examination. It tests your controls and evidence under audit conditions so you discover and fix problems on your own terms, rather than having the CPA firm surface them as exceptions on the report your customers will read. A strong internal audit is your best rehearsal for SOC 2 compliance.
This guide explains what an internal audit checks, how to run one, how it differs from the external audit, and why it so reliably leads to a clean result.
What an internal audit is
An internal SOC 2 audit is a self-conducted or advisor-led rehearsal of the official audit. It reviews each in-scope control against its criterion, samples evidence the way the CPA firm will, and confirms that policies match practice and that control owners can explain their work. It is not the official attestation - only a licensed CPA firm can issue that - but it mirrors the official process closely enough to reveal whether you are genuinely ready. Think of it as a full dress rehearsal performed before the audience arrives.
Why run an internal audit
The value of an internal audit is that it converts unknown risk into known, fixable findings while there is still time to act. Any gap it uncovers is one the external auditor will not find, because you will have closed it first. Given that an exception on your report is visible to every customer who reviews it, the economics are compelling: a private rehearsal is far less expensive, in both cost and reputation, than a public finding. Companies that run a thorough internal audit are the ones most likely to pass the real audit cleanly.
What an internal audit checks
A thorough internal audit examines the same things the external auditor will. It verifies that your scope and applicable criteria are correct, that you have the expected policies and that they reflect real practice, that the core control families operate, and that each control produces complete, verifiable evidence across the period. It also checks that your risk assessment is documented and current and that ownership is clearly assigned. The aim is to leave no requirement untested before the official engagement begins.
How to run one
Use your control matrix as the test plan. For each control, pull the same evidence the auditor would sample, evaluate whether it demonstrates the control operated consistently, and log any shortfall as a finding with an owner and a due date. Interview your control owners as the auditor would, to confirm they can explain their controls clearly. Treat the exercise with the same seriousness as the real audit, because a perfunctory internal audit that overlooks problems provides false comfort rather than genuine assurance.
Acting on the findings
An internal audit is only valuable if you remediate what it finds. Turn each finding into a tracked task, prioritize by audit impact, and close the items before the external fieldwork begins. Confirm that any newly fixed control is actually generating evidence: a control fixed late in the period only has evidence from the fix date forward, so its population will be partial and the auditor may still note that it did not operate for the full window. The discipline of working the findings to closure is what turns the internal audit from an interesting report into a reliable measure of readiness.
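The two steps above (test each control in the matrix against the evidence it produced over the period, then log every shortfall as a finding with an owner and a due date) are easy to make repeatable. The script below is an added example, not code from the original page or from ISpectra, and all control ids, owners, dates and evidence in it are constructed sample data rather than TSC references. It treats cadence-based controls (a quarterly access review, a monthly scan) and event-driven controls (one access-removal ticket per terminated employee) differently, and it reports a control that only began operating late in the period as a partial population rather than passing it because its most recent artifacts look fine.

```python
"""Evidence-population check for an internal SOC 2 audit.

Added example, not part of the original page or any vendor tooling. It runs a
sample control matrix against the evidence collected over the observation
period and returns the findings log. All control ids, owners, dates and
evidence below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PeriodicControl:
    """A control expected to operate on a fixed cadence (quarterly review, monthly scan)."""
    control_id: str
    owner: str
    cadence_days: int


@dataclass(frozen=True)
class EventControl:
    """A control that must operate once per event in a source-of-truth population."""
    control_id: str
    owner: str
    population: tuple  # e.g. employee ids taken from the HR termination list


@dataclass(frozen=True)
class Finding:
    control_id: str
    owner: str
    due: date
    detail: str


def check_periodic(ctrl, evidence_dates, period_start, period_end, due, grace_days=7):
    """Flag a missing, partial or gapped population for a cadence-based control.

    An artifact is on time if it lands within cadence_days + grace_days of the
    previous one. The same tolerance is applied to the start and end of the
    observation period, so a control fixed late in the period is reported as a
    partial population instead of passing on its last few artifacts.
    """
    limit = ctrl.cadence_days + grace_days
    dates = sorted(d for d in evidence_dates if period_start <= d <= period_end)
    if not dates:
        return [Finding(ctrl.control_id, ctrl.owner, due, "no evidence in observation period")]
    findings = []
    lead = (dates[0] - period_start).days
    if lead > limit:
        findings.append(Finding(ctrl.control_id, ctrl.owner, due,
                                f"partial population: first evidence {dates[0]} is {lead} days into the period"))
    for prev, cur in zip(dates, dates[1:]):
        gap = (cur - prev).days
        if gap > limit:
            findings.append(Finding(ctrl.control_id, ctrl.owner, due,
                                    f"missed occurrence: {gap}-day gap between {prev} and {cur}"))
    tail = (period_end - dates[-1]).days
    if tail > limit:
        findings.append(Finding(ctrl.control_id, ctrl.owner, due,
                                f"population ends early: last evidence {dates[-1]}, {tail} days before period end"))
    return findings


def check_event_driven(ctrl, evidenced_events, due):
    """Every event in the source-of-truth population needs its own artifact."""
    return [Finding(ctrl.control_id, ctrl.owner, due, f"no evidence for event {event}")
            for event in ctrl.population if event not in evidenced_events]


def run_mock_audit():
    """Run the constructed control matrix against constructed evidence; returns the findings log."""
    period_start, period_end = date(2024, 1, 1), date(2024, 12, 31)
    fieldwork_start = date(2025, 2, 3)
    due = fieldwork_start - timedelta(days=14)  # close every finding two weeks before fieldwork

    # Constructed control matrix; ids and owners are hypothetical
    access_review = PeriodicControl("AC-03", "it-lead", cadence_days=90)  # quarterly
    vuln_scan = PeriodicControl("VM-01", "secops", cadence_days=30)       # monthly
    offboarding = EventControl("AC-07", "hr-ops", population=("emp-101", "emp-102", "emp-103"))

    # Constructed evidence: one review ran late, scanning was only fixed in
    # September, and one terminated employee has no access-removal ticket.
    review_dates = [date(2024, 3, 28), date(2024, 7, 5), date(2024, 9, 30), date(2024, 12, 20)]
    scan_dates = [date(2024, 9, 1), date(2024, 10, 1), date(2024, 11, 1), date(2024, 12, 1)]
    offboarding_tickets = {"emp-101": "IT-4410", "emp-103": "IT-4472"}

    findings = []
    findings += check_periodic(access_review, review_dates, period_start, period_end, due)
    findings += check_periodic(vuln_scan, scan_dates, period_start, period_end, due)
    findings += check_event_driven(offboarding, offboarding_tickets, due)
    return findings


if __name__ == "__main__":
    for f in run_mock_audit():
        print(f"{f.control_id} owner={f.owner} due={f.due}: {f.detail}")
```

On the sample data this logs three findings: a 99-day gap between two quarterly reviews, a partial population for the scan control that only started producing evidence in September, and a missing ticket for emp-102. The grace window is deliberately a parameter; set it to whatever tolerance your own policy states, because the auditor will test against the cadence your policy promises, not the one that was convenient.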
Internal versus external audit
The internal audit and the external audit play distinct roles. The internal audit is a rehearsal you control, run by your team or an advisor, with no formal output beyond your own findings. The external audit is the official examination by an independent CPA firm that produces the report your customers rely on. Crucially, independence rules mean the firm that performs the external attestation cannot also have run your internal audit and remediation, because it would then be auditing its own work. The internal audit's entire purpose is to make the external one uneventful.
Who should run the internal audit
An internal audit can be run by your own security or compliance team or by an external advisor, and there are trade-offs. An internal team knows the environment intimately but may have normalized its own gaps; an experienced advisor brings an outside perspective that catches issues the team has stopped seeing. Many companies use an advisor for the internal audit precisely because that fresh, audit-trained view is more likely to find the problems that matter, while leaving the official attestation to a separate independent firm.
Internal audits for renewals
Although internal audits are associated with first-time programs, a periodic internal check is valuable for renewals too. Environments drift over a year, so a lightweight internal audit before each renewal confirms that controls still operate and evidence is still complete before the next observation period is examined. For mature programs with automated evidence this is quick, but it remains the lowest-cost insurance against a renewal exception caused by a control that quietly lapsed during the year.
Documenting the internal audit
Even though the internal audit produces no formal external report, documenting it well pays off. Record which controls you tested, what evidence you sampled, what you found, and how each finding was remediated. This record demonstrates a functioning internal oversight process, itself something auditors view favorably, and it gives you a baseline to compare against in future cycles. It also protects institutional memory: when people change roles, the documented internal audit shows the next owner what was checked and what was fixed. Treating the internal audit as a documented, repeatable process rather than an informal once-over makes it a durable part of your control environment instead of a one-time effort that leaves no trace.
Timing the internal audit
Timing matters as much as thoroughness. Run the internal audit far enough before external fieldwork that you have time to remediate what it finds, but late enough that the controls and evidence you test reflect the environment the auditor will examine. For a Type 2, this usually means conducting it in the latter part of the observation window, once controls have been operating long enough to produce meaningful populations, while still leaving a buffer before fieldwork begins. Running it too early tests controls that have barely operated; running it too late leaves no room to fix what it surfaces. Finding the right window - a few weeks before fieldwork - is what lets the internal audit do its job of making the external audit uneventful.
Using results to improve the program
The findings from an internal audit are most valuable when they feed back into how the program runs, not just into a one-time fix. A recurring gap - say, access reviews that are always slightly late - points to a process or ownership problem worth solving at the root rather than patching each cycle. Treating internal-audit findings as signals about where the control environment is weak, and adjusting the underlying processes accordingly, steadily reduces the number of issues each successive audit surfaces and moves the program toward genuine, self-sustaining reliability.
How ISpectra runs your internal audit
ISpectra conducts a thorough internal audit as the final readiness step - testing controls and evidence exactly as the CPA firm will, logging and remediating findings - so the official audit is a formality. This rehearsal is part of how we deliver a clean Type 1 within two months and a Type 2 within four, with fieldwork that rarely surfaces surprises.