SOC 2 Control Self-Test Worksheet
Pre-audit self-test worksheet for verifying that SOC 2 Trust Services controls are designed, operating, and supported by evidence before auditor testing.
Inspection Scope & Readiness
- Control scope matches the in-scope system and Trust Services Criteria
  Verify the worksheet is limited to the scoped services, locations, and Trust Services Criteria in the audit period.
- Evidence period covers the audit window
  Confirm evidence dates fall within the period under review.
- Control owner identified for each in-scope control
  Each control has a named owner responsible for operation and evidence retention.
- Evidence repository is accessible and organized
  Assess whether evidence can be retrieved quickly and consistently during auditor testing.
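The four readiness checks above can be run mechanically against an evidence manifest before the auditor asks for anything. The following is an added example, not part of the worksheet: the audit window, the in-scope criteria, the manifest rows and the repository index are all constructed here to exercise each check (one row is out of period, one has no owner, one is outside scope, one is listed but not retrievable).

```python
"""Pre-audit evidence manifest check (added example, not part of the
worksheet). Flags evidence dated outside the audit window, controls with
no named owner, controls outside the scoped Trust Services Criteria, and
evidence the repository index cannot locate.
"""
from dataclasses import dataclass
from datetime import date

# Assumed audit period and scope; the worksheet itself defines neither.
AUDIT_START = date(2024, 1, 1)
AUDIT_END = date(2024, 12, 31)
IN_SCOPE_CRITERIA = {"Security", "Availability", "Confidentiality"}

# Constructed evidence manifest: one row per evidence item.
MANIFEST = [
    {"control": "CC6.2-access-review", "criteria": "Security", "owner": "iam-lead",
     "evidence": "access-review-2024Q2.pdf", "date": "2024-07-02"},
    {"control": "CC8.1-change-mgmt", "criteria": "Security", "owner": "",
     "evidence": "change-samples-2024.csv", "date": "2024-09-15"},
    {"control": "A1.2-backup", "criteria": "Availability", "owner": "sre-lead",
     "evidence": "backup-report-2023-12.pdf", "date": "2023-12-30"},
    {"control": "PI1.2-reconcile", "criteria": "Processing Integrity", "owner": "fin-ops",
     "evidence": "recon-2024-06.xlsx", "date": "2024-06-30"},
    {"control": "C1.1-classification", "criteria": "Confidentiality", "owner": "ciso",
     "evidence": "data-classification-policy.pdf", "date": "2024-03-01"},
]

# Constructed index of what the evidence repository can actually serve.
REPOSITORY_INDEX = {
    "access-review-2024Q2.pdf",
    "change-samples-2024.csv",
    "backup-report-2023-12.pdf",
    "recon-2024-06.xlsx",
}


@dataclass(frozen=True)
class Finding:
    control: str
    issue: str


def check_manifest(manifest=MANIFEST, start=AUDIT_START, end=AUDIT_END,
                   criteria=IN_SCOPE_CRITERIA, index=REPOSITORY_INDEX):
    """Return one Finding per readiness problem; an empty list means ready."""
    findings = []
    for row in manifest:
        cid = row["control"]
        if row["criteria"] not in criteria:
            findings.append(Finding(cid, f"out of scope: {row['criteria']}"))
        if not row["owner"].strip():
            findings.append(Finding(cid, "no control owner"))
        when = date.fromisoformat(row["date"])
        if not (start <= when <= end):
            findings.append(Finding(cid, f"evidence dated {when} outside audit window"))
        if row["evidence"] not in index:
            findings.append(Finding(cid, f"evidence not in repository: {row['evidence']}"))
    return findings


def controls_with_findings(findings):
    """Distinct controls that need attention, in manifest order."""
    return list(dict.fromkeys(f.control for f in findings))


if __name__ == "__main__":
    for f in check_manifest():
        print(f"{f.control}: {f.issue}")
```

Run as-is and each constructed defect prints one line; in practice the manifest would be exported from the evidence repository and the window and scope taken from the engagement letter.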
Security Controls
- User access reviews completed on schedule
  Verify periodic access reviews were performed and exceptions were remediated.
- Privileged access is restricted and approved
  Confirm elevated access is limited to authorized users with documented approval.
- Change management evidence exists for sampled changes
  Check that sampled production changes have request, approval, testing, and deployment evidence.
- Security logging and monitoring alerts are reviewed
  Confirm logs are generated, retained, and reviewed for suspicious activity.
- Security incidents are tracked and investigated
  Verify incident records show triage, investigation, containment, and closure.
Availability & Resilience Controls
- Backups are performed and monitored
  Verify backup jobs ran successfully and failures were remediated.
- Restore test evidence is available
  Confirm a recent restore test was completed and documented with results.
- Availability monitoring thresholds are defined
  Check that uptime or service health thresholds are documented and monitored.
- Business continuity or disaster recovery plan is current
  Verify the plan has been reviewed within the required cycle and reflects current dependencies.
Processing Integrity Controls
- Input validation rules are documented and operating
  Confirm key data validation checks are defined and functioning as intended.
- Exception handling and reprocessing are evidenced
  Verify exceptions are logged, reviewed, and reprocessed where appropriate.
- Output reconciliations are performed
  Check that output totals or reconciliations are reviewed for completeness and accuracy.
Confidentiality & Privacy Controls
- Data classification and handling requirements are documented
  Verify confidential and personal data handling rules are defined for the scoped environment.
- Encryption at rest and in transit is implemented where required
  Confirm encryption controls are enabled for systems and data in scope.
- Data retention and disposal controls are followed
  Check retention schedules and secure disposal evidence for records in scope.
- Privacy requests or incidents are tracked to closure
  Verify privacy-related requests, complaints, or incidents are documented and resolved.
Evidence Quality, Exceptions & Sign-Off
- Exceptions and deficiencies are documented with owners and due dates
  Record any non-conformance, deficiency, or missing evidence discovered during the self-test.
- Corrective actions have been assigned
  Confirm remediation owners and target dates are assigned for all open issues.
- Inspector attestation
  Inspector confirms the worksheet was completed based on available evidence and observed results.