SOC 2 gap analysis: finding deficiencies before the auditor does
A gap analysis (often called a readiness assessment) measures your current controls against the Trust Services Criteria so you can fix problems before a CPA puts them in an audit report. Here is what it covers, who performs it, and the deliverables to expect.
What a gap analysis actually is
A SOC 2 gap analysis is a structured comparison of your organization's current control environment against the AICPA Trust Services Criteria you intend to be examined against. The terms "gap analysis" and "readiness assessment" are used almost interchangeably in practice, though some consultants reserve "readiness assessment" for a broader engagement that also defines scope and builds a remediation roadmap. The exercise looks at three things at once: whether a required control exists at all, whether it is documented in policy, and whether you can actually produce evidence that it operates. It is diagnostic work, not an opinion, so the output is a punch list of deficiencies rather than a report you can hand to a customer. Done early, it turns the audit from a stressful discovery process into a confirmation exercise.
How it differs from the formal audit
The most important distinction is independence and output. A SOC 2 audit is performed by a licensed CPA firm and culminates in an attestation report containing the auditor's opinion: for a Type 1, whether your controls are suitably designed as of a point in time; for a Type 2, whether they are suitably designed and operating effectively over a defined period. A gap analysis produces no opinion and no report you can share externally; it is an internal-facing diagnostic that can be run by your own team, a GRC consultant, or surfaced automatically by a compliance platform. Critically, whoever performs your gap analysis can advise you on remediation and even help write the missing policies, whereas your audit firm must preserve independence: it cannot design, implement, or operate the controls it later attests to, and management must remain responsible for every control decision. Some CPA firms will perform a readiness assessment and then the audit, but only within those limits, so confirm up front how your auditor handles it. Treating the gap analysis and the audit as the same thing is a common and expensive mistake.
What the assessment covers
A thorough gap analysis begins by confirming scope: which Trust Services Criteria apply (Security is mandatory; Availability, Confidentiality, Processing Integrity, and Privacy are optional) and where the system boundary sits, including which products, environments, and supporting vendors are in play. From there it works through the Common Criteria and any selected categories, checking access management, change management, risk assessment, monitoring, incident response, and vendor oversight. For each requirement it classifies the state of play: control missing, control present but undocumented, documented but unenforced, or operating but with no retrievable evidence. The last category catches teams off guard most often, because a control that works but leaves no audit trail will still draw a Type 2 exception: the auditor asks for the full population of events over the period (every production deploy, every access review, every offboarded user), selects a sample, and expects an artifact for each sampled item. If you cannot produce the population or the artifact, the control is treated as not operating, regardless of how diligently the team actually performed it. A practical check during the gap analysis is to pick a handful of past events for each control and try to retrieve the evidence cold. The assessment also flags overlapping or redundant controls that can be consolidated.
Who performs it and the typical outputs
You have three broad options, and they are not mutually exclusive. An internal team that knows the environment well can run it cheaply but risks blind spots and optimistic self-grading. An independent GRC consultant or advisory CPA brings auditor-aligned judgment about what evidence will actually satisfy a reviewer. Compliance platforms such as Vanta, Drata, Secureframe, or Sprinto generate a continuous readiness view by mapping integrated systems to control tests, though they tend to be stronger on technical, automatable controls than on judgment-heavy policy work. A good engagement produces four deliverables: a gap report with each finding mapped to a specific criterion, a scope statement, a prioritized remediation roadmap, and an estimate of the time and effort to reach audit-ready.
Why it de-risks the audit and who needs it most
The economic case is straightforward: deficiencies caught in a gap analysis become quiet remediation items, while the same deficiencies caught during fieldwork become documented exceptions in a report your customers read. For a Type 2 in particular, finding a gap before the observation period starts means you can implement the control and accumulate a clean evidence trail across the full period, rather than producing only a few weeks of history; a control fixed mid-period is still reported as operating for only part of it. Organizations going through their first audit, and companies that have changed materially since their last report (new products, acquisitions, a cloud migration), benefit most. Organizations with a mature, platform-monitored program may compress the exercise into a continuous readiness check rather than a discrete project, but skipping it entirely before a first audit is rarely wise.