SOC 2 audit firms are regulated by the AICPA, and they are required to be independent CPAs. The SOC 2 auditor you choose to work with will examine your controls (which will include evidence collection) to determine whether they are functioning properly. Documents that the auditor may review include:
- Organizational charts
- Inventory of assets
- Processes for onboarding and offboarding
- Processes for managing change