
SOC 2 Audit-Ready SOPs Without a Documentation Sprint

A SOC 2 auditor does not want pretty Notion pages. They want proof a control was executed. Owner-recorded guides with timestamped clicks are the cleanest evidence most auditors see all year.

Written by Charles Krzentowski, Co-founder, Capture
Published / pricing verified: May 2026
The numbers

- Library rebuild: 6 weeks (21 SOPs, owners trained)
- Audit coverage: 100% (controls with screen evidence)
- Audit follow-ups: 0 (versus 3 on documentation in the prior audit)
- Audit close: 2 weeks early (versus the planned window)
In 60 seconds

The short version.

A SOC 2 audit fails most often on documentation, not on controls. Teams have the controls. They cannot prove the controls run. The fix is owner-driven SOPs with screen evidence built in: each process owner records the workflow once, the recording carries timestamps and screenshots, and the artefact ships as both SOP and evidence pack at audit time. This is a six-week pattern that has produced 100% control coverage at a 38-person UK B2B fintech without writing a single new doc from scratch. AICPA publishes the [SOC 2 Trust Services Criteria](https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html) auditors test against.

01 · Section

The SOC 2 documentation gap nobody warns you about

Most early-stage UK companies prepare for SOC 2 by hiring a compliance vendor (Vanta, Drata, Secureframe) and spending six weeks on policies. Policies are the easy part. The vendor templates ninety percent of them.

The gap shows up in the audit fieldwork. The auditor asks for evidence that a specific control was executed in the audit period. Not the policy. The execution.

For Access Review (CC6.3), the auditor asks: "Show me your last quarterly access review, the list of users reviewed, and the actions taken." The team has done access reviews. The evidence is a screenshot from someone's Google Drive that may or may not match the policy timing.

For Change Management (CC8.1), the auditor asks: "Walk me through how a code change gets reviewed and deployed." The team has the process. The walkthrough is a senior engineer at a whiteboard for thirty minutes during the audit.

For Vendor Management (CC9.2), the auditor asks: "Show me how you onboard a new sub-processor." The team has done it. The evidence is a Notion page with five tabs, half describing the previous vendor.

These are not policy gaps. They are evidence gaps. The cost of closing them in audit week is roughly forty hours of senior leadership time per control. For a small team prepping for SOC 2, that is the bill that surprises everyone.

The fix that most teams reach for, "rewrite the SOPs", makes things worse. Eighteen SOPs at two hours each is thirty-six hours of writing for documentation that ages out two months later. AICPA's framework is clear: evidence is the artefact of the work, not a written description of the work.

A second wrinkle for UK-domiciled firms: where SOC 2 controls touch personal data, the ICO expects the same evidence under UK GDPR and the Data Protection Act 2018. An auditor reviewing CC6.7 and a regulator reviewing Article 32 want the same artefact. One artefact, two regulators, zero rewrites.

02 · Section

What auditors actually want, versus what teams write

An auditor's evaluation of evidence runs against three tests.

1. Was the process followed during the audit period? Pretty Notion pages do not answer this. A timestamped recording does. A click log does. A screenshot from the live system, dated, does. NNG's research on how web users scan rather than read applies to auditors too: they triage evidence in seconds, and a wall of prose loses to a labelled screenshot every time.

2. Is the process repeatable? A one-off Loom from January 2024 is not repeatable evidence. A guide that says "Owner: Linda; Last refresh: April 2026; Q1 access review attached" is. The auditor wants to know the same process ran in Q1, Q2, Q3, and Q4 of the audit period.

3. Can the process be operated without the author? The CFO recorded the SOP, then left, and the CFO who replaced her does not run the process the same way. Auditors call this "key-person dependency" and flag it under CC1.4.

The pretty Notion page passes none of these tests. The owner-recorded guide passes all three. After a 38-person UK B2B fintech rebuilt its SOP library in six weeks for SOC 2, the auditor's note read: "the cleanest SOC 2 evidence I have seen this year." The library was twenty-one guides, recorded by the process owners, with timestamps and screenshots embedded in each one. The full SOC for Service Organizations suite lays out exactly which control categories require this kind of operational evidence.

Auditor question: Show me how you reviewed user access in Q1
Wrong answer: "Here is the policy"
Right answer: "Here is the recorded review with timestamps, the user list as it was on 31 March, and the deprovisioning actions taken"

Auditor question: How does a code change get deployed?
Wrong answer: "Senior engineer walks the auditor through it"
Right answer: "Here is the recorded SOP with screen evidence of CI checks, the PR review, and the deploy step"

Auditor question: What happens when a sub-processor is added?
Wrong answer: "Here is the Notion page"
Right answer: "Here is the recorded vendor-onboarding guide and the evidence of the last three assessments"

03 · Section

The owner-driven SOP pattern

The pattern that produced 100% control coverage at a 38-person UK fintech runs on a single rule: the process owner records the SOP, not a central documentation team.

Three reasons this works.

1. The recording captures the actual process. A central writer interviewing the owner produces a description. The owner recording the workflow produces the workflow. The difference matters more than it sounds. The auditor can tell.

2. The maintenance loop is shorter. When the process changes (a new tool, a new approver, a new threshold), the owner re-records the affected step in two minutes. A central writer is a bottleneck that breaks the maintenance loop within a quarter.

3. Ownership is auditable. SOC 2 CC1.4 (defined within the SOC for Service Organizations suite) requires defined responsibilities. An SOP with a named owner who can be asked to demonstrate the process satisfies CC1.4 directly. An ownerless Notion page does not. The same logic carries over to UK GDPR Article 5(2) accountability.

The setup is straightforward.

Step 1. List the controls in scope. Most companies have between fifteen and thirty for a Type 2 audit. Each needs an owner and an SOP.

Step 2. Assign one owner per control. The person who runs the process today, not the person who wrote the policy. For Access Review, usually the IT lead (Trevor), not the CISO. For Vendor Management, usually Operations (Susan), not Legal.

Step 3. Each owner records the SOP once. The first one takes twenty-five minutes. The third takes ten. The owner runs the process as they would on a normal day, talks through the reasoning, and stops when the process ends.

Step 4. Re-record on process change. Change a step, re-record that step. The library stays current without a documentation sprint.

The tool used in the case study was a Chrome-extension capture flow that records clicks and screenshots automatically. Other tools work; the operating model matters more than the tool. What stops working is monolithic Notion pages that nobody owns.

04 · Section

How to record evidence as you go

The pattern above produces SOPs. The audit-week ask is for the SOP plus the evidence of recent execution. The trick is to make those the same artefact.

1. Timestamp the run. Every recording produces a timestamped artefact. When the access review runs in Q1, the owner records the run. The same recording is the SOP for Q2 and the evidence for Q1. Auditors love this because the SOP and the evidence are the same artefact, traceable to a date.

2. Capture the data view, not the code path. The evidence the auditor wants is the data the operator saw. A recording of the access review captures the user list as displayed in the IDP, the role assignments, and the deprovisioning actions. That is the evidence. The click sequence is the SOP.

3. Export as branded PDF for the evidence pack. Most audit platforms ingest PDF or HTML. Capture and similar tools export branded PDFs with timestamps, click counts, and step-by-step screen captures. The owner uploads each guide to the audit folder. No separate evidence compilation. NNG's work on legibility, readability and comprehension is a useful sanity check: an auditor reading on a second screen should not need a magnifying glass.

The compounding effect is the surprise. The first audit takes more work because the library is being built. The second audit takes a fraction of the time. One UK fintech running Monzo Business and GoCardless for treasury told us their second-year audit cost roughly £18,000 versus £42,000 the prior year. The library did the work.

If your team has not yet picked the documentation tool, the best Scribe alternatives 2026 roundup covers the seven candidates auditors most often see in evidence packs. The customer-facing pattern is in the customer onboarding documentation guide.

05 · Section

The audit-week checklist

By audit week, the library should answer every standard auditor question without senior leadership writing new content. The checklist below is what closes the audit two weeks early.

  1. Every control has a named owner in the SOP metadata. The auditor asks "who runs this", the answer is in the artefact, not in someone's head.
  2. Every SOP has been refreshed in the last six months. Six months is the auditor's expected freshness. Older than that and the auditor pushes back.
  3. The most recent run is timestamped and matches the audit period. A Q1 access review recorded in Q2 is fine. A January recording with no Q3 update is not.
  4. The SOP and the evidence are the same artefact. The PDF in the evidence pack is the same guide the team uses to run the process. No discrepancy between policy and practice.
  5. Recording metadata is auditable. Click counts, timestamps, narrator audio if requested. The auditor can verify the recording is from the live system, not a recreation.
  6. The library has a single index page. "Start here" is a real page with twenty-one entries. One URL, one master list.
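The six checklist items are mechanical enough to run as a pre-audit lint over the library's metadata rather than eyeballing twenty-one PDFs the night before fieldwork. The script below is an added example written for this article, not Capture's code or any audit platform's API; the SOP record format, the owner names, the dates, the artefact paths and the six-month freshness window of 182 days are all constructed assumptions. It generalises item 3 slightly: when a control has a declared cadence (quarterly access review, say), it also flags a gap between recorded runs longer than that cadence, which is the "January recording with no Q3 update" case.

```python
"""Pre-audit lint for an SOP library against the six audit-week checklist items.

Added example for this article; the record format and all sample values are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: "refreshed in the last six months" is approximated as 182 days.
FRESHNESS = timedelta(days=182)


@dataclass
class SopRecord:
    """Metadata one would expect to sit alongside an owner-recorded guide (constructed format)."""
    control: str                      # SOC 2 criterion the SOP evidences, e.g. "CC6.3"
    title: str
    owner: Optional[str]              # item 1: named owner in the SOP metadata
    last_refresh: Optional[date]      # item 2: date the guide was last re-recorded
    run_dates: List[date]             # item 3: timestamps of recorded executions
    sop_artefact: str                 # item 4: the guide the team actually runs from
    evidence_artefact: str            # item 4: the file uploaded to the evidence pack
    has_timestamps: bool = False      # item 5: recording carries step timestamps
    click_count: int = 0              # item 5: recording carries a click count
    cadence_days: Optional[int] = None  # optional: expected interval between runs


def check_sop(rec: SopRecord, period_start: date, period_end: date, as_of: date) -> List[str]:
    """Return checklist items 1-5 that this SOP fails, as human-readable findings."""
    findings: List[str] = []
    if not rec.owner or not rec.owner.strip():
        findings.append("item 1: no named owner in SOP metadata")
    if rec.last_refresh is None or as_of - rec.last_refresh > FRESHNESS:
        findings.append("item 2: not refreshed in the last six months")
    in_period = sorted(d for d in rec.run_dates if period_start <= d <= period_end)
    if not in_period:
        findings.append("item 3: no timestamped run inside the audit period")
    elif rec.cadence_days:
        # Walk period start -> each run -> end of evidence window; any gap beyond the
        # declared cadence means a quarter (or whatever the cadence is) went unevidenced.
        checkpoints = [period_start] + in_period + [min(period_end, as_of)]
        for earlier, later in zip(checkpoints, checkpoints[1:]):
            gap = (later - earlier).days
            if gap > rec.cadence_days:
                findings.append(f"item 3: {gap}-day gap between runs exceeds {rec.cadence_days}-day cadence")
                break
    if rec.sop_artefact != rec.evidence_artefact:
        findings.append("item 4: SOP and evidence-pack artefact differ")
    if not rec.has_timestamps or rec.click_count <= 0:
        findings.append("item 5: recording metadata (timestamps, click count) missing")
    return findings


def check_library(records: List[SopRecord], index_entries: List[str],
                  period_start: date, period_end: date, as_of: date) -> Dict[str, List[str]]:
    """Lint every SOP and cross-check the 'Start here' index (item 6) in both directions."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        findings = check_sop(rec, period_start, period_end, as_of)
        if rec.control not in index_entries:
            findings.append("item 6: control missing from the 'Start here' index")
        if findings:
            report[rec.control] = findings
    for control in sorted(set(index_entries) - {r.control for r in records}):
        report[control] = ["item 6: index entry has no SOP record behind it"]
    return report


def run_sample() -> Dict[str, List[str]]:
    """Constructed library: one clean SOP, one neglected one, one stale one, one orphan index entry."""
    period_start, period_end, as_of = date(2025, 4, 1), date(2026, 3, 31), date(2026, 4, 15)
    records = [
        SopRecord("CC6.3", "Quarterly access review", "Trevor (IT lead)", date(2026, 3, 31),
                  [date(2025, 6, 30), date(2025, 9, 30), date(2025, 12, 31), date(2026, 3, 31)],
                  "guides/access-review.pdf", "guides/access-review.pdf",
                  has_timestamps=True, click_count=48, cadence_days=92),
        SopRecord("CC8.1", "Change management", None, date(2025, 8, 1),
                  [date(2025, 7, 15)],
                  "guides/change-mgmt.pdf", "evidence/change-mgmt-rewritten.pdf",
                  has_timestamps=True, click_count=0),
        SopRecord("CC9.2", "Sub-processor onboarding", "Susan (Operations)", date(2026, 2, 10),
                  [date(2025, 1, 20)],  # only run predates the audit period
                  "guides/vendor-onboarding.pdf", "guides/vendor-onboarding.pdf",
                  has_timestamps=True, click_count=31),
    ]
    index_entries = ["CC6.3", "CC8.1", "CC1.4"]  # CC9.2 never made the index; CC1.4 has no SOP
    return check_library(records, index_entries, period_start, period_end, as_of)


if __name__ == "__main__":
    for control, findings in run_sample().items():
        print(control)
        for f in findings:
            print("  -", f)
```

Run it as-is to see the sample report; in practice the records come from whatever metadata the guide tool exports, and the output is the list of controls that will generate auditor follow-ups unless fixed before fieldwork. Items 3 and 4, the two the article names as the usual culprits, are exactly the ones the neglected and stale records trip here.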

The audit-week pattern that does not close on time usually has at least four of these missing. Most commonly, items 3 and 4.

The three-line summary the COO used to scope the SOC 2 effort: ownership is auditable, screen evidence is auditable, and one re-recorded step is faster than rewriting a wiki page. Those three lines, applied to twenty-one controls, closed an audit two weeks ahead of schedule. For UK firms, the same library doubles as the operational record an ICO inspector would ask for under the Data Protection Act 2018.

Auditors do not want pretty Notion pages. They want proof a process is followed. A guide with timestamped clicks is proof.
COO, UK B2B fintech, Series A
FAQ

Frequently asked questions.

Does this approach work for SOC 2 Type 1 or only Type 2?

Both. Type 1 is a point-in-time test, so SOPs need to be recorded as-of the test date. Type 2 is a period test, which is where the timestamped pattern compounds: each quarterly run becomes evidence for the previous period and SOP for the next. Most UK teams build the library for Type 2 because the per-control investment amortises across the audit period.

How does this differ from using Vanta, Drata, or Secureframe?

The compliance platforms handle the policy templates, the control monitoring, and the evidence collection from connected systems (cloud, IDP, ticket system). They do not generate the SOPs themselves. The recording-first method fills that gap. UK teams typically run a compliance platform for monitoring and a guide tool for SOPs.

How does SOC 2 evidence overlap with UK GDPR and ICO expectations?

Heavily. UK GDPR Article 32 (security of processing) and Article 5(2) (accountability) both require dated evidence that controls run. The same recorded SOP that satisfies CC6.3 for SOC 2 typically satisfies the ICO ask for an Article 32 record. UK firms post-Brexit operate under UK GDPR and the Data Protection Act 2018, not EU GDPR. One library, two regulators.

How do we handle SOPs that involve sensitive data (PII, financial)?

Two approaches. First, redaction: most guide tools support blurring selected screen regions before the recording is published. Second, sandbox capture: record against a staging environment with synthetic data. Auditors and the ICO accept either as long as the SOP matches the production process and the redaction or sandbox is documented.

How long does it take to build the library from scratch?

The 38-person UK fintech in the case study built twenty-one SOPs in six weeks with one owner per SOP and one recording session per week. The pattern scales: a 60-person team with thirty SOPs runs the same window because work is parallel across owners. The bottleneck is owner availability, not recording time. Twenty-five minutes per SOP for the first attempt, ten by the third.

Take the next step

Ready to record SOPs that double as audit evidence?

Capture records the SOP, captures the screen evidence, and exports a branded PDF for the audit pack. Free Chrome extension, no signup. Each owner records once, the library updates one step at a time.
