The SOC 2 Type II Examination Playbook for Assurance Seniors

$199.00

A focused course, tailored for you

Run the full SOC 2 Type II examination cycle independently, from population design through the practitioner's report.

The population request for logical access came back with 37 rows when the client's IAM team said there were 12 active provisioners. Someone provisioned 25 accounts outside the quarterly review cycle. Now it sits as an open item, the fieldwork window closes in four days, and the engagement manager wants a classified exception in the workpaper, not another evidence request to the client.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Senior Assurance Associates executing SOC 2 engagements run into the same classification decision at the same place in every fieldwork cycle: is this exception a deviation, a design gap, a scope limitation, or a compensating-control situation? The AICPA guidance describes the categories. It does not tell you how to make the call in the workpaper when the client's access list disagrees with their HR system, or when a change was deployed by the same person who approved it, or when a backup restoration test was not performed because the backup vendor was mid-migration. Those are judgment calls. Most senior associates learn them by watching engagement managers make them and asking questions after the review notes come back. This course writes that judgment layer down.

What you walk away with

  • Design and validate populations for attribute sampling that meet AICPA completeness standards.
  • Classify exceptions as deviations, design gaps, or scope limitations before escalating to the engagement manager.
  • Write workpaper documentation for each Trust Services Criteria control family that holds up under AICPA peer review.
  • Navigate logical access and change management testing end to end, from evidence request through exception memo.
  • Draft the Type II practitioner's report and identify the conditions that require a qualified opinion.
  • Run the engagement wrap process including the deficiency conversation with management and the final billing checklist.

The 12 modules

Module 1. SOC 2 Engagement Architecture
The engagement letter and scope definition fix the examination boundaries before fieldwork starts. This module walks through the critical decisions made at engagement inception: system boundary determination, carve-out versus inclusive reporting, management's system description responsibilities, and the practitioner's planning documentation. You leave with a scope memo structure and a checklist of pre-fieldwork questions that prevent scope disputes after testing has begun.
Module 2. Trust Services Criteria Mapping
The five Trust Services Criteria categories are Security, Availability, Processing Integrity, Confidentiality, and Privacy. This module covers how to determine which categories are in scope for a specific service organization, how to map client controls to the applicable sub-criteria, and how to document the mapping in the planning workpaper. Includes worked examples across SaaS, infrastructure, and data processing service organizations with contrasting scope determinations.
Module 3. System Description Review
Management's system description is the reference document for everything in the examination. This module teaches how to evaluate completeness and accuracy: checking system components, subservice organizations, the system boundary, and complementary user entity controls. You learn the assertion categories the practitioner must evaluate, the evidence patterns that confirm management's representations, and the documentation structure that closes the system description review workpaper.
Module 4. Control Design Evaluation
A control that exists but cannot prevent or detect the relevant risk has a design gap, not an operating effectiveness gap. This module covers how to distinguish between the two, how to structure a control design evaluation note under COSO, how to identify the control's relationship to the relevant TSC sub-criterion, and when a design gap requires escalation before sampling begins. Worked examples from logical access and change management control families.
Module 5. Population Development and Completeness Testing
The sampling population must be complete before you can draw a valid sample. This module covers how to obtain the population from source systems, how to test completeness using reconciliation to independent records, what to do when the client's user directory and HR system disagree on headcount, and how to document the population completeness test. Includes a worked example for a logical access provisioning population with a 10 percent variance between source systems.
Module 6. Sampling Methodology under AICPA AT-C 205
Attribute sampling for SOC 2 requires a documented basis: tolerable deviation rate, expected deviation rate, and the resulting sample size. This module walks through the sampling decision tree under AICPA AT-C 205, the difference between judgmental and statistical sampling, how to justify your sample size in the workpaper, and what happens to the deviation rate calculation when exceptions appear mid-sample. Includes sampling calculators in the downloadable templates.
Module 7. Logical Access Controls Testing
Provisioning, deprovisioning, privileged access, and periodic access reviews are the four logical access control families tested in most SOC 2 engagements. This module provides evidence request templates for each family, testing procedures calibrated to TSC CC6.1 through CC6.3, and a worked walkthrough of a logical access exception from discovery through exception memo. Covers the documentation patterns that distinguish a deviation from a scope limitation in logical access testing.
Module 8. Change Management Controls Testing
Change management controls testing covers the full software development lifecycle from request through deployment. This module addresses how to test for unauthorized changes, how to verify segregation of duties in the deployment approval chain, and how to document emergency change exceptions. You work through the evidence request for a change management population, apply the sampling plan from Module 6, and write the exception classification when a deployer approved their own code.
Module 9. Computer Operations and Monitoring Controls
Backup and recovery, job scheduling, and incident response are the computer operations control families most frequently tested. This module covers the testing procedures for each family, the evidence types that support conclusions on availability and continuity commitments, and how to evaluate monitoring controls against TSC A1 and CC7 criteria. Includes a worked walkthrough of a backup restoration test exception and the correct workpaper language for documenting the evaluation conclusion.
Module 10. Exception Handling and Workpaper Closure
An exception discovered during testing requires a documented conclusion: is it a deviation, a control deficiency, or a scope limitation? This module covers the exception classification framework, the deviation rate calculation and tolerable deviation rate comparison, how to evaluate compensating controls, and how to write the exception memo the engagement manager and partner will review. You work through three scenarios with different outcomes and learn the workpaper language for each.
Module 11. The Type II Report and Opinion Drafting
The practitioner's report has four components: the system description, management's assertion, the practitioner's report on the description, and the practitioner's report on controls. This module walks through each component, required and optional language, the conditions under which a qualified opinion is required, and how testing results map to report conclusions. You draft a simplified Type II report from a fictional engagement's testing results with a documented evaluation file.
Module 12. Client Communication and Engagement Wrap
The final phase of a SOC 2 engagement involves the deficiency conversation with management, final evidence confirmation, late response handling, and the wrap checklist. This module covers how to structure the deficiency communication, how management's response affects the report, the final evidence review procedures, and the close-out documentation that confirms all open items are resolved before the report is issued and the engagement is billed and filed.
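The two mechanics that Modules 5 and 6 describe, population completeness reconciliation and attribute-sample sizing with a tolerable deviation rate comparison, can be made concrete in a few functions. The following is an added illustration, not course material or a template from the course: it reconciles a constructed IAM provisioning export against a constructed set of approval tickets (the independent record), sizes an attribute sample under standard binomial attribute-sampling statistics (an assumption; the course's own calculators and any firm tables are not reproduced here), and computes the achieved upper deviation limit to compare against the tolerable rate. All account names, ticket references and rates are invented sample values.

```python
"""Population completeness reconciliation and attribute-sampling evaluation.

Added illustration (not course material): reconcile an IAM provisioning export
against an independent record, size an attribute sample, and compare the
achieved upper deviation limit with the tolerable deviation rate.
"""
from math import comb

# Constructed sample data (not client data): accounts the IAM export says were
# provisioned in the examination period. A ticket of None means the export
# carries no approval reference for that account.
IAM_EXPORT = [
    {"user": "a.lopez",   "provisioned": "2024-01-09", "ticket": "REQ-1041"},
    {"user": "b.chen",    "provisioned": "2024-01-15", "ticket": "REQ-1058"},
    {"user": "svc-etl",   "provisioned": "2024-02-02", "ticket": None},
    {"user": "c.okafor",  "provisioned": "2024-02-20", "ticket": "REQ-1102"},
    {"user": "d.ivanov",  "provisioned": "2024-03-01", "ticket": "REQ-1130"},
    {"user": "tmp-admin", "provisioned": "2024-03-11", "ticket": None},
]

# Constructed independent record: approved access-request tickets for the same period.
TICKETS = {
    "REQ-1041": {"user": "a.lopez",  "approved_by": "mgr.kim"},
    "REQ-1058": {"user": "b.chen",   "approved_by": "mgr.kim"},
    "REQ-1102": {"user": "c.okafor", "approved_by": "mgr.ruiz"},
    "REQ-1130": {"user": "d.ivanov", "approved_by": "mgr.ruiz"},
    "REQ-1137": {"user": "e.nair",   "approved_by": "mgr.ruiz"},  # approved, never provisioned
}


def reconcile(iam_export, tickets):
    """Two-way completeness test between the IAM population and the independent record.

    unsupported:   provisioned in IAM with no matching approval ticket; a population
                   item with no independent support and therefore an exception candidate.
    unprovisioned: approved ticket with no IAM account; a reconciling difference the
                   workpaper must explain, not a provisioning exception in itself.
    """
    ticket_users = {t["user"] for t in tickets.values()}
    iam_users = {row["user"] for row in iam_export}
    unsupported = [
        row["user"] for row in iam_export
        if row["ticket"] is None
        or row["ticket"] not in tickets
        or tickets[row["ticket"]]["user"] != row["user"]
    ]
    unprovisioned = sorted(u for u in ticket_users if u not in iam_users)
    return {
        "population": len(iam_export),
        "matched": len(iam_export) - len(unsupported),
        "unsupported": unsupported,
        "unprovisioned": unprovisioned,
    }


def acceptance_probability(n, k, p):
    """P(at most k deviations in a sample of n) when the true deviation rate is p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(tolerable_rate, expected_deviations, risk):
    """Smallest n such that, if the true rate equalled the tolerable rate, observing no
    more than `expected_deviations` would have probability <= risk.
    Assumption: plain binomial attribute-sampling statistics; for 10% tolerable,
    5% risk and 0 or 1 expected deviations this yields 29 and 46 respectively."""
    n = expected_deviations + 1
    while acceptance_probability(n, expected_deviations, tolerable_rate) > risk:
        n += 1
    return n


def upper_deviation_limit(n, deviations, risk, precision=1e-6):
    """Achieved upper deviation limit: the highest true rate still consistent, at the
    stated risk, with seeing `deviations` in a sample of n (bisection on the binomial)."""
    lo, hi = 0.0, 1.0
    while hi - lo > precision:
        mid = (lo + hi) / 2
        if acceptance_probability(n, deviations, mid) > risk:
            lo = mid  # this rate is still plausible, so the limit lies above it
        else:
            hi = mid
    return hi


def evaluate_sample(n, deviations, tolerable_rate, risk):
    """Compare the sample result with the tolerable rate and state the workpaper conclusion."""
    upper = upper_deviation_limit(n, deviations, risk)
    supports = upper <= tolerable_rate
    return {
        "sample_rate": round(deviations / n, 4),
        "upper_limit": round(upper, 4),
        "conclusion": ("sample supports operating effectiveness" if supports
                       else "upper limit exceeds tolerable rate: evaluate deficiency and escalate"),
    }


if __name__ == "__main__":
    print(reconcile(IAM_EXPORT, TICKETS))
    n = sample_size(tolerable_rate=0.10, expected_deviations=0, risk=0.05)
    print("sample size:", n)
    print(evaluate_sample(n, 0, 0.10, 0.05))
    print(evaluate_sample(n, 1, 0.10, 0.05))
```

The reconciliation runs in both directions on purpose: the accounts with no ticket are the items that go to the exception memo, while the approved-but-never-provisioned ticket is a reconciling difference that explains the headcount gap between the two sources without being a provisioning deviation. On the sampling side, a single deviation in a sample sized for zero expected deviations pushes the achieved upper limit well past the tolerable rate, which is the situation the Module 6 text refers to when exceptions appear mid-sample.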

How this addresses your situation

Specific modules that map to what you said you are dealing with.

  • You have been assigned the IT controls section of a SOC 2 engagement and have never run a population completeness test without a more senior practitioner present.
  • Your exception memo was pushed back because the engagement manager disagreed with your deviation rate classification and you do not have a documented framework for making that judgment independently.
  • You are preparing for a peer review and need your workpapers to stand on their own without verbal explanation to the reviewer.
  • You have been asked to draft the Type II opinion section and are not confident about where the qualified versus unqualified threshold sits.

What you get with this course

  • 12 written modules with worked examples drawn from SOC 2 Type II engagement scenarios.
  • Downloadable templates: population tracking worksheets, attribute sampling calculators, exception memo structures, and evidence request templates for logical access and change management control families.
  • The hand-built SOC 2 implementation playbook, delivered alongside course access and tailored to your engagement cycle.

What you will have in hand by Day 1, Week 1, Month 1

Immediate access to all 12 written modules and downloadable templates on purchase.

Hand-built implementation playbook delivered within 24 hours alongside course access.

No scheduled sessions. Most practitioners complete one to two modules per day during a gap between engagements.

Before and after

Before

Judgment calls on exception classification go to the engagement manager because there is no written framework for making them independently, and every peer review comment that comes back on your workpapers requires a verbal explanation.

After

You run population development, sampling, testing, exception classification, and workpaper closure without escalating the judgment calls, and your documentation holds up under AICPA peer review without verbal supplementation.

What happens if you do not address this

The SOC 2 examination methodology gap surfaces at exactly the moment you are expected to be the senior voice on the engagement. Fielding a partner pushback on your deviation rate classification without a documented framework is a career conversation that does not need to happen.

Who it is for

Senior Assurance Associates and senior auditors in external audit practices who have been running controls testing sections for two to four years and are now expected to make independent judgment calls on exception classification, sampling design, and workpaper closure without escalating every decision. Specifically, practitioners executing SOC 2 Type I and Type II engagements who need to understand the examination mechanics well enough to own a controls testing section from planning through the practitioner's report.

Who this is NOT for. Partners and managers who review rather than execute fieldwork. Associates in their first engagement who have not yet run a controls testing section independently. Internal auditors working under IIA standards rather than AICPA AT-C 205 and SSAE 18. Professionals seeking CPE credit who are not currently executing SOC 2 examinations in their role.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Eight to ten hours across the 12 modules, structured for working practitioners who complete one to two modules per day during a slow period or over a long weekend between engagements.

Why $199 is the right number

AICPA guidance and the SOC for Service Organizations publications give you the standards but not the practitioner judgment layer. Firm-internal training covers the mechanics but rarely documents the exception classification decisions that generate partner review notes. This course covers the gap: the judgment calls between the standard and the signed workpaper.

FAQ

Is this for SOC 2 only or does it cover SOC 1 as well?
The judgment framework modules covering population development, sampling, and exception classification are directly transferable to SOC 1 and ISAE 3402 engagements. Modules 2 and 11 are SOC 2-specific. The remaining ten modules apply to both.
Does this assume a specific firm's methodology or does it work across firm types?
The methodology is based on AICPA AT-C 205 and SSAE 18, which govern all SOC examinations regardless of firm. Firm-specific workpaper formats vary. The judgment framework in this course is standard-based and applies across firm types.
How is this different from reading the AICPA SOC 2 guide?
The AICPA guide describes what the standard requires. This course shows how to execute the required procedures and document the judgment calls the guide does not spell out, including exception classification, deviation rate comparison, and the workpaper structures that hold up under peer review.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.