SOC 2 for BPOs: What Type II Actually Tests
SOC 2 Type II is now the procurement gate for almost every US enterprise client a BPO wants to win. The audit isn't about whether your controls exist on paper. It's about whether they ran consistently for the past twelve months. A 2026 operator read of the AICPA framework.

Sami Akhtar
Security & Compliance Advisor, FrontLine · Published May 23, 2026
A US healthcare client is six weeks into procurement with a 400-agent Canadian BPO (Business Process Outsourcing: a firm that runs contact-centre operations on behalf of other brands). The technical evaluation is going well. The pricing is reasonable. Then the security review lands and the question comes back: "Please provide your most recent SOC 2 Type II report." The BPO has SOC 2 Type I from last year. The procurement team's response, polite but immovable: "We require Type II. We can revisit in twelve months once you have it."
This is how almost every enterprise procurement now ends for BPOs without SOC 2 Type II. The framework has effectively become the procurement gate for selling into regulated US enterprise. Understanding what it is, why Type II specifically, and what the audit actually tests is the difference between a six-month delay and a closed deal.
What SOC 2 is
SOC 2 is an attestation framework maintained by the AICPA (American Institute of Certified Public Accountants). It is performed under SSAE No. 18, specifically AT-C Sections 105 (concepts common to all attestation engagements) and 205 (examination engagements).
The framework evaluates controls against the AICPA's Trust Services Criteria. The current version of the criteria is the 2017 TSC with a Points of Focus update in 2022: "2017 Trust Services Criteria With Revised Points of Focus, 2022". The 2022 update revised the supporting points of focus only; the underlying criteria from 2017 were not changed.
A SOC 2 report is issued by an independent licensed CPA firm and attests to the design (Type I) or operating effectiveness (Type II) of an organisation's controls. It is not a certification, despite how it's frequently marketed. The AICPA does not certify anyone. The auditor issues an opinion that, in the auditor's judgment, the controls are designed and operating effectively against the criteria.
The full SOC Suite of Services landing page is the AICPA's own reference point for the framework, including the distinction between SOC 1 (financial reporting controls), SOC 2 (Trust Services Criteria, restricted-use report), and SOC 3 (general-use summary of a SOC 2).
The five Trust Services Criteria
Every SOC 2 report includes the Security criterion (also called the Common Criteria). It's not optional. The other four are elective based on the scope agreed between the audited entity and the auditor:
Security (Common Criteria, mandatory). Protection of system resources against unauthorised access, use, modification, and disclosure. Most of the audit work happens here. Covers logical and physical access, system operations, change management, and risk management.
Availability. The system is available for operation and use as committed or agreed. Relevant when the BPO's service-level agreements with clients include uptime commitments.
Confidentiality. Information designated as confidential is protected. Relevant when BPOs handle client trade secrets, proprietary data, or commercially sensitive information.
Processing Integrity. System processing is complete, valid, accurate, timely, and authorised. Relevant when the BPO's role includes data transformation or transaction processing where output correctness matters.
Privacy. Personal information is collected, used, retained, disclosed, and disposed of according to commitments and criteria. Relevant when the BPO handles consumer PII on behalf of an end client.
Common scoping for BPOs. AICPA doesn't publish scoping statistics by industry, but the industry pattern is well-established: BPOs almost always scope Security plus Availability plus Confidentiality. Privacy gets added when handling consumer PII (most BPOs serving regulated US enterprise). Processing Integrity is rare in BPO scopes because the BPO's role is usually service delivery rather than data transformation. Confirm scoping with your auditor before the engagement starts; expanding scope mid-audit is expensive.
Type I vs. Type II, and why buyers ask for Type II
A SOC 2 Type I report attests to the design of controls at a specific point in time. The auditor evaluates whether the controls are suitably designed to meet the criteria.
A SOC 2 Type II report attests to the design and operating effectiveness of controls over a period of time (the observation period or audit window). The auditor evaluates whether the controls operated effectively throughout the period.
The distinction matters because the value of the report to a buyer is the evidence that controls actually worked over time, not just that they were documented on the audit day. The AICPA does not prescribe a minimum observation period, but a 6- to 12-month observation period is the industry norm for Type II. A 3-month observation period is the practical floor accepted by most auditors for first-year engagements. Anything shorter typically gets the report flagged in client security reviews.
AICPA does not publish a position that Type II is preferred over Type I. That said, the pattern in enterprise procurement is overwhelming. By 2026, almost every US enterprise client a BPO wants to serve will require Type II. Type I is widely treated as a stepping stone in year one toward Type II in years two and beyond. Treating Type I as the destination is a strategic miscalculation; it produces a report that satisfies almost no enterprise security review.
The audit process and timeline
SOC 2 audits must be performed by a licensed CPA firm. In the United States, this means a firm registered with a US state board of accountancy and operating under AICPA professional standards. In Canada, the equivalent work is performed under CSAE 3000 by CPA Canada-licensed practitioners, often with cross-jurisdictional engagement teams when the report needs to satisfy US client expectations.
A first-year SOC 2 Type II engagement typically runs 12 to 18 months end-to-end. The phases:
Scoping and readiness assessment (1–3 months). Define the system boundary, which TSC are in scope, which controls map to which criteria. Identify gaps. Build the remediation plan. This is the phase where most of the actual work happens.
Remediation (3–6 months, in parallel with the start of the observation period). Close the gaps identified in readiness. Operationalise controls that were documented but never actually run. Build the evidence collection mechanics.
Observation period (3 months minimum, 6–12 typical). The audited period during which controls must operate as documented. The auditor will sample evidence from across this window during fieldwork. Three to six months is common for first-year engagements that need to close quickly; twelve months becomes the norm in steady state.
Audit fieldwork (1–2 months). The auditor's evidence-gathering and testing work. Interviews, sample selection, walkthroughs, document review.
Report writing and delivery (1–2 months). Auditor opinion, management's assertion, system description, and the matrix of controls tested with results. Typical Type II reports run 80 to 120 pages.
The cost of a first-year Type II audit varies widely with scope and operation size. The auditor fees alone typically run $10,000 to $50,000 for a small-to-mid BPO; all-in first-year program cost (including readiness work, remediation, tooling, internal staff time) is usually $30,000 to $150,000. Renewals run lighter, typically $15,000 to $40,000 in auditor fees plus continuing internal investment. These figures are industry-reported ranges from audit firms; AICPA does not publish official benchmarks.
What auditors actually find at BPOs
The same handful of findings recur across BPO SOC 2 engagements. Four account for most of what gets flagged in first-year reports.
Access reviews not consistently performed. The control is documented ("quarterly access reviews of all production systems"). The reviews actually happen unevenly. Some quarters get reviewed, some don't, and the evidence trail is incomplete. The auditor pulls a sample of quarters and the inconsistency surfaces.
Change management without ticket trails. Production changes happen but the ticket-and-approval discipline isn't tight. A change gets deployed, an approval gets backfilled, the ticketing system shows a gap between change and approval timestamps. The control as documented isn't running as designed.
Vendor management gaps. The BPO has sub-processors (cloud providers, payment processors, communications platforms) but the documented sub-processor review process isn't being executed. Annual reviews aren't actually annual. SOC 2 reports from sub-processors aren't being collected and tracked.
Incident response not tested. The plan exists. It hasn't been tested in twelve months. The auditor will ask for the last tabletop or simulation and the answer is something like "we'll do one this quarter."
The pattern across all four: the control exists on paper, but the discipline doesn't operate in practice. The fix is the same in each case: the operational habit has to be at least as tight as the documentation, and the evidence trail has to show it. A documented control without operational discipline is the most common failure mode and the most common reason a Type II engagement comes back with qualified findings.
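Two of the four findings above (access reviews that skip quarters, and change approvals that are missing or backfilled after deployment) can be caught before the auditor does by running the same test the auditor runs over your own evidence. The script below is an added example, not code from the article or from any audit firm; the record layouts, field names and sample data are constructed assumptions about what a ticketing system and an access-review register export, and the observation window is the calendar year used for the constructed records.

```python
"""
Self-checks for two recurring SOC 2 Type II findings: missing quarterly access
reviews and change tickets whose approval is absent or post-dates deployment.
Added example; record shapes and sample values are constructed assumptions.
"""
from datetime import date, datetime

# Constructed sample: one row per completed quarterly access review, keyed by the
# quarter it covers and the date the reviewer signed it off.
ACCESS_REVIEWS = [
    {"quarter": "2025-Q1", "signed_off": "2025-04-10"},
    {"quarter": "2025-Q2", "signed_off": "2025-07-02"},
    # Q3 deliberately absent: the "some quarters get reviewed, some don't" pattern.
    {"quarter": "2025-Q4", "signed_off": "2026-01-15"},
]

# Constructed sample: change tickets exported from a ticketing system with the
# deployment timestamp and the approval timestamp (None when never approved).
CHANGE_TICKETS = [
    {"id": "CHG-101", "deployed": "2025-09-03T14:05:00", "approved": "2025-09-02T16:30:00"},
    {"id": "CHG-102", "deployed": "2025-09-10T09:00:00", "approved": "2025-09-10T11:45:00"},
    {"id": "CHG-103", "deployed": "2025-09-18T08:00:00", "approved": None},
]


def quarters_in_window(start, end):
    """Return every calendar quarter label ('YYYY-Qn') that overlaps [start, end]."""
    labels = []
    year, q = start.year, (start.month - 1) // 3 + 1
    last = (end.year, (end.month - 1) // 3 + 1)
    while (year, q) <= last:
        labels.append(f"{year}-Q{q}")
        q += 1
        if q == 5:
            year, q = year + 1, 1
    return labels


def missing_access_reviews(reviews, start, end):
    """Quarters inside the observation window with no signed-off access review."""
    completed = {r["quarter"] for r in reviews if r.get("signed_off")}
    return [q for q in quarters_in_window(start, end) if q not in completed]


def unapproved_or_backfilled_changes(tickets):
    """Tickets with no approval, or whose approval is timestamped after deployment."""
    findings = []
    for t in tickets:
        deployed = datetime.fromisoformat(t["deployed"])
        if t["approved"] is None:
            findings.append((t["id"], "no approval recorded"))
            continue
        approved = datetime.fromisoformat(t["approved"])
        if approved > deployed:
            # Approval entered after the change went live: the control ran out of order.
            findings.append((t["id"], f"approval backfilled {approved - deployed} after deployment"))
    return findings


if __name__ == "__main__":
    window_start, window_end = date(2025, 1, 1), date(2025, 12, 31)
    print("Quarters without a completed access review:",
          missing_access_reviews(ACCESS_REVIEWS, window_start, window_end))
    for ticket_id, reason in unapproved_or_backfilled_changes(CHANGE_TICKETS):
        print(f"{ticket_id}: {reason}")
```

Run this monthly against the real exports rather than once before fieldwork: the point of Type II is that the control operated all year, and a gap found in month ten can still be documented and explained, while one found by the auditor becomes an exception in the report.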
The bridge letter
A SOC 2 Type II report covers a specific observation period. When that period ends, the report is still valid evidence but only for the period it covers. Clients reviewing the report after the period ends will sometimes ask for confirmation that nothing material has changed since the audit window closed.
The instrument that answers that ask is a bridge letter (sometimes called a gap letter). It's issued by the audited entity's management, not by the auditor, because auditor independence prevents a CPA firm from attesting to a period outside the one they tested. Your management writes the letter on its own letterhead, stating that no material changes to the control environment occurred between the end of the audit period and the date of the letter.
Bridge letters typically cover a gap of up to three months. Beyond that the relevance drops sharply, and most enterprise security teams will push back for an updated audit. AICPA has not published formal guidance on bridge letters; they are an industry convention rather than a standard.
If your audit window closes December 31 and your next Type II report won't be ready until late next year, a bridge letter covering January through March is reasonable. One covering an entire year is not. Continued control discipline is the real evidence; the audit cadence has to keep up.
How SOC 2 compares to related frameworks
Three frameworks come up alongside SOC 2 in enterprise security reviews, often with overlapping requirements but different audit posture.
ISO 27001. International standard for information security management systems (ISMS). Process-oriented rather than control-effectiveness-oriented. Maps closely to SOC 2; the NIST AICPA TSC crosswalk shows roughly 80% overlap between SOC 2 controls and ISO 27001 Annex A. Many BPOs serving both US and EU clients carry both. The audit work for the second is substantially less than for the first because of the overlap.
HITRUST CSF. Healthcare-industry-focused framework. Required by some US healthcare clients beyond SOC 2. Heavier on healthcare-specific controls. BPOs serving healthcare clients sometimes find they need both SOC 2 and HITRUST for the same scope.
FedRAMP. Required only if the BPO is providing services to US federal agencies. The audit posture is significantly heavier than SOC 2 and the timeline runs years rather than months. Not relevant to most commercial BPOs.
SOC 1. Different framework, sometimes confused. SOC 1 addresses internal controls over financial reporting (ICFR) and is relevant when the BPO's services materially affect a client's financial statements. Most BPOs need SOC 2; some need both SOC 1 and SOC 2 depending on which client functions they support.
Sources
SOC 2 is governed by the AICPA. Authoritative references below. Where a figure (cost, timeline, observation-period minimum) cannot be sourced directly to AICPA, the article labels it as industry-reported.
SSAE 18. AICPA Statement on Standards for Attestation Engagements No. 18. The attestation standard SOC 2 examinations are performed under; specifically AT-C Sections 105 and 205. AICPA landing page; PDF behind download form.
Trust Services Criteria. 2017 Trust Services Criteria With Revised Points of Focus, 2022. The current criteria document. The 2022 update revised supporting points of focus only; underlying criteria from 2017 unchanged.
SOC Suite landing page. System and Organization Controls: SOC Suite of Services. The AICPA's reference point for the SOC 1 / SOC 2 / SOC 3 distinction and the broader framework.
Canadian equivalent. CPA Canada SOC 2 guide. CPA Canada's adaptation of the AICPA guide for Canadian practitioners; CSAE 3000 is the Canadian attestation standard SOC 2 is performed under in Canada.
TSC crosswalks. NIST: AICPA Trust Services Criteria crosswalk. NIST's mapping of the 2017 TSC to the NIST Privacy Framework. Useful for organisations carrying multiple framework certifications.
Observation period. AICPA does not prescribe a minimum observation period for SOC 2 Type II. The 3-month floor and 6-to-12-month norm cited in this article reflect audit-firm convention, not an AICPA standard.
Type II preference. AICPA does not publish a position on Type I vs. Type II adoption. The procurement-gate observation is industry-reported pattern.
Cost benchmarks. AICPA does not publish auditor fee benchmarks. The $10,000–$50,000 auditor fees and $30,000–$150,000 all-in program cost figures reflect audit-firm price guidance and engagements I've observed.
Common findings. AICPA does not publish BPO-specific or industry-specific common findings statistics. The four findings flagged in this article (access reviews, change management, vendor management, incident response testing) are widely reported by audit firms as the most common SOC 2 first-year findings across industries.
Bridge letter. AICPA has not published formal guidance on bridge letters. The convention described in this article is industry practice, not an AICPA standard.
This article is not legal advice and not a substitute for an audit engagement. Specific applicability to your operation requires assessment by a licensed CPA firm. The article is the operator's read from someone who's helped BPOs stand up SOC 2 readiness.

Sami Akhtar
Security & Compliance Advisor, FrontLine
Security and compliance specialist with deep experience helping BPOs navigate PCI DSS, SOC 2, and cross-border privacy regimes. Writes the FrontLine compliance series.