Your SOC 2 Is In Progress, What Do You Tell Customers?
Somewhere between kickoff and the signed opinion, a customer will ask whether you have SOC 2. This is the honest playbook for that moment: what you can say at each stage, the interim evidence buyers accept, and the exact claims to avoid.
The one hard rule: SOC 2 is an attestation issued by a licensed CPA firm. Until that report exists, nothing is “certified” or “compliant” — but almost everything else about your progress can be shared.
Plain-English playbook · Honest by design · Last reviewed July 2026
While your SOC 2 is underway, you can honestly say exactly what is true — which stage you are in, the report type and period you are targeting, and who is engaged — and back it with readiness evidence. What you cannot do is claim to “be SOC 2” before a CPA firm has issued the report.

The question always lands mid-deal, usually inside a security questionnaire: do you have SOC 2? A SOC 2 is an attestation report that only a licensed CPA firm can issue, so there is no partial state you can claim — but there is a great deal you can show. Security reviewers do not punish in-progress status; they punish vagueness and overclaiming. The playbook below gives you the stage-by-stage vocabulary, the interim evidence that actually moves reviews forward, and sample language you can adapt without writing a sentence your auditor would wince at.
The Honest Vocabulary Ladder
Each stage of the journey has a sentence you can say without flinching. Climb the ladder as the facts change — never ahead of them:
| Stage | Where you are | What you can honestly say |
|---|---|---|
| Stage 1: Readiness / gap phase | Gap assessment and remediation underway; no examination has started. | “We are in SOC 2 readiness with [consultant], targeting a Type 1 / Type 2 examination.” |
| Stage 2: Review period running | Remediation done; the Type 2 observation window is open and controls are operating. | “Our Type 2 review period began [month]; the report is expected after [month].” |
| Stage 3: Fieldwork | The period has closed; the auditor is testing evidence and drafting. | “The examination is underway with an independent CPA firm.” |
| Stage 4: Report issued | The CPA firm has signed its opinion; the report exists. | “We hold a SOC 2 Type 2 report, available under NDA.” |
Three phrases are never on the ladder. “SOC 2 certified” — nothing in the SOC world is certified; a SOC 2 is an attestation report containing a CPA firm’s opinion, and there is no certificate at any stage. “SOC 2 compliant” before a report exists — there is no report to be compliant against. Badges and seals that imply a report you don’t hold — a logo on your website makes a claim just as loudly as a sentence does.
If you are still at stage 1, the fastest way to make the next rung true is to work the SOC 2 compliance checklist systematically — scope, gap assessment, remediation, then the examination.
What Buyers Will Accept in the Meantime
A security review is an evidence exercise, and the report is only its most convenient format. While yours is in progress, most reviewers will work with a substitute stack — shared under NDA:
- A readiness assessment summary or letter from your consultant — what was assessed, what was remediated, and the examination it points toward.
- The signed engagement letter with the CPA firm — the single strongest proof that the examination is real, scoped, and scheduled rather than aspirational.
- Your security policy set and completed questionnaire answers — most security reviews run on these long before a report enters the picture.
- A completed CAIQ or SIG — or the buyer’s own questionnaire — answered honestly, with open items marked as in-remediation rather than hidden.
- A penetration-test executive summary — independent technical evidence that exists today, not at the end of the review period.
- A call between your security lead and their reviewer — thirty minutes of candid answers routinely clears what documents alone cannot.
Be equally honest about the limits: some enterprise buyers will simply wait for the report, and others will accept contractual commitments instead — a security addendum with audit rights, breach-notification, and report-delivery obligations. Neither outcome is a failure; it is procurement doing its job. Since the question usually arrives inside a formal review, it pays to study the enterprise security questionnaire format before your first one lands.
Words You Can Adapt
Three examples — adapt, don’t copy-paste. Every bracket is a fact to fill in honestly, and every sentence should survive being read aloud to your auditor. Delete anything that isn’t true for you.
Example — security questionnaire status line
“SOC 2 Type 2 examination in progress. Readiness completed with an external consultant and remediation closed; our review period opened [month, year] under a signed engagement with an independent CPA firm. Report expected after the period closes. Readiness summary and policy set available under NDA.”
Example — trust-page paragraph
“We are pursuing a SOC 2 Type 2 attestation with an independent CPA firm. Our review period is underway, and the controls it covers — access control, change management, incident response, vendor management — are in operation today. We will note report availability here the day the opinion is issued.”
Example — email reply to “Do you have SOC 2?”
“Not yet — our SOC 2 Type 2 is in progress. The review period opened in [month], and fieldwork with an independent CPA firm follows it. In the meantime we can share our readiness summary, security policies, and completed CAIQ under NDA — and our security lead is happy to walk your team through them.”
Notice what all three do: they name the stage, the report type, the review period, and the independent CPA firm — and they offer evidence rather than adjectives. For the wider playbook on surviving security review while a deal is live, see SOC 2 for enterprise sales.
What Not to Do
Every one of these has torpedoed a real deal — usually months later, when the claim met the paperwork:
- Don’t buy a “SOC 2 certificate” from a non-CPA vendor — no such document exists. Only licensed CPA firms can issue SOC 2 reports, and a certificate from anyone else is worthless in a security review.
- Don’t post a compliance-platform dashboard screenshot as “proof” — the platform tracks your readiness; it is not the examination, and experienced reviewers know the difference instantly.
- Don’t claim a Type 2 when you hold only a Type 1 — the report type is printed on the opinion page, and buyers who read reports will catch it immediately.
- Don’t promise a hard report date you don’t control — “expected after the period closes in [month]” survives slippage; “you’ll have it on the 15th” does not.
- Don’t hide a qualified opinion you can see coming — if exceptions are likely, set expectations now. Customers forgive exceptions with remediation plans far more readily than surprises.
Assume every claim you make now will eventually be read against the report itself. Enterprise reviewers increasingly know how to read a SOC 2 report — the opinion page, the period, the exceptions — so the safest marketing strategy is for the report to confirm everything you said while it was in progress.
Why You Can’t Promise an Exact Date
A SOC 2 Type 2 has three sequential parts, and you fully control none of them. The review period must run its planned length — ending it early shrinks the very evidence the opinion rests on. Fieldwork starts only after the period closes, and its pace depends on how cleanly your evidence holds up. And drafting, quality review, and signing of the opinion sit with the CPA firm, not with you. A calendar date promised to a customer is therefore a promise made with someone else’s pen — offer stage-based updates instead, and let the SOC 2 timeline show buyers how the sequence fits together.
If the wait itself is the problem, a Type 1 can be a legitimate interim milestone: it examines whether your controls are suitably designed at a point in time, so it can be issued while the Type 2 review period is still running. That gives you a genuine CPA-issued deliverable mid-journey — the differences are laid out in Type 1 vs Type 2. For Indian SaaS companies selling into US enterprise, this mid-journey question is near-universal — deals mature faster than review periods close. Engagements run with Tranquility Cybersecurity pair readiness consultants with empanelled independent licensed CPA firms, so “who is engaged” always has a concrete answer.
SOC 2 In Progress — Common Questions
Honest answers for the months between kickoff and the signed opinion.
What can we say while our SOC 2 is in progress?
Exactly what is true, with specifics: which stage you are in (readiness, review period running, or fieldwork), the report type you are targeting (Type 1 or Type 2), when your review period opened, and that an independent licensed CPA firm is engaged. Specificity is what separates a credible in-progress answer from marketing — “our Type 2 review period began in March under a signed CPA engagement” earns trust; “we take security seriously and SOC 2 is coming soon” does not.
Can we say we are “SOC 2 compliant” during the audit?
No. There is nothing to be “compliant” with until a CPA firm has issued a report containing its opinion — and even then, the accurate phrasing is that you hold a SOC 2 report or have completed a SOC 2 examination. “SOC 2 certified” is never accurate at any stage, because SOC 2 is an attestation, not a certification. While the audit runs, say the examination is underway with an independent CPA firm — it is honest, and buyers accept it.
What proof can we give customers before the report arrives?
The interim evidence stack: a readiness assessment summary from your consultant, the signed engagement letter with the CPA firm, your security policy set, a completed CAIQ or SIG (or the buyer’s own questionnaire), a penetration-test executive summary, and a call with your security lead. Shared under NDA, this satisfies many security reviewers. Some enterprise buyers will still wait for the report or ask for contractual security commitments instead — that is normal, not a failure.
Should we get a Type 1 first as an interim step?
Often, yes. A Type 1 examines whether your controls are suitably designed at a point in time, so it can be issued while your Type 2 review period is still running. That gives you a genuine CPA-issued deliverable to share mid-journey, and many buyers accept a Type 1 for initial onboarding with the Type 2 to follow. The trade-offs: it adds examination cost, and some enterprise security teams give a standalone Type 1 limited weight because it says nothing about operating effectiveness.
Can we share our readiness assessment with customers?
Yes — under NDA, and clearly labeled for what it is: a consultant’s readiness or gap assessment, not an audit opinion. Shared honestly, it shows that scope, gaps, and remediation were handled systematically, which is precisely what a reviewer wants to see mid-journey. Dressed up as an “audit,” it destroys the trust it was meant to build. Pair it with your policy set and the CPA engagement letter so the reviewer sees both the work done and the examination it leads to.
What if a deal is blocked waiting for the report?
Ask precisely what would unblock it — the answer differs by buyer. Options that work in practice: a security addendum with audit rights, breach-notification, and report-delivery obligations; a Type 1 as an interim CPA-issued milestone; a deep-dive call between security teams; or closing with the report as a contractual post-signature deliverable. If the buyer’s policy genuinely requires the report, offer stage-based transparency on progress rather than promising a delivery date you don’t control.
When can we say we “have SOC 2”?
The day the CPA firm issues the report: signed opinion, system description, and — for a Type 2 — the test results over your review period. From then on, the accurate sentence is “we hold a SOC 2 Type 2 report, available under NDA,” ideally naming the period it covers. Keep it current: a report describes a defined period, so buyers expect a fresh examination on roughly an annual cycle, with a bridge letter covering any gap between reports.
Related reading: the Learn hub, SOC 2 for enterprise sales, how to read a SOC 2 report, the SOC 2 compliance checklist, and SOC 2 services. More terms in the compliance glossary.