AI SOC 2 Documentation Generator

SOC 2 documentation requires precise control narratives mapped to Trust Services Criteria, supported by evidence. Vespper generates and maintains your SOC 2 documentation with every statement traceable to policies and controls.

1. Trust Services Criteria

SOC 2 reports are organized around the AICPA Trust Services Criteria, with Common Criteria required and additional criteria selected based on service commitments.

Common Criteria (CC1.0-CC5.0)

  • CC1: Control Environment — board oversight, organizational structure, commitment to competence
  • CC2: Communication and Information — internal and external communication of control policies
  • CC3: Risk Assessment — risk identification, fraud risk assessment, change management
  • CC4: Monitoring Activities — ongoing and separate evaluations of control effectiveness
  • CC5: Control Activities — logical access, physical access, change management, system operations

Additional Criteria Categories

  • Availability (A1.1-A1.3): system availability commitments and recovery objectives
  • Confidentiality (C1.1-C1.2): confidential information identification and protection
  • Processing Integrity (PI1.1-PI1.5): completeness, accuracy, and timeliness of processing
  • Privacy (P1.0-P8.0): personal information lifecycle from collection through disposal

Impact on documentation

  • Each selected category of criteria requires specific control narratives and evidence — omitting a category the service commitments imply can trigger a qualified opinion
  • Common Criteria are mandatory regardless of which additional categories are selected

2. Control Narrative Requirements

Control narratives must describe the specific design and implementation of each control with enough detail for an auditor to evaluate and test.

AICPA Control Description Standards

  • Each control must specify who performs it, what is performed, how frequently, and what evidence is generated
  • Control narratives must distinguish between automated and manual controls
  • Compensating controls must be documented when primary controls have design gaps

Complementary Controls

  • Complementary User Entity Controls (CUECs) — controls the customer must implement for the system to meet criteria
  • Complementary Subservice Organization Controls (CSOCs) — controls that subservice organizations must implement
  • Carve-out vs. inclusive method documentation for subservice organizations

Impact on documentation

  • Vague control narratives (e.g., 'access is restricted') result in auditor requests for specificity and potential testing failures
  • Missing CUECs leave customers unable to rely on the SOC 2 report for their own compliance obligations

3. Type I vs Type II Documentation

The documentation requirements differ significantly between Type I (design) and Type II (design + operating effectiveness) examinations.

Type I — Point-in-Time Assessment

  • Control design evaluation as of a specific date
  • Management assertion covers fairness of system description and suitability of control design
  • No operating effectiveness testing — suitable for first-year SOC 2 reports

Type II — Period-of-Time Assessment

  • Operating effectiveness testing across a minimum 6-month examination period (12 months preferred)
  • Evidence collection must cover the entire examination period — not just start and end dates
  • Exception handling and remediation documentation required for any control deviations identified

Impact on documentation

  • Type II evidence gaps during the examination period can result in qualified opinions even if controls are currently effective
  • Transitioning from Type I to Type II requires building evidence collection processes well before the examination period begins

4. System Description Requirements

The system description is a critical component that defines what is and is not covered by the SOC 2 examination.

AICPA Description Criteria (DC Section 200)

  • System boundaries including infrastructure, software, people, procedures, and data
  • Principal service commitments and system requirements as defined in customer agreements
  • Subservice organization identification with carve-out or inclusive method designation
  • Incident disclosure requirements for security events during the examination period

Impact on documentation

  • System boundaries that are too narrow may exclude services customers rely on for their own compliance
  • Incomplete subservice organization disclosure can result in examination scope issues

5. Auditor Evidence Expectations

Understanding what auditors need to test controls efficiently reduces examination friction and cost.

Evidence Collection and Testing

  • Population completeness documentation for each control testing sample
  • Sample size methodology based on control frequency (annual, quarterly, monthly, daily, per-occurrence)
  • Exception handling evidence including root cause analysis, remediation action, and management response
  • Management response documentation for any identified deviations

Impact on documentation

  • Incomplete population listings force auditors to expand sample sizes or issue scope limitations
  • Unresolved exceptions without documented remediation result in qualified opinions for affected criteria

What happens when documentation falls short

  • Qualified SOC 2 opinion from insufficient control evidence or unresolved exceptions
  • Customer contract termination for enterprise clients requiring clean SOC 2 attestation
  • Competitive disadvantage in enterprise sales cycles where SOC 2 is table stakes
  • Increased cyber insurance premiums from failed or qualified security attestation
  • Downstream liability from subservice organization failures not covered in report scope

What this means for your team

  • Trust Services Criteria mapped to specific organizational controls with no coverage gaps
  • Control narratives describe design and implementation with specificity: who performs the control, what is performed, how often, and what evidence is generated
  • System description covers all AICPA Description Criteria elements, including boundaries and subservice organizations
  • Evidence collection covers the full examination period with no gaps
  • CUECs and CSOCs identified, documented, and communicated to relevant parties
  • Exception handling demonstrates timely remediation with root cause analysis

How Vespper helps with SOC 2 documentation

Control narrative generation

Upload your security policies and control descriptions. Vespper generates Trust Services Criteria-aligned narratives traced to your actual controls.

Evidence linking

Every control narrative references the specific policy, procedure, or technical configuration it draws from — ready for auditor walkthrough.

Revision tracking for audit cycles

When policies change or controls are updated, revise your documentation with AI and track every modification with full before/after visibility.

Structured output by criteria

Generate documentation organized by Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) with proper cross-references.

Generate your SOC 2 documentation in 3 steps

Step 1: Upload policies and control evidence

Connect your security policies, control descriptions, configuration screenshots, and prior audit documentation.

Step 2: Generate control narratives

Vespper drafts control narratives aligned to Trust Services Criteria, with each statement traced to your uploaded evidence.

Step 3: Review and prepare for audit

Review narratives, verify evidence links, accept or refine AI suggestions, and export auditor-ready documentation packages.

Built for

  • Security Engineers
  • Compliance Managers
  • IT Auditors
  • CISO Teams

Start generating SOC 2 documentation with AI

Produce auditor-ready SOC 2 documentation with every narrative traced to evidence.