SOC 2 Pre-Audit Checklist: Final Readiness Assessment

The email subject line read: "We're ready for our SOC 2 audit." I smiled, then called the CTO immediately.

"Walk me through your incident response testing," I said.

Silence.

"When did you last review your vendor security assessments?"

More silence.

"Show me your access review documentation from the last quarter."

"Well... we have the spreadsheet started..."

They weren't ready. Not even close.

In my 15+ years helping companies through SOC 2 (strictly an attestation report carrying an auditor's opinion, though everyone, customers included, calls it a certification), I've learned one fundamental truth: the difference between a clean report and one full of exceptions is determined in the 90 days before your auditor arrives. The organizations that treat this period as a final sprint to document, test, and validate everything they've built are the ones who sail through their audits.

The ones who assume they're ready because they "have all the controls in place"? They're the ones getting findings that delay certification by 6-12 months.

This isn't theoretical. Last year, I watched a SaaS company postpone their audit three times because they kept discovering gaps during our pre-audit assessments. Each delay cost them at least $200,000 in lost enterprise deals. Their VP of Sales literally had customers holding signed contracts pending SOC 2 certification.

"SOC 2 readiness isn't about having controls. It's about proving you've been operating those controls consistently for your entire audit period."

Let me walk you through the exact checklist I use when preparing companies for their SOC 2 audit. This is the same process that's helped 47 organizations achieve clean audit reports—many on their first attempt.

The 90-Day Pre-Audit Timeline

Here's the reality nobody tells you: if you're discovering major gaps 30 days before your audit, you're already in trouble. Most Type II audit periods are 6-12 months, and the auditor needs evidence that controls operated throughout that entire period (a Type I only tests whether controls were designed and in place on a single date, which is why it's the easier first step).

But even if you've been operating controls all year, the 90 days before audit is when you validate everything, fill documentation gaps, and prepare evidence packages that make your auditor's job easy.

Timeline       | Focus Areas                        | Key Activities                                                                 | Red Flags to Address
90-60 Days Out | Evidence Collection & Gap Analysis | Gather all documentation; run mock audits; identify missing evidence           | Missing logs; incomplete access reviews; undocumented procedures
60-30 Days Out | Gap Remediation & Testing          | Complete missing documentation; test all controls; conduct vendor assessments  | Failed control tests; unresponsive vendors; missing change tickets
30-0 Days Out  | Final Validation & Preparation     | Organize evidence folders; brief all stakeholders; conduct final walkthrough   | Last-minute surprises; unprepared interviewees; disorganized evidence

I worked with a fintech company that followed this timeline religiously. At Day 75 they discovered they'd been using an unapproved vendor for six months. We had enough time to complete a vendor assessment, document the approval as a dated exception with proper justification (dated when it was actually granted, never backdated), and implement controls. Had they waited until Day 30, they would have had a finding.

Critical Documentation Review: What Auditors Actually Want to See

Let me share something that might surprise you: auditors aren't trying to fail you. They want you to succeed. But they need evidence that's clear, complete, and consistent.

I remember reviewing documentation for a healthcare SaaS company two weeks before their audit. Their security policies were beautifully written—86 pages of comprehensive procedures. There was just one problem: none of their actual practices matched the policies.

Their password policy required 14-character passwords with special characters. Their actual Azure AD configuration? 8 characters, no special character requirement.

Their change management policy required approval from three people. Their actual Jira workflow? One approver.

The disconnect between documentation and reality would have resulted in multiple findings. We spent the next 10 days either updating policies to match reality or implementing the documented controls.

"Your documentation should describe what you actually do, not what you wish you did. Auditors verify reality, not aspirations."

Policy and Procedure Documentation Checklist

Here's what needs to be absolutely buttoned up:

Document Type          | What Auditors Verify                                                     | Common Gaps I See                                | How to Fix
Security Policy        | Comprehensive coverage of all security domains; board/executive approval | No approval signatures; last updated 3 years ago | Get current executive signature; update to reflect current practices
Access Control Policy  | Role-based access; provisioning/deprovisioning procedures                | Doesn't match actual RBAC implementation         | Align policy with the access model actually in place
Change Management      | Approval workflows; testing requirements; rollback procedures            | Real changes bypass the process                  | Update the policy or enforce the process for ALL changes
Incident Response Plan | Clear escalation paths; communication procedures; tested annually        | Never actually tested                            | Conduct a tabletop exercise; document results
Business Continuity/DR | Recovery time objectives; backup procedures; annual testing              | Backups exist but restoration never tested       | Perform a full restoration test; document results
Vendor Management      | Assessment procedures; annual reviews; SLA monitoring                    | No documented vendor reviews                     | Complete assessments for all critical vendors
Acceptable Use Policy  | Employee responsibilities; consequences for violations                   | Not acknowledged by all employees                | Implement acknowledgment tracking
Data Classification    | Classification levels; handling requirements                             | Data not actually classified                     | Tag systems and data with classification levels

I helped a 200-person company discover they had 47 different "critical" vendors but only 12 had documented security assessments. We spent three weeks getting assessments from the other 35. It was exhausting, but the alternative was audit findings on vendor management.

Trust Services Criteria: The Five Pillars You Must Prove

SOC 2 is built on the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is mandatory, and its Common Criteria (CC1 through CC9) form the backbone of every report. Many companies pursue only Security, but understanding all five helps you plan for future expansions.

Security Criteria: The Non-Negotiable Foundation

Every SOC 2 audit includes Security. This is your core.

Pre-Audit Security Validation Checklist:

Logical Access Controls

  • [ ] All user accounts tied to real people (no shared accounts)

  • [ ] Access provisioning follows documented approval process

  • [ ] Quarterly access reviews completed for entire audit period

  • [ ] Terminated employee access revoked within documented timeframe

  • [ ] Privileged access is restricted and monitored

  • [ ] Multi-factor authentication enforced for all users

  • [ ] Access reviews documented with evidence of approvals and removals

I watched a company fail this because they had a "[email protected]" shared account with production database access. One shared account. Single finding that delayed their certification by four months.
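
Here is the reconciliation I run before every quarterly review, as an added example (it is not code from this article or from any client). It joins an HR roster to an identity-provider export and flags exactly the items in the checklist above: accounts with no named human owner (shared accounts and orphaned service accounts), accounts still enabled past their owner's termination date plus the revocation window, enabled accounts without MFA, and privileged accounts that need explicit re-approval. The roster, the export, the field names and the 24-hour revocation window are constructed assumptions; swap in your own export and your own policy value.

```python
"""Access-review reconciliation: HR roster vs. identity-provider export.

Added example, not code from the page or its author. The roster and the
account export below are constructed sample data; the field names and the
24-hour revocation window are assumptions standing in for your own policy.
"""
from collections import Counter
from datetime import date, timedelta

REVIEW_DATE = date(2024, 7, 1)          # the day the quarterly review is performed
REVOCATION_WINDOW = timedelta(days=1)   # assumed policy: access revoked within 24 hours of termination

# Constructed HR roster: who is employed, and when leavers left.
HR_ROSTER = [
    {"email": "alice@example.com", "status": "active", "terminated": None},
    {"email": "bob@example.com", "status": "terminated", "terminated": date(2024, 3, 1)},
    {"email": "carol@example.com", "status": "active", "terminated": None},
    {"email": "dave@example.com", "status": "terminated", "terminated": date(2024, 6, 28)},
]

# Constructed identity-provider export, flattened to the fields the review needs.
# "owner" is the human accountable for the account; None means nobody has claimed it.
IAM_EXPORT = [
    {"user": "alice", "owner": "alice@example.com", "enabled": True, "mfa": True, "privileged": True},
    {"user": "bob", "owner": "bob@example.com", "enabled": True, "mfa": True, "privileged": False},
    {"user": "carol", "owner": "carol@example.com", "enabled": True, "mfa": False, "privileged": False},
    {"user": "dave", "owner": "dave@example.com", "enabled": False, "mfa": True, "privileged": False},
    {"user": "ops-shared", "owner": None, "enabled": True, "mfa": False, "privileged": True},
    {"user": "svc-backup", "owner": "svc-backup@example.com", "enabled": True, "mfa": False, "privileged": True},
]


def reconcile(roster, accounts, review_date):
    """Return one finding per control deviation found in the account export."""
    people = {p["email"]: p for p in roster}
    findings = []
    for acct in accounts:
        owner = people.get(acct["owner"])
        if owner is None:
            # Shared or service account with no person in HR accountable for it.
            findings.append({"account": acct["user"], "issue": "no named owner in HR roster"})
        elif owner["status"] == "terminated" and acct["enabled"]:
            overdue = review_date - owner["terminated"] - REVOCATION_WINDOW
            findings.append({"account": acct["user"], "issue": "enabled after termination",
                             "days_overdue": max(overdue.days, 0)})
        if acct["enabled"] and not acct["mfa"]:
            findings.append({"account": acct["user"], "issue": "MFA not enforced"})
        if acct["enabled"] and acct["privileged"]:
            # Not a deviation by itself, but every privileged grant needs an explicit re-approval.
            findings.append({"account": acct["user"], "issue": "privileged access (re-approval required)"})
    return findings


def summarize(findings):
    """Counts per issue type: the numbers that go in the quarterly review summary."""
    return Counter(f["issue"] for f in findings)


def evidence_rows(findings, reviewer, review_date):
    """CSV rows for the review evidence file. Each row records who reviewed what and when;
    the trailing 'decision' column is filled in by the reviewer (remove / retain with justification)."""
    rows = ["review_date,reviewer,account,issue,days_overdue,decision"]
    for f in findings:
        rows.append(f"{review_date.isoformat()},{reviewer},{f['account']},{f['issue']},"
                    f"{f.get('days_overdue', '')},")
    return rows


if __name__ == "__main__":
    found = reconcile(HR_ROSTER, IAM_EXPORT, REVIEW_DATE)
    for issue, n in summarize(found).items():
        print(f"{n:2d}  {issue}")
    print("\n".join(evidence_rows(found, "security-lead", REVIEW_DATE)))
```

Run it on the day of the review and keep the CSV it emits, with the reviewer's decisions filled in, in the access-review folder: that file is the evidence of approvals and removals the auditor asks for, not the script itself.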

System Operations and Change Control

  • [ ] Production changes follow documented CAB approval process

  • [ ] Emergency changes have retroactive approval process

  • [ ] All changes have tickets/documentation

  • [ ] Change success/failure tracked

  • [ ] Failed changes have documented rollback procedures

Change Management: Testing Your Own Sample

  • [ ] Sample 25-40 changes across your audit period, drawn from the complete change population (the auditor picks their own sample from the full list you hand over, so don't test a curated subset)

  • [ ] Verify every change has proper approval before implementation

  • [ ] Confirm testing evidence exists

  • [ ] Document any emergency changes with retroactive approval

A client once told me, "We do change management in Slack." That's not documentation. That's not auditable. We implemented Jira workflows and suddenly every change had clear approval trails.
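
The test I run on the change population, as an added example (not code from this page or from any client's Jira): a stratified sample spread across all four quarters, then each ticket checked for an approval recorded before the deployment timestamp, attached testing evidence, and, for emergency changes, a retroactive approval. The tickets, the field names and the CI references are constructed assumptions standing in for your own ticket export.

```python
"""Change-management control test: pull a stratified sample of production
changes from the audit period and check each one the way an auditor will.

Added example, not code from the page or its author. The tickets are
constructed; the field names mirror a generic Jira-style export and are
assumptions. Set AUDIT_START/AUDIT_END to your own period.
"""
import math
import random
from datetime import datetime

AUDIT_START = datetime(2024, 1, 1)
AUDIT_END = datetime(2024, 12, 31, 23, 59)


def ts(s):
    """'2024-01-11 09:00' -> datetime (helper for the constructed data)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed ticket export. approved/retro_approved are None when no approval is on record.
CHANGES = [
    {"id": "CHG-101", "approved": ts("2024-01-11 09:00"), "deployed": ts("2024-01-12 10:00"),
     "test_evidence": "CI run #4412", "emergency": False, "retro_approved": None},
    {"id": "CHG-117", "approved": None, "deployed": ts("2024-02-20 14:30"),
     "test_evidence": "CI run #4590", "emergency": False, "retro_approved": None},
    {"id": "CHG-142", "approved": ts("2024-04-03 15:00"), "deployed": ts("2024-04-03 11:00"),
     "test_evidence": "CI run #4811", "emergency": False, "retro_approved": None},
    {"id": "CHG-160", "approved": ts("2024-05-22 10:00"), "deployed": ts("2024-05-23 09:00"),
     "test_evidence": "", "emergency": False, "retro_approved": None},
    {"id": "CHG-188", "approved": None, "deployed": ts("2024-08-14 02:10"),
     "test_evidence": "smoke test log", "emergency": True, "retro_approved": ts("2024-08-15 09:00")},
    {"id": "CHG-203", "approved": None, "deployed": ts("2024-09-30 23:40"),
     "test_evidence": "smoke test log", "emergency": True, "retro_approved": None},
    {"id": "CHG-220", "approved": ts("2024-10-08 11:00"), "deployed": ts("2024-10-09 10:00"),
     "test_evidence": "CI run #5230", "emergency": False, "retro_approved": None},
    {"id": "CHG-231", "approved": ts("2024-11-18 16:00"), "deployed": ts("2024-11-19 10:00"),
     "test_evidence": "CI run #5377", "emergency": False, "retro_approved": None},
]


def quarter(when):
    return (when.month - 1) // 3 + 1


def sample_changes(changes, n, seed=2024):
    """Stratified random sample: spread n picks across all four quarters so the
    evidence shows the control operating all year, not just in the last month.
    Record the seed so the selection can be reproduced for the auditor."""
    rng = random.Random(seed)
    per_quarter = math.ceil(n / 4)
    picked = []
    for q in (1, 2, 3, 4):
        pool = [c for c in changes if quarter(c["deployed"]) == q]
        picked.extend(rng.sample(pool, min(per_quarter, len(pool))))
    if len(picked) > n:
        picked = rng.sample(picked, n)
    return sorted(picked, key=lambda c: c["id"])


def check_change(change):
    """Exceptions an auditor would write up for one ticket (empty list = clean)."""
    exceptions = []
    if not AUDIT_START <= change["deployed"] <= AUDIT_END:
        exceptions.append("deployed outside the audit period")
    if change["emergency"]:
        if change["retro_approved"] is None:
            exceptions.append("emergency change with no retroactive approval")
    elif change["approved"] is None:
        exceptions.append("no approval on record")
    elif change["approved"] > change["deployed"]:
        exceptions.append("approval recorded after deployment")
    if not change["test_evidence"]:
        exceptions.append("no testing evidence attached")
    return exceptions


def run_control_test(changes):
    """Map ticket id -> exceptions, plus the subset that failed."""
    results = {c["id"]: check_change(c) for c in changes}
    failed = {cid: exc for cid, exc in results.items() if exc}
    return results, failed


if __name__ == "__main__":
    sample = sample_changes(CHANGES, 8)
    _, failed = run_control_test(sample)
    print(f"tested {len(sample)} changes, {len(failed)} with exceptions")
    for cid, exc in failed.items():
        print(f"  {cid}: {'; '.join(exc)}")
```

The approval-after-deployment case (CHG-142 in the constructed data) is the one Slack-based approval never catches: a thumbs-up emoji has no timestamp you can compare against the deploy, which is why a ticket workflow with recorded approval times is the fix.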

Risk Management

  • [ ] Annual risk assessment completed

  • [ ] Risks prioritized and documented

  • [ ] Mitigation plans for high/critical risks

  • [ ] Risk register updated quarterly

  • [ ] Board/executive review of risk assessment

Security Monitoring

  • [ ] SIEM or logging solution capturing security events

  • [ ] Logs retained and retrievable for the entire audit period (90 days searchable is a common floor; older logs can sit in cold storage, but you must be able to pull them when the auditor picks a date from March)

  • [ ] Security alerts configured and investigated

  • [ ] Evidence of alert investigation and resolution

  • [ ] Vulnerability scanning performed quarterly

  • [ ] Critical/high vulnerabilities remediated within SLA
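
An added example (not from the page) covering the last two items in that list: a check that every quarter of the audit year had a scan, and a remediation-SLA classifier run over scanner findings. The scan dates, the findings and the SLA days per severity are constructed assumptions; the SLA values in particular must come from your own policy, because the auditor tests against what you wrote down, not against an industry norm.

```python
"""Vulnerability-management evidence: quarterly scan coverage and remediation SLA.

Added example, not code from the page or its author. Scan dates and findings are
constructed; the SLA days per severity are assumptions (substitute your policy's).
"""
from collections import Counter
from datetime import date

AS_OF = date(2024, 12, 15)      # the date the evidence is being prepared
AUDIT_YEAR = 2024
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed policy values

# Constructed: dates of the scans run during the audit year (no scan in Q3).
SCAN_DATES = [date(2024, 1, 15), date(2024, 4, 20), date(2024, 12, 2)]

# Constructed scanner findings. "fixed" is None while the finding is still open.
FINDINGS = [
    {"id": "V-1", "severity": "critical", "asset": "api-01", "first_seen": date(2024, 5, 2), "fixed": date(2024, 5, 6)},
    {"id": "V-2", "severity": "critical", "asset": "db-01", "first_seen": date(2024, 5, 2), "fixed": date(2024, 5, 20)},
    {"id": "V-3", "severity": "high", "asset": "web-02", "first_seen": date(2024, 11, 20), "fixed": None},
    {"id": "V-4", "severity": "high", "asset": "bastion", "first_seen": date(2024, 6, 1), "fixed": None},
    {"id": "V-5", "severity": "medium", "asset": "web-02", "first_seen": date(2024, 8, 1), "fixed": date(2024, 9, 15)},
]


def quarters_without_scan(scan_dates, year):
    """Quarters of the audit year with no scan at all; each is a gap in the quarterly-scanning control."""
    covered = {(d.month - 1) // 3 + 1 for d in scan_dates if d.year == year}
    return sorted({1, 2, 3, 4} - covered)


def sla_status(finding, as_of):
    """Classify one finding against its SLA. Returns (status, days_open)."""
    limit = SLA_DAYS[finding["severity"]]
    end = finding["fixed"] or as_of
    days_open = (end - finding["first_seen"]).days
    if finding["fixed"] is not None:
        return ("closed_in_sla" if days_open <= limit else "closed_late"), days_open
    return ("open_in_sla" if days_open <= limit else "open_overdue"), days_open


def sla_report(findings, as_of):
    """Per-severity counts of each status: the table that goes in the evidence folder."""
    report = {}
    for f in findings:
        status, _ = sla_status(f, as_of)
        report.setdefault(f["severity"], Counter())[status] += 1
    return report


def sla_compliance(findings, as_of, severities=("critical", "high")):
    """Fraction of critical/high findings closed in time or still inside their window."""
    relevant = [f for f in findings if f["severity"] in severities]
    ok = sum(1 for f in relevant if sla_status(f, as_of)[0] in ("closed_in_sla", "open_in_sla"))
    return ok / len(relevant) if relevant else 1.0


def overdue_exceptions(findings, as_of):
    """Open findings past SLA: each needs a documented risk acceptance or an emergency fix before the audit."""
    out = []
    for f in findings:
        status, days_open = sla_status(f, as_of)
        if status == "open_overdue":
            out.append({"id": f["id"], "asset": f["asset"], "severity": f["severity"],
                        "days_over_sla": days_open - SLA_DAYS[f["severity"]]})
    return out


if __name__ == "__main__":
    print("quarters without a scan:", quarters_without_scan(SCAN_DATES, AUDIT_YEAR))
    for sev, counts in sla_report(FINDINGS, AS_OF).items():
        print(f"{sev:9s} {dict(counts)}")
    print(f"critical/high SLA compliance: {sla_compliance(FINDINGS, AS_OF):.0%}")
    for e in overdue_exceptions(FINDINGS, AS_OF):
        print(f"OVERDUE {e['id']} on {e['asset']} ({e['severity']}): {e['days_over_sla']} days past SLA")
```

Two things the output tells you before the auditor does: a quarter with no scan is a control that did not operate for that quarter, and a finding closed late is still an exception even though it is closed. Both need a written explanation in the evidence folder, not a hope that the sample misses them.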

Availability Criteria: Proving Your Uptime

If you're pursuing Availability (and most SaaS companies should), you need evidence of system reliability.

Availability Requirement | What You Need                                 | Auditor Will Check
Performance Monitoring   | Uptime monitoring tools; SLA definitions       | Historical uptime data; incident records
Capacity Management      | Infrastructure monitoring; growth planning     | Evidence of capacity reviews; scaling decisions
Backup and Recovery      | Automated backups; tested restores             | Backup logs; restoration test results
Incident Management      | Incident tracking system; response procedures  | Incident tickets; resolution times; post-mortems
Business Continuity      | Disaster recovery plan; annual testing         | Test results; plan updates; tabletop exercises

I'll never forget a SaaS company that claimed 99.9% uptime but had no monitoring tools to prove it. Their AWS console showed the infrastructure was up, but they had no application-level monitoring. We implemented Datadog and discovered their actual uptime was 98.7%—not bad, but not what they'd been claiming to customers.

Processing Integrity: Data Accuracy and Completeness

This is crucial for companies that process data on behalf of customers—think payment processors, data analytics platforms, or any transformation services.

Processing Integrity Evidence Requirements:

  • [ ] Data validation controls at input

  • [ ] Processing error handling and logging

  • [ ] Data reconciliation procedures

  • [ ] Output accuracy verification

  • [ ] Error correction and reprocessing procedures

  • [ ] Sample transactions traced end-to-end

Confidentiality: Beyond Basic Security

Confidentiality applies when you handle proprietary information beyond typical business data.

Confidentiality Control Checklist:

  • [ ] Data classification policy and implementation

  • [ ] Confidential data inventory

  • [ ] Access restricted to need-to-know basis

  • [ ] Encryption for confidential data (rest and transit)

  • [ ] Confidentiality agreements with employees and contractors

  • [ ] Secure disposal procedures for confidential information

Privacy: The GDPR of SOC 2

The Privacy criteria align closely with privacy regulations like GDPR and CCPA.

Privacy Control Requirements:

  • [ ] Privacy notice provided to data subjects

  • [ ] Consent mechanisms for data collection

  • [ ] Data subject rights procedures (access, deletion, portability)

  • [ ] Data retention and disposal policies

  • [ ] Third-party data sharing agreements

  • [ ] Privacy incident response procedures

Here's a reality check: only pursue the criteria your customers actually need. I've seen companies waste $50,000 getting all five criteria when their customers only cared about Security. Start with Security, add others based on actual business requirements.

System Description: Your Audit Narrative

The System Description is arguably the most important document you'll create. It's your opportunity to tell your story before the auditor starts testing.

I worked with a company whose system description was 4 pages long. It was so vague that auditors spent the first week of the audit just trying to understand what the company actually did. We rewrote it to 22 pages with detailed descriptions, architecture diagrams, and control explanations. The audit went from projected 8 weeks to actual 4 weeks because auditors understood the environment.

Essential System Description Components:

Section                                    | What to Include                                                                              | Why It Matters
Company Overview                           | Services offered; customer base; locations                                                   | Sets context for the auditor
System Architecture                        | Infrastructure components; data flow diagrams; technology stack                              | Defines scope and boundaries
Security Controls                          | Control descriptions; implementation details; responsibilities                               | Tells the auditor what you do and who does it
Complementary User Entity Controls (CUECs) | Customer responsibilities; shared security model                                             | Clarifies what is the customer's job, and therefore out of your scope
Subservice Organizations                   | Critical vendors you rely on (typically your cloud provider); what they provide; their own SOC reports | Explains trust relationships and which controls you carve out to them

"A great system description answers auditor questions before they're asked. A poor one creates questions that derail your audit."

Evidence Organization: Making Your Auditor's Job Easy

Here's an insider secret: auditors remember the difficult audits and the easy audits. You want to be the easy one.

I've participated in audits where evidence was scattered across Google Drive, Confluence, Jira, GitHub, and someone's laptop. The auditor spent 40% of their time just finding documents. It extended the audit timeline and increased costs.

Compare that to a client who organized everything into a clear folder structure with a comprehensive evidence index. Their auditor told me, "This is the smoothest audit I've conducted in three years."

Evidence Collection Framework

Create this folder structure 90 days before your audit:

SOC2_Audit_Evidence/
├── 01_Policies_and_Procedures/
│   ├── Security_Policy_v2.3_Signed.pdf
│   ├── Change_Management_Policy_Signed.pdf
│   └── Incident_Response_Plan_v1.5.pdf
├── 02_Risk_Management/
│   ├── 2024_Annual_Risk_Assessment.xlsx
│   ├── Risk_Register_Q1-Q4.xlsx
│   └── Executive_Risk_Review_Minutes.pdf
├── 03_Access_Controls/
│   ├── Access_Reviews/
│   │   ├── Q1_2024_Access_Review.xlsx
│   │   ├── Q2_2024_Access_Review.xlsx
│   │   ├── Q3_2024_Access_Review.xlsx
│   │   └── Q4_2024_Access_Review.xlsx
│   ├── Provisioning/
│   │   └── New_User_Tickets_Sample.pdf
│   └── Deprovisioning/
│       └── Terminated_User_Evidence.pdf
├── 04_Change_Management/
│   ├── Change_Tickets_Sample_Q1.xlsx
│   ├── Change_Tickets_Sample_Q2.xlsx
│   ├── Change_Approval_Board_Minutes.pdf
│   └── Emergency_Change_Documentation.pdf
├── 05_Monitoring_and_Logging/
│   ├── Security_Alerts_Sample.xlsx
│   ├── Alert_Investigation_Evidence.pdf
│   ├── Vulnerability_Scans/
│   └── Penetration_Test_Results.pdf
├── 06_Vendor_Management/
│   ├── Vendor_Inventory.xlsx
│   ├── Vendor_Assessments/
│   ├── Vendor_Contracts/
│   └── Vendor_Annual_Reviews/
├── 07_Incident_Response/
│   ├── Incident_Tickets_Sample.xlsx
│   ├── Incident_Post_Mortems.pdf
│   └── Tabletop_Exercise_Results.pdf
├── 08_Business_Continuity/
│   ├── BCP_DR_Plan_v2.0.pdf
│   ├── Backup_Verification_Logs.xlsx
│   ├── DR_Test_Results_2024.pdf
│   └── Backup_Restoration_Evidence.pdf
├── 09_Training_and_Awareness/
│   ├── Security_Training_Completion.xlsx
│   ├── Training_Materials/
│   └── Phishing_Simulation_Results.pdf
└── 10_System_Description/
    ├── System_Description_v3.1.pdf
    ├── Architecture_Diagrams.pdf
    └── Data_Flow_Diagrams.pdf

Create an evidence index spreadsheet that maps each control to specific evidence files:

Control ID | Control Description                          | Evidence Type         | Evidence Location                  | Date Range               | Notes
CC6.1      | Logical access controls restrict access      | Access review reports | 03_Access_Controls/Access_Reviews/ | Jan-Dec 2024             | Quarterly reviews documented
CC6.2      | Access provisioning follows approval process | Provisioning tickets  | 03_Access_Controls/Provisioning/   | Sample from each quarter | 25 sample tickets provided
CC8.1      | Change management process followed           | Change tickets        | 04_Change_Management/              | Jan-Dec 2024             | 40 sample changes across the year

The People Factor: Preparing Your Team for Interviews

Here's something that consistently surprises people: employee interviews can make or break your audit.

I watched a company with excellent controls fail their initial audit because employees gave inconsistent answers during interviews. The CTO said quarterly access reviews happened. The IT manager said monthly. The actual process? Quarterly, but the inconsistency raised red flags that led to additional scrutiny.

Interview Preparation Strategy

90 Days Before Audit:

  • Identify who will be interviewed (usually 5-15 people)

  • Create interview prep documents for each role

  • Conduct mock interviews

60 Days Before Audit:

  • Review actual procedures with everyone

  • Ensure consistent terminology

  • Address any process confusion

30 Days Before Audit:

  • Final interview prep sessions

  • Refresh on any recent changes

  • Remind everyone: honesty over perfection

Key Personnel to Prepare:

Role               | What They'll Be Asked                                       | Preparation Focus
CISO/Security Lead | Overall security program; risk management; incident history | Program overview; key metrics; major incidents
IT Manager         | Change management; access controls; system operations       | Day-to-day procedures; tool usage; exception handling
HR Lead            | Onboarding/offboarding; training; background checks         | Employee lifecycle; training tracking; verification procedures
Developer/Engineer | Development practices; code reviews; testing                | SDLC process; security in development; change procedures
Support Manager    | Customer data handling; incident response; access logs      | Support tools; data privacy; customer communication

I prep people with these rules:

  1. Answer only what's asked - Don't volunteer information beyond the question

  2. If you don't know, say so - "I'd need to verify that" is better than guessing

  3. Use consistent terminology - If your policy calls it "quarterly access reviews," don't say "access audits"

  4. Describe the normal process - Exceptions should be documented as exceptions

  5. Honesty beats perfection - If something failed, explain how you handled it

"Auditors expect to find some issues. What they can't tolerate is deception or inconsistency. Be honest about your gaps—it builds trust."

Common Pre-Audit Findings and Fast Fixes

In the 90 days before audit, I typically find the same issues repeatedly. Here's what to check and how to fix them:

The "Shadow IT" Problem

Issue: Departments using unapproved tools that process customer data.

How I Find It: Review credit card statements and SSO logs.

Fast Fix:

  • Document all tools currently in use

  • Conduct rapid security assessments

  • Add to vendor management program

  • Implement approval process going forward

Last month, I found a marketing team using an unapproved email tool with access to customer data. We completed a vendor assessment in 72 hours, got executive approval, and documented the exception. Crisis averted.
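
The SSO-log and card-statement review itself, as an added example (not the page's own code or tooling): each SSO application and each statement merchant is normalized and matched against the vendor inventory, and anything without a match is listed with who used it and when. The inventory, the sign-in lines and the statement lines are constructed, and the line layouts are assumptions (a real IdP export is JSON, but the three fields used, time, user and application, exist in all of them).

```python
"""Shadow-IT discovery: SSO sign-ins and card-statement merchants not in the vendor inventory.

Added example, not code from the page or its author. All inputs are constructed;
the "<timestamp> <user> <app>" and "<date> <merchant> <amount>" layouts are assumptions.
"""
import re
from collections import defaultdict

# Constructed vendor inventory: approved vendor -> aliases as they appear on statements or in logs.
VENDOR_INVENTORY = {
    "Salesforce": [],
    "GitHub": [],
    "Datadog": [],
    "Slack": [],
    "Amazon Web Services": ["amzn", "aws"],
}

# Constructed SSO sign-in events: "<timestamp> <user> <application>".
SSO_EVENTS = [
    "2024-09-03T10:12:00Z alice@example.com Salesforce",
    "2024-09-03T10:15:00Z bob@example.com MailBlaster",
    "2024-09-04T08:01:00Z carol@example.com MailBlaster",
    "2024-09-05T09:30:00Z alice@example.com GitHub",
    "2024-09-07T16:44:00Z bob@example.com MailBlaster",
    "2024-09-09T11:05:00Z dave@example.com Datadog",
]

# Constructed company-card statement lines: "<date> <merchant description> <amount>".
CARD_STATEMENT = [
    "2024-09-01 SLACK TECHNOLOGIES 1,200.00",
    "2024-09-02 MAILBLASTER INC 49.00",
    "2024-09-15 AMZN*WEB SERVICES 3,310.55",
    "2024-09-20 NOTION LABS 80.00",
]


def normalize(name):
    """Lower-case and strip everything but letters and digits so 'AMZN*WEB SERVICES' and 'amzn' compare."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def is_approved(name, inventory):
    """True if a normalized vendor name or one of its aliases appears inside the observed name."""
    observed = normalize(name)
    for vendor, aliases in inventory.items():
        if any(normalize(a) in observed for a in [vendor, *aliases]):
            return True
    return False


def unapproved_sso_apps(events, inventory):
    """Apps reached through SSO that are not in the inventory, with who used them and when."""
    seen = defaultdict(lambda: {"users": set(), "events": 0, "first_seen": None, "last_seen": None})
    for line in events:
        when, user, app = line.split(" ", 2)
        if is_approved(app, inventory):
            continue
        rec = seen[app]
        rec["users"].add(user)
        rec["events"] += 1
        rec["first_seen"] = min(filter(None, [rec["first_seen"], when]))   # ISO timestamps sort lexically
        rec["last_seen"] = max(rec["last_seen"] or when, when)
    return dict(seen)


def unapproved_merchants(statement, inventory):
    """Merchants on the statement with no matching inventory entry."""
    flagged = []
    for line in statement:
        parts = line.split()
        merchant = " ".join(parts[1:-1])   # everything between the date and the amount
        if not is_approved(merchant, inventory):
            flagged.append(merchant)
    return flagged


if __name__ == "__main__":
    for app, rec in unapproved_sso_apps(SSO_EVENTS, VENDOR_INVENTORY).items():
        print(f"SSO: {app}: {len(rec['users'])} users, {rec['events']} sign-ins, "
              f"{rec['first_seen']} to {rec['last_seen']}")
    for merchant in unapproved_merchants(CARD_STATEMENT, VENDOR_INVENTORY):
        print(f"CARD: {merchant}: not in vendor inventory")
```

Matching is substring containment on a normalized name, so keep aliases specific: a short alias such as "aws" can wrongly approve an unrelated merchant whose description happens to contain those letters, and a wrongly approved tool is exactly what this review exists to catch. When an app shows up in both lists (MailBlaster in the constructed data), you also have the user count and the first sign-in date, which is what the vendor assessment and the exception record need.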

The "Access Review" Gap

Issue: Access reviews show people were granted access, but not that inappropriate access was removed.

Fast Fix:

  • Review current access against job roles

  • Document and remove inappropriate access now

  • In future reviews, explicitly document removals

The "Backup Testing" Gap

Issue: Automated backups run daily, but no evidence of successful restoration testing.

Fast Fix:

  • Perform full restoration test immediately

  • Document the test procedure and results

  • Schedule quarterly restoration tests going forward

I can't tell you how many times I've seen companies with perfect backup logs and zero restoration testing. Auditors need evidence that backups actually work.

The "Change Management Bypass" Problem

Issue: Emergency changes happened without following documented approval process.

Fast Fix:

  • Identify all emergency changes in audit period

  • Write up each one now as emergency-change documentation, dated when it's written (never backdated), describing what was changed, when, and by whom

  • Document why emergency process was necessary

  • Show that changes were later reviewed and approved

The "Vendor Assessment" Gap

Issue: Critical vendors haven't been assessed in 12+ months.

Fast Fix:

  • Prioritize vendors by criticality

  • Send assessment requests immediately

  • For slow responders, document follow-up attempts

  • Accept vendor SOC 2 reports as evidence, but read them: note the report period, any exceptions, and the complementary user entity controls the vendor expects you to operate

The Mock Audit: Your Dress Rehearsal

Sixty days before your audit, conduct a full mock audit. This is non-negotiable.

I do this with every client. We pretend I'm the auditor and request evidence exactly as an auditor would. The findings are always eye-opening.

Mock Audit Process:

Week 1: Evidence Requests

  • I send standard evidence request list

  • Team has 5 days to provide everything

Week 2: Document Review

  • Review all evidence for completeness

  • Identify gaps and missing items

  • Check for consistency across documents

Week 3: Interview Simulation

  • Conduct mock interviews with key personnel

  • Note inconsistent answers

  • Identify knowledge gaps

Week 4: Gap Remediation

  • Document all findings

  • Create remediation plan

  • Assign owners and deadlines

A healthcare company I worked with found 23 gaps during their mock audit. We fixed all of them before the real audit. They passed with zero findings. The CFO told me the mock audit was the best $15,000 they'd ever spent.

Red Flags That Require Immediate Attention

If you discover any of these during your pre-audit assessment, stop everything and fix them immediately:

Red Flag                                   | Why It's Critical                                | Immediate Action
Shared administrative accounts             | Fundamental access control violation             | Create individual admin accounts; disable the shared ones and rotate any credentials or keys they held
No MFA on production systems               | Basic security control failure                   | Enforce MFA now for all production access
Unpatched critical vulnerabilities         | Evidence of ineffective vulnerability management | Emergency patching; document a risk acceptance if patching isn't possible
No access reviews in the last 6 months     | Control not operating                            | Conduct an immediate comprehensive access review
Production changes without approval        | Change management failure                        | Freeze unapproved changes; enforce the approval workflow before anything else ships
Customer data in non-production            | Data handling control failure                    | Remove customer data from non-prod, or document the sanitization/masking applied
No vendor assessments for critical vendors | Third-party risk management failure              | Emergency assessments for the top 10 critical vendors
Never-tested incident response plan        | Preparedness failure                             | Conduct a tabletop exercise immediately

I once had a client who discovered three days before their audit that they had never tested their incident response plan. We conducted an emergency tabletop exercise on Saturday, documented everything, and submitted it Monday morning. The auditor accepted it, but that was way too close for comfort.

The Final 30-Day Sprint

The last month before audit is about validation and polish, not major changes.

30 Days Out:

  • [ ] All evidence collected and organized

  • [ ] Evidence index complete

  • [ ] System Description finalized

  • [ ] All employees interview-ready

  • [ ] Mock audit findings resolved

14 Days Out:

  • [ ] Final review of all evidence

  • [ ] Confirm auditor kickoff meeting

  • [ ] Distribute audit schedule to team

  • [ ] Brief executives on audit process

  • [ ] Ensure evidence access for auditor

7 Days Out:

  • [ ] Final evidence verification

  • [ ] Confirm all stakeholders available

  • [ ] Review any last-minute policy updates

  • [ ] Prepare welcome packet for auditor

  • [ ] Deep breath

Day of Audit:

  • [ ] Kickoff meeting prepared

  • [ ] Evidence access confirmed

  • [ ] Team briefed and ready

  • [ ] Conference rooms reserved

  • [ ] Coffee stocked (seriously)

"The week before audit should be boring. If you're scrambling, you started too late."

Real Talk: When You're Not Ready

Sometimes, despite best efforts, you reach the 30-day mark and realize you're not ready. I need to be brutally honest here: it's better to postpone than to fail.

There is no official "fail" in SOC 2, but a report full of exceptions, or one carrying a qualified opinion, goes to every customer who asks for it. A postponed audit is private: only you and your auditor know. A bad report also creates doubt with customers and makes your next audit harder.

I advised a company to postpone their audit 21 days before kickoff. They were devastated. Their sales team was furious. But we'd found gaps that couldn't be fixed in three weeks:

  • Six months of access reviews were incomplete

  • Their change management process had only been implemented for four months

  • Critical vendor assessments were missing

We postponed by 90 days, fixed everything, and they passed cleanly. Eighteen months later, their VP of Engineering thanked me. "You saved us from a disaster that would have haunted us for years."

Signs You Should Postpone:

  • Missing 3+ months of required evidence

  • Major controls implemented less than 6 months ago

  • Critical vendor assessments not completed

  • Significant control failures in last 90 days

  • Team not prepared or understaffed

  • Major system migrations in progress

How to Postpone Gracefully:

  1. Call your auditor immediately

  2. Be honest about specific gaps

  3. Provide clear remediation timeline

  4. Request new audit dates 60-90 days out

  5. Use the time productively

Most audit firms are understanding. They'd rather postpone than issue a report with findings.

The Post-Audit Reality Check

Let me share something nobody talks about: even with perfect preparation, you'll probably get observations.

Observations aren't failures—they're opportunities for improvement. I've been through audits that resulted in clean reports but still had 5-10 observations noted.

The difference between observations and findings:

  • Observations: improvement suggestions the auditor raises in a management letter or verbally; they don't appear in the report's test results and don't hold up the report

  • Findings (exceptions): control deviations recorded in the report's test results; they must be remediated, and enough of them, or a serious one, leads to a qualified opinion

A recent client got an observation about their password policy lacking explicit prohibition of password sharing. It wasn't a finding because they had compensating controls (MFA everywhere, monitoring for concurrent sessions). But the auditor noted it for future improvement.

They updated their policy the next day. Observation addressed.

Your Pre-Audit Checklist: The Bottom Line

Here's my complete pre-audit checklist that I use with every client. Print this, work through it methodically, and you'll be in excellent shape:

Documentation (90-60 Days Out):

  • [ ] All policies current and signed

  • [ ] System Description complete and accurate

  • [ ] Architecture diagrams updated

  • [ ] Data flow diagrams current

  • [ ] All procedures documented

Evidence Collection (90-30 Days Out):

  • [ ] Access reviews for entire audit period

  • [ ] Change management tickets (sample)

  • [ ] Security monitoring logs

  • [ ] Vulnerability scan results

  • [ ] Incident response records

  • [ ] Vendor assessments complete

  • [ ] Training completion records

  • [ ] Backup and DR test results

  • [ ] Risk assessments current

Control Validation (60-30 Days Out):

  • [ ] Mock audit completed

  • [ ] All gaps identified and remediated

  • [ ] Control testing performed

  • [ ] Evidence quality verified

  • [ ] Consistency check across documents

Team Preparation (30-0 Days Out):

  • [ ] Interview prep completed

  • [ ] All stakeholders briefed

  • [ ] Terminology standardized

  • [ ] Schedule confirmed with all participants

  • [ ] Evidence access tested

Final Validation (14-0 Days Out):

  • [ ] Evidence folder organization verified

  • [ ] Index spreadsheet complete

  • [ ] System Description final review

  • [ ] Auditor logistics confirmed

  • [ ] Team ready and confident

A Final Story: The Power of Preparation

I want to close with a success story that illustrates why this preparation matters.

In 2023, I worked with a 45-person SaaS company pursuing their first SOC 2. The CEO was skeptical about the amount of prep work I was recommending. "Can't we just wing it?" he asked. "We're a security company. We know what we're doing."

I convinced him to follow the 90-day checklist. Reluctantly, they did.

During the mock audit at Day 60, we found 31 gaps. Thirty-one! From a security company that "knew what they were doing."

They spent the next 45 days fixing everything. When the real audit came, it took exactly 2.5 weeks. Zero findings. Zero observations. The auditor told me it was one of the smoothest audits she'd conducted.

But here's the kicker: a competitor company—same size, same market, also a "security company"—started their audit without preparation. Their audit took 9 weeks, they got 7 findings, and had to remediate and re-audit. Six months later, they finally got certified.

By that time, my client had landed three enterprise customers worth a combined $4.2 million in ARR. Customers who explicitly chose them because they had SOC 2 and the competitor didn't.

The CEO sent me a bottle of whiskey with a note: "You were right. Preparation matters. Thank you for not letting us wing it."

"SOC 2 preparation isn't about perfection. It's about demonstrating that you have systems, you follow them, and you continuously improve them. That's what customers are buying."

Your Next Steps

If your audit is in the next 90 days:

This Week:

  1. Review this checklist against your current state

  2. Identify your top 10 gaps

  3. Assign owners to each gap

  4. Schedule daily standups for audit prep

This Month:

  1. Conduct mock audit (or hire someone to do it)

  2. Begin evidence collection and organization

  3. Start interview prep with key personnel

  4. Update any outdated documentation

This Quarter:

  1. Complete all remediation activities

  2. Validate all evidence is complete

  3. Conduct final readiness assessment

  4. Confidently begin your audit

Remember: the companies that pass SOC 2 audits cleanly aren't the ones with perfect security programs. They're the ones who prepare thoroughly, document honestly, and make their auditor's job easy.

You've got this. Start with Day 90 and work backward. By Day 0, you'll be ready.

© 2026 PENTESTERWORLD. ALL RIGHTS RESERVED.