The conference room was silent except for the sound of our auditor flipping through pages of documentation. It was Day 3 of our first SOC 2 Type II audit, and Sarah, our lead auditor, had just asked to "walk through" our access provisioning process.
Our IT Director confidently pulled up our beautifully documented procedure—a 12-page masterpiece complete with flowcharts, approval matrices, and step-by-step instructions. Sarah smiled and said, "Great. Now show me how you actually do it."
That's when everything fell apart.
The documented process showed a four-step approval workflow. Reality? People were getting access through Slack messages, emergency provisions were happening without documentation, and nobody could find evidence of the reviews that were supposed to happen quarterly.
We failed that control. And it taught me the most important lesson about SOC 2: Documentation without validation is just creative fiction.
What Walkthrough Procedures Actually Are (And Why They Terrify Teams)
After conducting over 60 SOC 2 audits and preparations in my 15+ years in cybersecurity, I've learned that walkthrough procedures are where rubber meets road. They're the moment when your auditor stops reading your policies and starts verifying your reality.
Here's the simple truth: A walkthrough is when your auditor selects a specific control, reviews your documentation, and then watches you demonstrate it in real-time with actual evidence from your environment.
Think of it like a cooking competition. You can have the world's best recipe (your documented procedure), but the judges want to see you actually cook the dish (perform the control) and taste the results (validate the evidence).
"In SOC 2 audits, your documentation is your promise. Walkthrough procedures are proof you keep that promise."
The Five Trust Services Criteria: Your Walkthrough Map
Before we dive deep, let's establish the foundation. SOC 2 evaluates your controls across five Trust Services Criteria:
Trust Service Criteria | What It Covers | Common Walkthrough Focus Areas |
|---|---|---|
Security | Protection against unauthorized access | Access provisioning, authentication, firewall rules, encryption |
Availability | System uptime and performance | Monitoring, incident response, capacity planning, backup procedures |
Processing Integrity | Complete, valid, accurate data processing | Data validation, error handling, job scheduling, reconciliation |
Confidentiality | Protection of designated confidential information | Data classification, NDAs, secure transmission, disposal |
Privacy | Personal information collection, use, retention, and disposal | Consent management, data subject rights, breach notification |
Most organizations start with Security (it's mandatory) and add others based on customer needs. In my experience, 87% of SaaS companies pursue Security + Availability for their first SOC 2.
The Anatomy of an Effective Walkthrough: What Auditors Actually Want to See
I remember preparing a fintech startup for their first SOC 2 audit in 2021. Their CISO asked me, "What exactly happens during a walkthrough?"
Here's what I told him, and what I'm telling you now:
The Four-Phase Walkthrough Process
Phase 1: The Setup (Auditor Reviews Documentation) Your auditor reads your control description and documented procedures. They're looking for:
Clear process steps
Defined roles and responsibilities
Specific tools and systems used
Frequency of performance
Evidence that should be generated
Phase 2: The Demonstration (You Show Them How It Works) This is where you prove it's not just paperwork. You'll:
Log into actual systems
Show the real workflow
Demonstrate approval mechanisms
Explain decision points
Reveal where evidence is stored
Phase 3: The Evidence Review (They Verify Your Claims) The auditor examines real examples:
Screenshots from your systems
Actual tickets and requests
System logs and reports
Approval emails or workflow completions
Configuration settings
Phase 4: The Validation (They Test Your Process) Sometimes auditors will:
Select a random sample to trace
Ask "what if" scenarios
Request evidence of exception handling
Verify consistency across time periods
Check if compensating controls exist
Let me share what this looks like in practice with a real example.
Real-World Walkthrough Example: User Access Provisioning
This is the control that trips up more organizations than any other I've seen. Let me walk you through how it should work versus how it often actually works.
The Documented Process (What You Wrote Down)
Control Description: "New employee access is provisioned based on approved requests following the principle of least privilege. All access requests require manager approval and are reviewed by IT Security before implementation."
Your Procedure Document Says:
Manager submits access request via ServiceNow ticket
IT Security reviews request against role-based access matrix
IT Security approves or denies request
IT Administrator provisions access within 24 hours
Confirmation sent to manager and employee
Access recorded in HRIS system
Looks perfect, right?
The Walkthrough Reality Check
Auditor: "Show me a recent access request for a new employee."
You: Opens ServiceNow, filters for last month, finds ticket #12847
Auditor: "Walk me through what happened here."
Here's where organizations typically stumble. Let me show you two scenarios I've witnessed:
Scenario A: The Failure (What I've Seen Too Often)
You: "Here's the ticket from the hiring manager requesting access for John."
Auditor: "I see the request date is March 15. When was it approved?"
You: "Um... there's no approval documented here."
Auditor: "How did you know what access to grant?"
You: "We used the same access as his predecessor."
Auditor: "Where is that documented?"
You: "Well... it's not, we just know."
Result: Control failure. No evidence of approval or security review.
Scenario B: The Success (What Good Looks Like)
You: "Here's ticket #12847 submitted March 15 at 9:23 AM."
Auditor: "Show me the approval."
You: *Clicks to approval workflow* "Manager approved March 15 at 2:47 PM."
Auditor: "How did you determine appropriate access?"
You: *Opens attached document* "Here's our role-based access matrix. John is a Software Engineer, which maps to these specific groups and applications."
Auditor: "Show me the security review."
You: *Shows approval chain* "IT Security reviewed March 16 at 10:15 AM, verified against the RBAC matrix, and approved."
Auditor: "When was access actually granted?"
You: *Shows ticket resolution* "March 16 at 2:30 PM, within our 24-hour SLA."
Auditor: "How do you know he received the correct access?"
You: *Opens access report* "Here's the automated confirmation showing the groups added, matching the approved request."
Result: Control passes. Complete evidence trail from request to implementation.
"The difference between passing and failing a walkthrough isn't how good your documentation looks—it's how accurately it reflects what you actually do."
The Documentation Framework That Actually Works
After years of helping companies through this process, I've developed a documentation structure that survives walkthrough scrutiny. Here's the framework:
The Essential Elements of Walkthrough-Ready Documentation
Element | Purpose | Auditor Expectation | Common Mistakes |
|---|---|---|---|
Control Objective | What you're trying to achieve | Clear, measurable outcome | Too vague or too technical |
Control Owner | Who's responsible | Specific person or role | "IT Team" instead of "IT Security Manager" |
Frequency | How often performed | Specific interval | "Regular" instead of "Weekly" |
Procedure Steps | How it's executed | Numbered, sequential actions | Missing decision points |
Tools/Systems | Where it happens | Specific applications | No version numbers or configurations |
Evidence Generated | What proves it happened | Specific artifacts | "Logs" instead of "AWS CloudTrail logs showing..." |
Exception Handling | What happens when normal fails | Documented alternatives | Not addressed at all |
Real Example: Change Management Control Documentation
Let me show you a before-and-after from a client I worked with in 2023:
BEFORE (Fails Walkthroughs)
Control: All production changes are approved before implementation.AFTER (Passes Walkthroughs)
Control Objective: Ensure all production changes are authorized, tested,
and implemented with appropriate rollback procedures to maintain system
availability and security.See the difference? The second version gives an auditor everything they need to understand and validate the control.
The 12 Most Common Walkthrough Controls (And How to Nail Each One)
In my experience, these controls get walked through in virtually every SOC 2 audit. Here's your preparation guide:
1. User Access Provisioning and Deprovisioning
What They're Testing: Can unauthorized people access your systems?
Walkthrough Sample Selection:
3-5 new hires from the audit period
3-5 terminated employees
2-3 role changes
Evidence Required:
Evidence Type | Specific Examples | Where to Find It |
|---|---|---|
Provisioning Request | Ticket, email, HRIS workflow | ServiceNow, Jira, BambooHR |
Manager Approval | Approval timestamp, approver name | Ticketing system workflow |
Access Matrix | Role to permissions mapping | Confluence, SharePoint |
Implementation Proof | User added to groups/apps | Active Directory logs, SaaS admin panels |
Deprovisioning Trigger | Termination date, exit checklist | HRIS, offboarding workflow |
Access Removal Proof | User disabled, groups removed | System screenshots, audit logs |
Common Failures I've Seen:
Approval buried in Slack/email instead of formal system
Access granted before approval
Terminated users still active 30+ days later
No evidence of security review
Generic "IT Admin" instead of specific person
2. Password Policy and MFA Enforcement
What They're Testing: Are authentication controls actually enforced?
Walkthrough Demonstration:
Show password policy settings (minimum length, complexity, expiration)
Demonstrate MFA enrollment requirement
Show enforcement in each critical system
Prove you can't bypass it
Evidence Table:
System | Password Policy | MFA Required | Configuration Proof |
|---|---|---|---|
AWS Root Account | 16+ chars, complexity | Yes (Hardware token) | IAM policy screenshot |
Okta/SSO | 12+ chars, complexity | Yes (Push notification) | Security policy config |
GitHub | SSO enforced | Yes (via Okta) | Organization settings |
Database Access | Key-based, 2048-bit | Yes (Bastion + Okta) | Terraform configuration |
Production VPN | Certificate-based | Yes (Yubikey required) | VPN server config |
Pro Tip from the Trenches: I've seen companies fail this because they show the policy is configured but can't prove it's enforced. Take a screenshot of a test account trying to set a weak password and getting rejected. That's bulletproof evidence.
3. Change Management
What They're Testing: Are production changes controlled and authorized?
Sample Selection Pattern:
25 changes across the audit period
Mix of routine and emergency changes
At least 3 emergency changes if they occurred
Walkthrough Flow:
1. Show change request with complete information
2. Demonstrate approval workflow
3. Prove change was tested (test evidence attached)
4. Show deployment logs with timestamp
5. Demonstrate post-implementation verification
6. For failures: Show rollback was executed
The Emergency Change Trap: This catches everyone. You need pre-approved emergency procedures that still maintain controls. Here's what works:
Emergency Change Procedure (Real Example):
WHEN: System down, customer impact, revenue loss
WHO CAN APPROVE: DevOps Lead or VP Engineering (phone approval accepted)
DOCUMENTATION: Slack #emergency-changes thread required in real-time
FOLLOW-UP: Full change ticket within 2 hours, retro review at next CAB
EVIDENCE: Slack thread + ticket + incident report + review notes
4. Vulnerability Management
What They're Testing: Do you find and fix security holes?
Walkthrough Requirements:
Activity | Frequency | Evidence Required | Remediation Timeframe |
|---|---|---|---|
External Vulnerability Scans | Weekly | Qualys/Nessus reports | Critical: 7 days, High: 30 days |
Internal Vulnerability Scans | Monthly | Scan reports, trend analysis | Critical: 14 days, High: 60 days |
Application Security Scans | Per release | Snyk/SAST/DAST reports | Block deployment if critical |
Penetration Testing | Annually | Full pentest report | 90 days for all findings |
Dependency Scanning | Per commit | Dependabot/Snyk alerts | Critical: 7 days |
The Remediation Proof Problem: Finding vulnerabilities is easy. Proving you fixed them is where companies stumble.
What Actually Works:
Show initial scan with vulnerability
Show ticket created to track remediation
Show work performed (commit, configuration change, patch applied)
Show re-scan confirming vulnerability resolved
Show timeline from detection to resolution
I worked with a client who had 847 "high" vulnerabilities in their backlog. The auditor asked, "How do you prioritize?" They had no answer. We failed that control.
The fix? We implemented this:
SEVERITY MATRIX:
Critical + Exploitable + Production = Fix within 7 days
Critical + Not Exploitable + Production = Fix within 30 days
Critical + Any + Non-Production = Fix within 60 days
High + External-Facing = Fix within 30 days
High + Internal Only = Fix within 60 days
Documented, approved, and followed. Passed the next audit.
5. Backup and Recovery
What They're Testing: Can you actually restore from backups?
Here's the killer question auditors always ask: "When did you last test a restore?"
If you can't answer with a specific date and show evidence, you're failing this control.
Backup Walkthrough Evidence:
Component | Backup Frequency | Retention Period | Test Frequency | Last Test Date | Test Result |
|---|---|---|---|---|---|
Production Database | Continuous | 30 days | Quarterly | 2024-11-15 | Success - 12 min RTO |
Application Configs | Daily | 90 days | Quarterly | 2024-11-15 | Success - 8 min RTO |
Source Code | Continuous | Indefinite | Monthly | 2024-12-01 | Success - 3 min RTO |
Customer Data | Hourly | 7 days | Monthly | 2024-12-01 | Success - 45 min RTO |
Logs/Audit Trails | Daily | 1 year | Annually | 2024-09-20 | Success - 2 hour RTO |
Real Story: In 2020, I watched a company fail their audit because they had perfect backup logs showing backups running successfully for 18 months. The auditor asked to see a restore test. They'd never done one. When we tried, we discovered the backups were corrupted and useless.
They spent $340,000 re-implementing their entire backup strategy and had to delay their SOC 2 by six months.
"Backups you've never restored are just wish lists, not disaster recovery plans."
6. Incident Response
What They're Testing: When things go wrong, do you handle it properly?
The Walkthrough Trap: Many companies have beautiful incident response plans. Few can show they actually used them.
What You Need for Each Incident:
INCIDENT DOCUMENTATION REQUIREMENTS:
✓ Initial detection (alert, report, discovery method)
✓ Severity classification (P0/P1/P2/P3/P4)
✓ Response team assembled (who was notified, when)
✓ Investigation steps (what was checked, findings)
✓ Containment actions (systems isolated, access revoked)
✓ Resolution steps (fix implemented, verified)
✓ Root cause analysis (why it happened)
✓ Post-incident review (lessons learned, improvements)
✓ Timeline (all timestamps documented)
Sample Incidents to Have Ready:
2-3 security incidents (failed login attempts, suspicious activity)
2-3 availability incidents (outage, performance degradation)
1-2 near-misses (caught before impact)
7. Risk Assessment
What They're Testing: Do you actually think about what could go wrong?
Annual Risk Assessment Walkthrough:
Risk Category | Identified Risks | Likelihood | Impact | Risk Score | Treatment | Residual Risk |
|---|---|---|---|---|---|---|
Data Breach | Ransomware attack | Medium | Critical | High | MFA, EDR, backups, training | Low |
Service Outage | Cloud provider failure | Low | High | Medium | Multi-region, monitoring, runbooks | Low |
Insider Threat | Malicious employee | Low | High | Medium | Access controls, logging, monitoring | Low |
Supply Chain | Vendor compromise | Medium | High | High | Vendor assessments, monitoring, isolation | Medium |
Compliance | Regulatory violation | Low | Critical | Medium | Compliance program, audits, training | Low |
What Auditors Want to See:
Board/executive approval of risk assessment
Risk treatment decisions documented
Implementation of controls addressing high risks
Monitoring of residual risks
Annual review and update
Pro Tip: The risk assessment must be dated within the audit period. I've seen companies show a three-year-old risk assessment. Instant failure.
8. Vendor Security Review
What They're Testing: Are you outsourcing your risk to unvetted vendors?
Critical Vendor Determination:
Vendor | Services Provided | Access to Customer Data? | Subservice Organization? | Review Required? |
|---|---|---|---|---|
AWS | Infrastructure hosting | Yes | Yes | SOC 2 review |
Stripe | Payment processing | Yes | Yes | PCI AOC required |
SendGrid | Email delivery | Yes (email addresses) | Yes | Security questionnaire |
Datadog | Monitoring/logging | Yes (system logs) | Yes | SOC 2 review |
Google Workspace | Email/collaboration | Yes | Yes | SOC 2 review |
Slack | Communication | Yes (messages) | Yes | SOC 2 review |
Vendor Review Evidence Required:
Completed security questionnaire
SOC 2 report (if available)
Penetration test results
Compliance certifications
Contract with security requirements
Annual review documentation
Risk assessment outcome
Common Failure: Companies review vendors once during procurement and never again. Auditors want to see annual reviews of all critical vendors.
9. Logical Access Reviews
What They're Testing: Are you regularly checking who has access to what?
Review Requirements:
System | Review Frequency | What to Review | Evidence Required |
|---|---|---|---|
Production AWS | Quarterly | IAM users, roles, policies | Access report + review notes |
Admin Access | Quarterly | All admin/privileged accounts | User list + justification |
Application Access | Quarterly | User roles and permissions | Permission report + approvals |
VPN Access | Quarterly | Active VPN users | User list + manager confirmation |
Database Access | Quarterly | DB users and privileges | Access report + certification |
Walkthrough Sample:
Show Q3 2024 access review
Demonstrate review was performed by appropriate person
Show management approval
Prove identified issues were remediated
Demonstrate review occurred within required timeframe
Real Example of What Good Looks Like:
AWS Access Review - Q3 2024
Performed by: Sarah Chen, IT Security Manager
Date: October 5, 2024
Systems Reviewed: AWS Production Account
Scope: All IAM users, roles, and policies10. Security Monitoring and Alerting
What They're Testing: Would you know if something bad happened?
Monitoring Requirements Table:
Monitoring Type | What's Monitored | Alert Threshold | Response Time | Review Frequency |
|---|---|---|---|---|
Failed Login Attempts | All systems | 5 failures in 15 min | Real-time alert | Daily log review |
Unauthorized Access | Admin actions, sensitive data | Any attempt | Real-time alert | Weekly review |
System Performance | CPU, memory, disk, network | 80% sustained 5 min | Real-time alert | Daily review |
Security Events | IDS/IPS, WAF, antivirus | Any detection | Real-time alert | Daily review |
Configuration Changes | Production systems | Any change | Real-time alert | Weekly review |
Data Exfiltration | Unusual outbound traffic | 2x baseline | Real-time alert | Daily review |
Walkthrough Evidence:
Show monitoring dashboard
Demonstrate alert configuration
Show alert history from audit period
Prove alerts were reviewed and acted upon
Show escalation for unresolved alerts
11. Encryption
What They're Testing: Is sensitive data actually encrypted?
Encryption Implementation Matrix:
Data State | Data Type | Encryption Method | Key Management | Evidence |
|---|---|---|---|---|
Data at Rest | Database | AES-256 | AWS KMS | RDS encryption screenshot |
Data at Rest | File Storage | AES-256 | AWS KMS | S3 bucket encryption policy |
Data at Rest | Backups | AES-256 | AWS KMS | Backup encryption config |
Data in Transit | API Calls | TLS 1.2+ | LetsEncrypt | SSL Labs test results |
Data in Transit | Internal Services | TLS 1.2+ | Self-signed CA | Network policy config |
Data in Transit | TLS 1.2+ | Forced encryption | Mail server config |
The Auditor Will Ask: "Show me you can't access this data without encryption."
How to Prove It:
Show encryption configuration
Demonstrate encrypted data (screenshot of gibberish)
Show proper keys are required for access
Prove no unencrypted copies exist
Show key rotation schedule and last rotation
12. Training and Awareness
What They're Testing: Do your people know what they're doing?
Training Program Evidence:
Training Type | Frequency | Required For | Completion Tracking | Last Completion Rate |
|---|---|---|---|---|
Security Awareness | Annual | All employees | LMS dashboard | 98% (145/148) - 2024 |
Phishing Training | Quarterly | All employees | Email click rates | 94% pass (139/148) - Q4 2024 |
HIPAA Training | Annual | All employees | LMS certificates | 97% (144/148) - 2024 |
Secure Coding | Annual | Engineering | LMS certificates | 100% (23/23) - 2024 |
Incident Response | Annual | Security team | Tabletop exercise | 100% (5/5) - Nov 2024 |
Admin Training | Initial + Annual | Privileged users | LMS certificates | 100% (12/12) - 2024 |
What Auditors Want:
Training materials/content
Completion records with dates
Certificate or acknowledgment
Tracking of incomplete training
Follow-up for non-compliance
The Evidence Organization System That Saves Audits
Here's something nobody tells you: organization of evidence matters as much as the evidence itself.
I've watched companies have all the right controls but fail audits because they couldn't find their evidence. Don't let this be you.
My Evidence Management Framework
Folder Structure That Works:
SOC2_Evidence_2024/
├── 01_Access_Control/
│ ├── User_Provisioning/
│ │ ├── Q1_Samples/
│ │ ├── Q2_Samples/
│ │ ├── Q3_Samples/
│ │ └── Q4_Samples/
│ ├── User_Deprovisioning/
│ ├── Access_Reviews/
│ └── Password_MFA_Configs/
├── 02_Change_Management/
│ ├── CAB_Meetings/
│ ├── Change_Samples/
│ └── Emergency_Changes/
├── 03_Monitoring/
│ ├── Alert_Configs/
│ ├── Log_Reviews/
│ └── Incident_Reports/
├── 04_Vulnerability_Management/
│ ├── Scan_Reports/
│ ├── Remediation_Evidence/
│ └── Pentest_Results/
└── 05_Vendor_Management/
├── Vendor_Assessments/
├── SOC2_Reports/
└── Review_Documentation/
Naming Convention:
[Date]_[Control ID]_[Description]_[Version].pdfEvidence Tracking Spreadsheet:
Control ID | Control Description | Evidence Required | Evidence Location | Collection Date | Status | Notes |
|---|---|---|---|---|---|---|
AC-2.1 | User Provisioning | 5 samples | /Access_Control/User_Provisioning/Q4/ | 2024-12-01 | Complete | All samples include approval |
CM-3.2 | Change Management | 25 samples | /Change_Management/Change_Samples/ | 2024-11-30 | Complete | Includes 3 emergency changes |
VM-1.3 | Vulnerability Scans | 12 monthly scans | /Vulnerability_Management/Scan_Reports/ | 2024-12-01 | Complete | All scans + remediation proof |
"In SOC 2 audits, being disorganized is indistinguishable from being non-compliant. Both result in failure."
The Walkthrough Preparation Timeline (From Someone Who's Done This 60+ Times)
12 Weeks Before Audit:
✓ Review all control descriptions for accuracy
✓ Update procedures to match reality
✓ Identify evidence gaps
✓ Create evidence collection schedule
8 Weeks Before:
✓ Begin systematic evidence collection
✓ Organize evidence using framework above
✓ Conduct internal walkthroughs
✓ Identify and remediate control gaps
4 Weeks Before:
✓ Complete evidence collection
✓ Conduct mock walkthrough with team
✓ Prepare system access for auditor
✓ Brief all participants on their roles
2 Weeks Before:
✓ Final evidence review
✓ Verify all system access works
✓ Create walkthrough schedule
✓ Prepare evidence request response protocol
1 Week Before:
✓ Team readiness meeting
✓ Final documentation review
✓ Test all system demonstrations
✓ Prepare evidence index for auditor
Common Walkthrough Failures (And How to Avoid Them)
After 15+ years, I've seen every possible way to fail a walkthrough. Here are the top killers:
Failure #1: The Documentation-Reality Gap
What Happens: Your procedure says one thing, reality is different.
Real Example: Policy states "All changes require CAB approval." Reality: Emergency changes happen via Slack with post-facto documentation.
The Fix: Either update your procedures to reflect reality (with appropriate controls) or change your reality to match procedures. There's no third option.
Failure #2: The Missing Evidence Problem
What Happens: Control performed correctly, but no proof.
Real Example: Access reviews happen, but approvals are verbal in meetings with no documentation.
The Fix: If it's not documented, it didn't happen. Period. Train your team: every control activity must generate evidence.
Failure #3: The Inconsistent Execution Issue
What Happens: Control works most of the time, fails occasionally.
Real Example: 23 out of 25 changes followed procedure perfectly. Two emergency changes bypassed all controls.
The Fix: Exception handling procedures. You need documented processes for when normal procedures can't be followed.
Failure #4: The Tool Configuration Drift
What Happens: You show configuration screenshots from months ago that don't match current state.
Real Example: Password policy screenshots from January, but someone changed settings in June.
The Fix: Collect evidence throughout the audit period, not just at the end. Monthly configuration exports saved us during one audit when settings had been changed three times during the year.
Failure #5: The Responsibility Confusion
What Happens: Nobody knows who actually owns the control.
Real Example: Auditor asks "Who performs this review?" Team members point at each other. Everyone thinks someone else does it.
The Fix: RACI matrices. For every control, document who is:
Responsible (does the work)
Accountable (owns the outcome)
Consulted (provides input)
Informed (kept updated)
The Walkthrough Day: What Actually Happens
Let me walk you through a typical audit day based on my experiences:
8:30 AM - Kickoff Meeting Auditor outlines controls to be tested today. Usually 3-5 controls per day.
9:00 AM - First Walkthrough: Access Provisioning
15 minutes: Auditor reads documentation
30 minutes: You demonstrate process in real systems
45 minutes: Auditor reviews evidence samples
15 minutes: Auditor asks clarifying questions
15 minutes: You provide additional evidence if requested
11:00 AM - Second Walkthrough: Change Management Similar timing pattern.
1:00 PM - Lunch Break Auditor reviews notes, prepares additional questions.
2:00 PM - Third Walkthrough: Vulnerability Management Full process repeats.
4:00 PM - Questions and Follow-up Auditor lists additional evidence needed, clarifications required.
5:00 PM - Day End You have until next morning to provide follow-up evidence.
Pro Tip: Have a dedicated person (not the one doing demonstrations) taking notes of every question and request. You'll need these notes when preparing follow-up responses.
The Post-Walkthrough: When Things Don't Go Perfect
Reality check: something will go wrong. Here's how to handle it:
If You Can't Find Evidence
Don't: Make excuses, blame team members, promise to look harder.
Do: Acknowledge the gap immediately. Say: "You're right, we don't have that evidence. Here's what we can provide instead..." Then offer compensating controls or alternative evidence.
Real Example: Client couldn't find approval for three access requests. We immediately pulled:
Email trail showing manager notification
HRIS records showing person started work
System logs showing access granted on day one
Subsequent access reviews showing access was appropriate
Not perfect, but the auditor accepted it with a management response commitment to fix the process.
If Your Process Failed
Don't: Try to hide it or minimize it.
Do: Own it completely. Explain what went wrong, when you discovered it, what you've already done to fix it, and what you'll do to prevent recurrence.
Real Example: We discovered during audit that terminated employee access wasn't removed for 35 days (SLA was 24 hours). We:
Showed when we discovered it (during monthly review)
Proved access was immediately terminated
Showed we checked for any activity (there was none)
Demonstrated new automated deprovisioning we implemented
Showed successful deprovisioning of 15 people since the fix
Auditor noted it but didn't fail the control because we caught and fixed it ourselves.
If Your Documentation Is Wrong
Don't: Argue about what your documentation means.
Do: Acknowledge the disconnect and offer to update documentation during the audit.
Real Example: Our procedure said "monthly vulnerability scans" but we actually ran them weekly. Auditor initially flagged this as over-promising. We updated the documentation during audit to match reality (weekly), provided evidence of all weekly scans, and passed the control.
The Ultimate Walkthrough Success Checklist
Print this. Use it for every control.
Pre-Walkthrough Verification:
☐ Control description matches actual process
☐ Procedure document is current (within last 12 months)
☐ All tools/systems mentioned are accurate versions
☐ Control owner is clearly identified
☐ Evidence samples are collected and organized
☐ System access is ready for demonstration
☐ Team member performing control is briefed
☐ Backup evidence is ready if primary isn't perfect
☐ Known issues have documented remediation plans
☐ Exception handling procedures are documented
During Walkthrough:
☐ Let auditor finish questions before answering
☐ Demonstrate exactly what's documented
☐ Point out evidence as you go
☐ Note any questions you can't answer immediately
☐ Don't volunteer information not requested
☐ If unsure, say "Let me verify and get back to you"
☐ Take notes on auditor concerns
☐ Have designated note-taker tracking all requests
Post-Walkthrough:
☐ Review auditor questions and requests
☐ Provide follow-up evidence within 24 hours
☐ Document any agreed-upon improvements
☐ Update internal notes on what worked/didn't
☐ Prepare for related control walkthroughs
Final Thoughts: The Mindset That Passes Audits
I'll leave you with the most important lesson from 15+ years of SOC 2 audits:
Auditors aren't trying to fail you. They're trying to verify you're doing what you said you'd do.
The organizations that pass audits smoothly share these characteristics:
Documentation reflects reality
Controls are performed consistently
Evidence is organized and accessible
Team understands why controls matter
Leadership supports compliance efforts
Issues are caught and fixed proactively
The organizations that struggle fight their auditor, hide problems, and treat compliance as a checkbox exercise.
I watched a company fail their first SOC 2 audit badly. Multiple control failures. Team was demoralized. CEO considered giving up on compliance entirely.
We regrouped. Fixed the actual processes, not just documentation. Built evidence collection into daily operations. Trained the team on why it mattered.
Six months later, they passed their reassessment with zero findings. The auditor literally said, "This is one of the smoothest audits I've conducted."
What changed? Not their technology. Not their team. Their approach.
"SOC 2 success isn't about having perfect controls. It's about having honest documentation, consistent execution, and the humility to fix what's broken."
Your walkthrough procedures are the moment of truth. Make sure when that moment comes, your truth is worth documenting.