The situation
A Series B commercial B2B SaaS company had reached the point in its growth where the deals it most wanted to close were the ones it could no longer close on product alone. Mid-market customers had signed without much security diligence. The enterprise accounts now in the pipeline brought procurement teams, vendor risk questionnaires, and a recurring line in the contract redlines: a current SOC 2 report, Type II preferred.
The company had a competent engineering organization and a cloud-native stack. What it did not have was a security program described in the terms an auditor and an enterprise buyer expect. Access was managed, but access reviews were not run on a schedule anyone could point to. Changes went through pull requests and CI, but the link between a code change and an approval record was implicit rather than documented. Logging existed; retention and review cadence did not. Vendor relationships were real but not inventoried against any risk criteria. None of this was negligence — it was the normal state of a company that had built quickly and had not yet been asked to prove its controls to a third party.
Two specific enterprise opportunities had stalled at security review. The buyers were not asking the company to be perfect; they were asking it to demonstrate that controls existed and operated. The engagement was scoped to get the company to a defensible SOC 2 position in a sequence that unblocked those deals as early as possible while building toward the Type II report the market actually wanted.
The approach
The engagement ran nine months. The structural decision that shaped everything else was to pursue a Type I first — a point-in-time report on the design of controls — and then run a Type II observation window on top of it. Type I gave the company an artifact to put in front of the stalled deals within the first quarter. The Type II then demonstrated those same controls operating over time, which is the report enterprise buyers ultimately want on file.
Months 1–2 — Scoping and control framework design. We scoped the Trust Services Criteria to Security, Availability, and Confidentiality. Security (the common criteria) is mandatory; Availability and Confidentiality were chosen because they map to what this company’s customers actually contract for — uptime commitments and the handling of customer data. We deliberately did not include Processing Integrity or Privacy. Adding categories that do not reflect real customer commitments inflates the audit surface and the evidence burden without improving the report’s value to a buyer. With scope set, we designed the control framework against the 2017 Trust Services Criteria, incorporating the 2022 points of focus, and mapped each criterion to a specific, owned control with a named system of record.
Months 2–3 — Remediation and Type I readiness. In parallel, we closed the design gaps that would prevent a clean Type I. Access reviews were put on a defined quarterly cadence with a documented reviewer and retained results. Change management was formalized so that approvals, testing, and deployment left a traceable record tied to each change. Logging retention and review were aligned to the control descriptions. A vendor inventory was built and scored against risk criteria. Policies were written to describe what the company actually did — not aspirational policies that the evidence would later contradict.
Month 3 — Type I examination. We selected and coordinated the CPA firm, prepared the company for the examination, and supported the walk-throughs. The Type I report was issued with no exceptions. The two stalled enterprise deals re-entered procurement on the strength of it.
Months 4–9 — Type II observation window. The observation window is where most first-time SOC 2 programs either succeed quietly or fail expensively. The report tests not whether a control was designed once, but whether it operated consistently across the entire window. We designed the evidence pipeline so that the controls produced their own evidence in the course of normal operations — access reviews ran and retained their results on schedule, change approvals accumulated as a byproduct of the existing engineering workflow, log reviews were performed and recorded, vendor reviews happened on cadence. The work during these months was less about building new controls and more about operating the program with the discipline the report would later test, and catching drift early — a missed access review or a change that bypassed the documented path — while there was still time to correct course before the examination.
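The drift checks described above can be run as code against the evidence the controls already produce. The following is an added example, not the engagement's own tooling or the firm's code: it assumes a quarterly access-review cadence of 91 days, an in-scope system list, and constructed evidence records (reviews and change records) embedded inline, and it reports each period or change that would show up as an exception if left until the examination.

```python
"""Continuous-control drift checks over constructed SOC 2 evidence records (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class AccessReview:
    system: str            # in-scope system whose access list was reviewed
    reviewer: str          # named reviewer (a control requirement, not optional)
    completed_on: date
    results_retained: bool # a review that ran but kept no results is not evidence


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    author: str
    approver: Optional[str]  # None = deployed with no recorded approval
    tests_passed: bool
    deployed_on: date


def review_periods(window_start, window_end, cadence_days):
    """Split the observation window into consecutive cadence periods [start, end)."""
    periods, start = [], window_start
    while start <= window_end:
        end = start + timedelta(days=cadence_days)
        periods.append((start, min(end, window_end + timedelta(days=1))))
        start = end
    return periods


def access_review_findings(reviews, systems, window_start, window_end, cadence_days=91):
    """Every in-scope system needs a completed, retained, reviewer-attributed review in every period."""
    findings = []
    for system in systems:
        for p_start, p_end in review_periods(window_start, window_end, cadence_days):
            evidence = [r for r in reviews
                        if r.system == system and p_start <= r.completed_on < p_end
                        and r.reviewer and r.results_retained]
            if not evidence:
                last_day = p_end - timedelta(days=1)
                findings.append(f"{system}: no completed, retained access review in period {p_start}..{last_day}")
    return findings


def change_management_findings(changes, window_start, window_end):
    """Each change deployed in the window must carry an independent approval and a passing test record."""
    findings = []
    for c in changes:
        if not (window_start <= c.deployed_on <= window_end):
            continue
        if c.approver is None:
            findings.append(f"{c.change_id}: deployed without a recorded approval")
        elif c.approver == c.author:
            findings.append(f"{c.change_id}: self-approved by {c.author}")
        if not c.tests_passed:
            findings.append(f"{c.change_id}: deployed without a passing test record")
    return findings


# Constructed sample evidence for a six-month window (assumed values, not from the engagement).
WINDOW_START, WINDOW_END = date(2024, 1, 1), date(2024, 6, 30)
IN_SCOPE_SYSTEMS = ("prod-aws", "github")
REVIEWS = [
    AccessReview("prod-aws", "alice", date(2024, 3, 15), True),
    AccessReview("prod-aws", "alice", date(2024, 6, 20), True),
    AccessReview("github", "bob", date(2024, 2, 28), True),
    AccessReview("github", "bob", date(2024, 5, 30), False),   # ran, but results were not retained
]
CHANGES = [
    ChangeRecord("c-101", "carol", "dave", True, date(2024, 2, 2)),
    ChangeRecord("c-102", "carol", None, True, date(2024, 3, 9)),    # hotfix bypassed the documented path
    ChangeRecord("c-103", "dave", "dave", True, date(2024, 4, 18)),  # author approved their own change
    ChangeRecord("c-104", "erin", "carol", False, date(2024, 5, 5)), # merged with failing/skipped tests
]


def run_checks():
    """Return the drift findings an auditor would otherwise surface as exceptions."""
    return {
        "access_reviews": access_review_findings(REVIEWS, IN_SCOPE_SYSTEMS, WINDOW_START, WINDOW_END),
        "change_management": change_management_findings(CHANGES, WINDOW_START, WINDOW_END),
    }


if __name__ == "__main__":
    for control, findings in run_checks().items():
        print(control, "->", findings or "no drift")
```

Run on a schedule (weekly is enough for a quarterly cadence), the point is that a missed or unretained review surfaces in the same period it happens, and a change that skipped approval is visible while it can still be documented and explained, rather than months later when the auditor samples it.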
Through month nine and beyond — Type II examination. The auditor sampled across the observation window. The Type II examination was completed with a small set of exceptions, each with a clear root cause and a documented management response — a credible outcome for a first Type II, and one enterprise buyers read as honest rather than alarming.
What made this engagement fit
The gap was documentation and operating discipline, not missing technology. This company had built functional, modern infrastructure. What it lacked was the control framework, the evidence discipline, and the auditor-facing documentation that turn functional infrastructure into an examinable program. That gap — implementation present, proof absent — is the center of how we work. The minority of the effort was new controls; the majority was framework design, evidence engineering, and running the program through the window.
Type I first bought commercial momentum without compromising the Type II. Sequencing the Type I early gave the company a real artifact for its stalled deals months before a Type II could exist. Because the Type I controls and the Type II controls were the same controls — designed once, operated continuously — the early report was a down payment on the later one, not throwaway work.
Scoping discipline kept the audit surface honest. Choosing three Trust Services Categories that matched real customer commitments, rather than all five for appearance, kept the evidence burden proportionate and the report meaningful. A SOC 2 that covers categories a company cannot actually support is a liability at the next audit, not an asset.
The outcome
The Type I report was issued at month three with no exceptions, and the two enterprise opportunities that had stalled at security review re-entered procurement once the company could produce it. Over the back half of the engagement, the Security, Availability, and Confidentiality controls operated through the observation window, and the Type II examination was completed with a small, well-explained set of exceptions and corresponding management responses — a result appropriate for a first Type II and one that buyers read as candid.
The more durable outcome is that the company now answers security questionnaires by attaching a report rather than negotiating each one line by line. The control framework, evidence pipeline, and policy library are living artifacts that feed the next annual Type II window rather than one-time audit deliverables. The access review, change management, and vendor risk programs run on the cadence the report describes, which means the next examination is a continuation rather than a fresh scramble.
This is a young firm and a recent engagement; the honest framing is that the company cleared its enterprise procurement gates and put a defensible, repeatable SOC 2 program in place — not that a single report transformed the business overnight.
Commercial structure
The engagement combined a firm fixed-price readiness and Type I support phase with a time-and-materials observation-window phase through the Type II, recognizing that the operating window’s effort depends on how cleanly the program runs in practice. CPA examination fees were contracted directly between the client and the audit firm; we coordinated but did not mark up the auditor’s work. Engagement pricing is scope-dependent and is defined during a scoping call; we do not publish price lists.
Related reading
- Service: SOC 2 readiness & audit support — Type I and Type II, end to end
- Framework: SOC 2 framework page — what the Trust Services Criteria require
- Self-assess: SOC 2 readiness quiz — an honest read on where your controls stand
- SOC 2 Type II evidence patterns — the evidence that survives the observation window
- When SOC 2 platforms hit their limits — where automation stops and architecture starts
- SOC 2 vs ISO 27001 — which first — sequencing the two when you need both
If your deals are stalling at enterprise security review, book a thirty-minute scoping call — we’ll give you an honest read on the runway to a clean Type I and a defensible Type II.