compliance · Intermediate
SOC 2 for identity: the controls that actually matter
By Deepak Gupta · Updated 2026-01-15 · 12 min
What auditors test in identity
SOC 2 isn't prescriptive — it tests controls you've defined against the Trust Services Criteria. For identity, the controls auditors expect to find are:
- Access provisioning tied to a documented process (HR ticket or workflow)
- Access reviews on a defined cadence (typically quarterly for sensitive systems)
- Deprovisioning that completes within a defined window (often 24 hours for terminations)
- MFA enforcement on all production systems and admin accounts
- Privileged access controls with logging
- Logical access logs retained for the audit period
Evidence the audit needs
- Provisioning tickets with approval trail
- Access review records with reviewer attestation
- Deprovisioning logs showing time-to-revoke for sample terminations
- MFA enforcement evidence (config screenshots, policy exports)
- Sample audit log entries for privileged actions
- Background check records for new hires (if your controls include them)
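One way to produce the third item above, the time-to-revoke evidence for sampled terminations, as an added example (not code from the article): it joins HR termination records against IdP audit-log deactivation events, computes hours from termination to revocation, and flags every termination that was revoked late or never revoked at all. Both input sets, the log line format, and the 24-hour window are constructed assumptions for the demo.

```python
"""Time-to-revoke evidence for a SOC 2 deprovisioning control.

Added example, not code from the original article. It assumes two inputs a
practitioner would export for an audit sample: HR termination records
(user id, termination timestamp) and IdP audit-log lines that include an
account deactivation event. Both sample sets below are constructed.
"""
from datetime import datetime, timedelta

# Constructed HR termination records (ISO 8601, UTC).
HR_TERMINATIONS = [
    {"user": "alice", "terminated_at": "2025-11-03T17:00:00Z"},
    {"user": "bob", "terminated_at": "2025-11-05T09:30:00Z"},
    {"user": "carol", "terminated_at": "2025-11-07T16:00:00Z"},
]

# Constructed IdP audit-log lines: "<timestamp> <event> user=<id> actor=<id>".
IDP_AUDIT_LOG = """\
2025-11-03T18:10:00Z user.deactivate user=alice actor=scim-hr-connector
2025-11-04T08:00:00Z user.login user=bob actor=bob
2025-11-07T11:45:00Z user.deactivate user=bob actor=admin-jsmith
2025-11-08T09:00:00Z user.login user=carol actor=carol
"""

REVOKE_WINDOW = timedelta(hours=24)  # the "often 24 hours" target from the article


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def deactivations(log_text: str) -> dict:
    """Return the earliest deactivation time per user from the audit log."""
    out = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "user.deactivate":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        ts = parse_ts(parts[0])
        user = fields["user"]
        if user not in out or ts < out[user]:
            out[user] = ts
    return out


def time_to_revoke(terminations, log_text, window=REVOKE_WINDOW):
    """Produce one evidence row per termination.

    Each row carries hours-to-revoke (None if the account was never
    deactivated) and whether revocation landed inside the window. A negative
    delta (deactivated before the HR termination time) is also treated as
    outside the window so it gets explained rather than silently passing.
    """
    deact = deactivations(log_text)
    rows = []
    for rec in terminations:
        user = rec["user"]
        t_term = parse_ts(rec["terminated_at"])
        t_deact = deact.get(user)
        if t_deact is None:
            rows.append({"user": user, "hours": None, "within_window": False})
            continue
        delta = t_deact - t_term
        rows.append({
            "user": user,
            "hours": round(delta.total_seconds() / 3600, 2),
            "within_window": timedelta(0) <= delta <= window,
        })
    return rows


def misses(rows):
    """Users whose revocation was late or never happened: the exceptions to explain."""
    return [r["user"] for r in rows if not r["within_window"]]


if __name__ == "__main__":
    report = time_to_revoke(HR_TERMINATIONS, IDP_AUDIT_LOG)
    for r in report:
        print(r)
    print("exceptions to explain:", misses(report))
```

Run against a real sample, the rows are what you hand the auditor; the `misses` list is what you need a written explanation for, and a user with `hours: None` is exactly the case a manual checklist tends to drop.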
Vendor capabilities that pay off at audit
- SCIM provisioning with an audit trail
- Access certification campaigns built into the IGA tool
- "Who has access to what" reports exportable on demand
- Audit log retention configurable to match the audit period
- MFA enforcement reports per app and per user
Common pitfalls
- "Manual deprovisioning checklist" as a control — auditors find the misses
- Access reviews done in a spreadsheet, not in the IGA tool
- MFA exceptions for executives that are never documented
- Audit logs that exist but can't be exported in a usable format
- Production access by engineers without ticket-tied approval
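The undocumented-MFA-exception pitfall above is easy to catch mechanically if the IdP can export a per-user MFA report and you keep an exception register with an approver and expiry. The following is an added example, not code from the article: it reconciles a constructed MFA export against a constructed exception list and separates users covered by a current exception from the findings. The CSV columns, the register fields, and the rule that admins are never exempt (which follows the article's "MFA enforcement on all production systems and admin accounts") are assumptions of the example.

```python
"""Reconcile an MFA enforcement export against a documented exception register.

Added example, not from the original article. Assumes a per-user MFA report
exported from the IdP (constructed below as CSV text) and an exception
register with reason, approver and expiry date (also constructed). The output
is the evidence an auditor wants: every user without MFA is either covered by
a current, approved exception or is a finding.
"""
import csv
from datetime import date
from io import StringIO

# Constructed MFA enforcement export: one row per user.
MFA_EXPORT = """\
user,is_admin,mfa_enrolled,last_login
alice,true,true,2025-12-01
bob,false,true,2025-12-02
ceo,false,false,2025-12-03
dave,true,false,2025-11-30
erin,false,false,2025-12-01
"""

# Constructed exception register. Expired or approver-less entries do not count.
EXCEPTIONS = [
    {"user": "ceo", "reason": "hardware token pending",
     "approver": "ciso", "expires": "2026-01-31"},
    {"user": "erin", "reason": "contractor kiosk",
     "approver": "ciso", "expires": "2025-10-31"},
]


def load_export(text):
    """Parse the CSV export into plain dicts with boolean flags."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "user": row["user"],
            "is_admin": row["is_admin"].strip().lower() == "true",
            "mfa_enrolled": row["mfa_enrolled"].strip().lower() == "true",
        })
    return rows


def valid_exceptions(exceptions, as_of):
    """Exceptions still in force on `as_of` and carrying an approver, keyed by user."""
    valid = {}
    for e in exceptions:
        if e.get("approver") and date.fromisoformat(e["expires"]) >= as_of:
            valid[e["user"]] = e
    return valid


def mfa_findings(export_text, exceptions, as_of):
    """Classify every user without MFA enrolled.

    Returns three lists: 'documented' (covered by a valid exception),
    'undocumented' (no exception, or an expired/unapproved one), and
    'admin_gap' (admins without MFA, reported regardless of any exception).
    """
    users = load_export(export_text)
    valid = valid_exceptions(exceptions, as_of)
    result = {"documented": [], "undocumented": [], "admin_gap": []}
    for u in users:
        if u["mfa_enrolled"]:
            continue
        if u["is_admin"]:
            result["admin_gap"].append(u["user"])
        if u["user"] in valid:
            result["documented"].append(u["user"])
        else:
            result["undocumented"].append(u["user"])
    return result


if __name__ == "__main__":
    findings = mfa_findings(MFA_EXPORT, EXCEPTIONS, date(2025, 12, 15))
    for key, users in findings.items():
        print(f"{key}: {users}")
```

Keep the register in version control or the IGA tool rather than in someone's inbox; the reconciliation output dated to the review cadence is the attestation record, and an empty `undocumented` and `admin_gap` list is the state you want to show for the whole Type 2 period.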
The pragmatic path
If you're pre-SOC 2 and want to build for it without overengineering:
- Pick an IdP and IGA combination (or all-in-one) that can produce the evidence above
- Wire HR-driven joiner/leaver flows from day one
- Run a quarterly access review even when you have 20 employees
- Document your controls in a single page; refine over time
The Type 1 audit tests design. The Type 2 audit tests that you actually operated those controls for 6-12 months. The latter is what tells you whether your controls hold up.