March 14, 2026 · 10 min read

What SOC 2 actually checks, and why we passed clean

An honest walkthrough of what a Type II audit examines, what auditors care about, and how Mnemos prepared.

Sora Kim
CISO

If you have only ever read a SOC 2 report from the outside, the document looks intimidating — hundreds of pages, formal language, and a list of trust services criteria that feels abstract. Inside the audit, the experience is more grounded. The auditor asks specific questions, examines specific evidence, and tests specific controls. The depth is real, but the scope is bounded.

Type II evaluates not just that you have controls, but that the controls operated effectively over a period of time, typically six to twelve months. The auditor samples evidence at random across that window. If your control says 'we conduct access reviews quarterly,' the auditor pulls the last four quarters and verifies that each review actually happened, was actually signed off, and resulted in actual changes when warranted.

We architected Mnemos so the evidence is a side effect of operation, not a separate exercise. Every access review is a row in a queryable table. Every code change is signed and traceable to a ticketed work item. Every customer access is audited at the retrieval layer. When the auditor asked for evidence, we ran a query and exported it. No scrambling, no spreadsheet archaeology.