SOC 2 Type II and PAM: What Auditors Are Looking For in 2026
SOC 2 auditors are increasingly focused on privileged access controls as a trust service criterion. Learn exactly what evidence they want and how OmniPriv makes audit preparation effortless.
SOC 2 and Privileged Access
SOC 2 is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) for technology service organisations. A SOC 2 Type II report covers a defined period — typically 6 or 12 months — and assesses whether the organisation's controls operated effectively throughout that period.
The Trust Service Criteria (TSC) most relevant to privileged access management are found in the Security criterion (CC6) and, for organisations including the Availability, Confidentiality, or Privacy additional criteria, in those sections as well.
The Key Criteria
CC6.1 requires that logical access security measures have been implemented to protect against threats from sources outside the system boundaries. For PAM, this maps to controls preventing unauthorised external access to privileged accounts, including multi-factor authentication, bastion host architecture that prevents direct external connections to internal systems, and monitoring for unusual access patterns.
CC6.2 requires controls over the creation, removal, and modification of infrastructure accounts. Auditors will want to see evidence that privileged accounts are created following a documented process, that access is reviewed periodically, and that accounts are removed promptly when no longer needed. A PAM platform with centralised account inventory and documented lifecycle workflows provides this evidence directly.
CC6.3 requires that access to information assets is identified and managed during the access process. This covers the technical controls that enforce least privilege — RBAC, JIT access, approval workflows — and the operational process of reviewing whether existing access is still appropriate.
CC7.2 covers ongoing monitoring for anomalies and threats. Privileged session monitoring, behavioural analytics, and SIEM integration with alerting on anomalous privileged activity are all relevant here.
What Auditors Actually Ask For
In our experience across dozens of SOC 2 audit engagements, the privileged access evidence requests follow a consistent pattern.
Auditors will ask for a complete inventory of privileged accounts with documented ownership and access justification. They will select a sample and trace each to its authorisation — who approved this account, when, and why. Accounts without clear ownership or business justification that remain active are a finding.
They will ask for evidence of periodic access reviews. For a 12-month period, they typically want to see at least one documented review in which someone with authority verified who had privileged access and confirmed it was appropriate or initiated removal of unnecessary access.
They will ask for evidence that MFA is enforced for privileged access. Walkthrough testing typically involves an auditor requesting a demonstration of the authentication flow.
They will ask for a sample of privileged session activity. This does not necessarily mean the full contents of recordings; what they want is evidence that sessions are logged, that the logs are complete for the period, and that the logs are stored in a manner that prevents tampering.
They will ask about offboarding. When a privileged user leaves the organisation or changes role, is their access removed promptly? They will typically select a sample of departed employees and trace their account removal.
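The five evidence requests above can be rehearsed internally before the auditor arrives. The script below is an added example written for this article, not OmniPriv code or output: it runs the same sampling an auditor would over a constructed account inventory, access-review log, HR departure list and session log. The data shapes, the one-day offboarding SLA, and the use of a SHA-256 hash chain as the session-log tamper-evidence mechanism are all assumptions made for the example; the article itself does not prescribe a storage format.

```python
"""Internal pre-audit self-check of privileged-access evidence (SOC 2 CC6/CC7).

Added example, not OmniPriv code. Every dataset below is constructed for
illustration; the checks mirror the auditor requests described in the text:
account ownership/justification, a review inside the period, MFA enforcement,
session-log completeness and tamper evidence, and offboarding lag.
"""
from datetime import date
import hashlib
import json

# Constructed 12-month audit period and assumed offboarding policy
PERIOD_START = date(2025, 1, 1)
PERIOD_END = date(2025, 12, 31)
OFFBOARD_SLA_DAYS = 1  # assumption: privileged access removed within 1 day of departure

# Constructed privileged account inventory (owner, justification, approval trail, MFA)
ACCOUNTS = [
    {"id": "root-db01", "owner": "alice", "justification": "DBA on-call",
     "approved_on": "2024-11-02", "approved_by": "cto", "mfa": True},
    {"id": "svc-backup", "owner": "", "justification": "",
     "approved_on": None, "approved_by": None, "mfa": False},   # orphaned, no MFA
    {"id": "adm-k8s", "owner": "bob", "justification": "Platform admin",
     "approved_on": "2025-03-10", "approved_by": "head-infra", "mfa": True},
]

# Constructed access review record and HR/PAM offboarding events
ACCESS_REVIEWS = [{"date": "2025-06-15", "reviewer": "ciso", "scope": "all privileged accounts"}]
DEPARTURES = {"bob": "2025-09-30"}          # HR leaver date, keyed by person
DISABLE_EVENTS = {"adm-k8s": "2025-10-06"}  # PAM disable event, keyed by account

# Constructed privileged session events to be chained into a tamper-evident log
SESSIONS = [
    {"user": "alice", "target": "db01", "start": "2025-02-03T09:12:00Z"},
    {"user": "bob", "target": "k8s-ctl", "start": "2025-04-18T14:40:00Z"},
    {"user": "alice", "target": "db01", "start": "2025-07-21T22:05:00Z"},
]


def orphaned_accounts(accounts):
    """Accounts an auditor would flag: missing owner, justification or approver."""
    return sorted(a["id"] for a in accounts
                  if not (a["owner"] and a["justification"] and a["approved_by"]))


def accounts_without_mfa(accounts):
    return sorted(a["id"] for a in accounts if not a["mfa"])


def review_in_period(reviews, start, end):
    """True if at least one documented access review falls inside the audit period."""
    return any(start <= date.fromisoformat(r["date"]) <= end for r in reviews)


def build_session_log(entries):
    """Chain records: each carries its sequence number and the previous record's hash."""
    log, prev = [], "0" * 64
    for seq, entry in enumerate(entries, 1):
        rec = {"seq": seq, "prev": prev, **entry}
        rec["hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        log.append(rec)
        prev = rec["hash"]
    return log


def verify_log_chain(log):
    """Return (ok, first_bad_seq). Detects edits, deletions and reordering inside
    the chain. Truncation at the tail is not visible here; that needs the final
    hash anchored externally (e.g. exported to the SIEM) and reconciled."""
    prev = "0" * 64
    for expected_seq, rec in enumerate(log, 1):
        body = {k: v for k, v in rec.items() if k != "hash"}
        recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if rec["seq"] != expected_seq or rec["prev"] != prev or recomputed != rec["hash"]:
            return False, rec["seq"]
        prev = rec["hash"]
    return True, None


def tampered_copy(log, seq, field, value):
    """Deep copy of the log with one record's field altered (used to show detection)."""
    copy = json.loads(json.dumps(log))
    copy[seq - 1][field] = value
    return copy


def offboarding_lag(accounts, departures, disable_events, sla_days):
    """Days between a leaver's departure and the disable event of each account they
    own; None if never disabled. Only accounts outside the SLA are returned."""
    findings = {}
    for a in accounts:
        left = departures.get(a["owner"])
        if not left:
            continue
        disabled = disable_events.get(a["id"])
        lag = (date.fromisoformat(disabled) - date.fromisoformat(left)).days if disabled else None
        if lag is None or lag > sla_days:
            findings[a["id"]] = lag
    return findings


def run_checks():
    """Summary in the shape of a PBC checklist: one entry per auditor request."""
    log = build_session_log(SESSIONS)
    return {
        "orphaned_accounts": orphaned_accounts(ACCOUNTS),
        "accounts_without_mfa": accounts_without_mfa(ACCOUNTS),
        "access_review_in_period": review_in_period(ACCESS_REVIEWS, PERIOD_START, PERIOD_END),
        "session_log_intact": verify_log_chain(log)[0],
        "offboarding_sla_breaches": offboarding_lag(ACCOUNTS, DEPARTURES, DISABLE_EVENTS, OFFBOARD_SLA_DAYS),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

Run against the constructed data, the report flags svc-backup twice (no owner or approver, no MFA) and adm-k8s once (disabled six days after its owner left, against a one-day SLA), while the access review and the session-log chain pass. Editing any field of a chained record, or removing a record from the middle, makes verify_log_chain report the first affected sequence number, which is the kind of tamper evidence the auditor's session-log request is asking about.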
How OmniPriv Simplifies SOC 2 Evidence
OmniPriv's compliance module is built specifically to address SOC 2 evidence requirements. The pre-built SOC 2 report template generates a Prepared By Client (PBC) document covering all of the above areas — account inventory with ownership, access review history, MFA enforcement status, session log completeness, and offboarding event records — from the platform's audit data.
For most customers, generating the SOC 2 privileged access evidence package takes less than an hour. The same data that drives day-to-day operational visibility — session logs, access records, approval workflows — is the evidence that satisfies the auditor. There is no separate evidence collection exercise.
Customers have reported that their SOC 2 audit preparation time for the access management sections has dropped from several weeks to under a day after deploying OmniPriv.
See OmniPriv in Action
Talk to our team to see how OmniPriv addresses the challenges in this article for your specific environment.