Solutions · SOC 2
SOC 2, audit-ready by design
A SOC 2 report is your service organisation proving, to an independent auditor, that the controls behind the Trust Services Criteria are designed and operating. Acuna runs that programme in one place: the criteria mapped to controls with named owners, evidence collected on a cadence, and audit readiness held as a live state rather than a pre-examination scramble.
In short
SOC 2 is an attestation, defined by the AICPA, in which an independent auditor examines a service organisation’s controls against the Trust Services Criteria (security, and where relevant availability, processing integrity, confidentiality, and privacy). A Type I report assesses the design of controls at a point in time; a Type II report assesses their operating effectiveness over a period. Acuna is a multi-framework GRC platform that maps the criteria once, ties every control to an owner and to evidence collected on a cadence, and keeps you examination-ready.
Turn the examination into a state you hold, not a season you dread
For most service organisations SOC 2 is a sales gate: enterprise customers will not buy without the report. That makes the real cost not the audit fee but the disruption, the weeks your team spends assembling evidence the auditor could have seen all along. The organisations that handle SOC 2 well are the ones where the controls, their owners, and their evidence run continuously, so a Type II period is documented as it happens rather than reconstructed at the end.
One system for the whole SOC 2 programme
SOC 2 is organised around the Trust Services Criteria rather than a fixed control catalogue, so Acuna maps those criteria once across the four core panes, then the access-control depth the criteria demand is carried by the extension your programme needs.
What it unlocks, and what waiting costs
| What a running SOC 2 programme unlocks | What waiting costs |
|---|---|
| The report your enterprise deals are gated on, produced from a programme that runs continuously. | Evidence assembled under deadline, with gaps discovered mid-examination. |
| A Type II period documented as it happens, so evidence collection is not a quarter-end sprint. | The same security control described once for SOC 2 and again for ISO 27001. |
| Security controls that carry between SOC 2 and ISO 27001 instead of being maintained twice. | Access reviews that were meant to happen quarterly and are reconstructed at audit time. |
| Access reviews that exist as records, not as a promise you scramble to back up. |
We are early, so we will not quote a customer count. The mechanism is the argument: a Type II report attests to controls operating over a period. If the controls and their evidence run in one system across that period, the examination reads a record rather than triggering a reconstruction.
The hesitations worth naming
GRC ROI is genuinely hard to prove precisely. Use your own numbers below to build the internal case. These inputs are yours; the output is your estimate, not ours.
Pipeline at risk
Enterprise deal value
typical affected deal, annualised
CHF 200K
Deals blocked or slowed
per year, your estimate
3 deals
Security questionnaires
your team fills out, per month
5 / month
Questionnaire overhead
Hours per questionnaire
across all people involved (SIG/CAIQ often run 6–12 hrs)
6 hrs
All-in hourly cost
fully-loaded: salary + overhead of the person filling it
CHF 125
Acuna starts from
CHF 5'388 / year, all frameworks included
120×
your est. cost
These are your estimates, not ours. GRC ROI is notoriously hard to measure: most of the value is in deals not lost, incidents not escalated, and audits not rebuilt from scratch. Use this to structure the internal conversation, not as a number we stand behind.
Built by people who ran the programmes
Acuna is built and operated by an established Swiss GRC group led by practitioners with decades of combined experience in audit, security, and governance. The platform models how a mature control programme actually runs, which is exactly what a Type II examination rewards.
Trust Services Criteria map once and reuse across ISO 27001 and beyond.
Access reviews produce the CC6 records auditors ask for.
Priced per organisation, so every control owner and auditor is included.
Data hosted in Switzerland and the EU.