
SOC 2 People Controls: The HR Work That Keeps the Auditor Happy

What SOC 2 actually asks of HR — access provisioning, background checks, training, terminations, separation of duties — and the evidence the auditor wants to…

13 min read Updated 2026-05-24
60-Second Summary
  • SOC 2 is a security audit, but ~30% of its controls live in HR systems.
  • The control isn't the policy — it's the evidence the policy was followed every time.
  • Provisioning, access reviews, background checks, security training, and offboarding are the big five HR-owned controls.
  • Automate the evidence trail — manual screenshots are how companies fail SOC 2.
  • Most SOC 2 findings are HR process gaps, not technology gaps.

SOC 2 is an attestation report on a company's security and operational controls, issued by an independent CPA firm against the AICPA Trust Services Criteria. Buyers ask for it; vendors deliver it. What HR teams sometimes miss is that nearly a third of SOC 2 controls live in their territory, and most audit findings are not technology failures but HR process failures.

What SOC 2 really is

SOC 2 evaluates a company's controls against the Trust Services Criteria, which are grouped into five categories: security, availability, processing integrity, confidentiality, and privacy. Only security (the 'common criteria') is mandatory; the other four are added to scope as the business requires. A Type I report asks 'is the control designed well at a point in time?' A Type II report asks 'did you operate it consistently over an observation window?', typically 3 to 12 months. Type II is what most buyers want, and it's where HR's evidence discipline becomes decisive.

The HR-owned controls

The five HR-owned SOC 2 control families
  1. Joiner — access provisioning
     Access granted based on role, approved by manager, provisioned within SLA, evidence of approval and timing retained.
  2. Mover — access changes on role change
     When someone moves teams or gets promoted, access is re-reviewed. The old access doesn't quietly persist.
  3. Leaver — termination access removal
     All access removed within a defined SLA (typically same-day for critical systems). Logged and reviewable.
  4. Background checks
     Documented background check before access to production data. Scope appropriate to role and jurisdiction.
  5. Security training
     Mandatory onboarding security training + annual refresher. Completion tracked per person.

What evidence the auditor wants

Control vs. evidence — the disconnect that kills SOC 2 audits
Control claim                       Evidence the auditor wants
Access is granted on approval       Ticket per access grant, with approver, timestamp, and granted scope
Access is removed on termination    Termination ticket linked to deprovisioning log; same-day timestamps
Background checks happen            Sample of recent hires with completed check on file before start date
Security training is annual         Completion log for every employee, refreshed annually
Quarterly access reviews            Quarterly export of access lists with manager sign-off

Common SOC 2 HR failures

  • Access reviews done in spreadsheets, signed off via email — auditor can't reconstruct timeline.
  • Termination tickets created, but access lingers in less-monitored systems (analytics, marketing tools).
  • Background checks happen but evidence isn't centrally stored — auditor can't sample.
  • Security training run, but completion not enforced — exceptions multiply quietly.
  • Contractor onboarding skips checks 'because they're not full-time'. SOC 2 doesn't distinguish: anyone with access is in scope.
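The evidence table and the failure list above both come down to one mechanical check: join the HR system of record against what each application actually has provisioned, and let the system generate the finding and its timestamp instead of a person taking a screenshot. The script below is an added example, not code from the original page or from any HRIS or SaaS vendor. The roster, the access exports, the field names (`status`, `terminated_at`, `start_date`, `background_check_cleared`) and the per-system removal SLAs are all constructed assumptions; a real run would pull the roster from the HRIS API and the account lists from each application's admin export.

```python
"""Reconcile an HRIS roster against per-system access exports.

Added example (not the page's own code). All records, field names and SLA
values below are constructed for illustration and are not a real export format.
"""
import json
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone

# Assumed SLA for removing access after termination, in hours per system.
# "Same-day" for critical systems is modelled here as 24 hours.
REMOVAL_SLA_HOURS = {"prod-aws": 24, "github": 24, "analytics": 72, "marketing-crm": 72}
DEFAULT_SLA_HOURS = 72

# Constructed point in time at which the reconciliation is run.
AS_OF = datetime(2026, 5, 20, 9, 0, tzinfo=timezone.utc)

# Constructed HRIS roster (not real people or data).
HR_ROSTER = [
    {"email": "ana@example.com", "status": "active", "start_date": "2026-03-02",
     "background_check_cleared": "2026-02-25", "terminated_at": None},
    {"email": "ben@example.com", "status": "active", "start_date": "2026-04-13",
     "background_check_cleared": None, "terminated_at": None},
    {"email": "cara@example.com", "status": "terminated", "start_date": "2024-01-08",
     "background_check_cleared": "2023-12-20",
     "terminated_at": "2026-05-18T17:00:00+00:00"},
]

# Constructed per-system access exports: system name -> account emails still present.
ACCESS_EXPORTS = {
    "prod-aws": ["ana@example.com", "ben@example.com"],
    "github": ["ana@example.com", "ben@example.com", "cara@example.com"],
    "analytics": ["ana@example.com", "cara@example.com", "contractor1@example.com"],
    "marketing-crm": ["cara@example.com"],
}


@dataclass
class Findings:
    lingering_access: list = field(default_factory=list)     # leaver still has an account
    orphan_accounts: list = field(default_factory=list)      # account with no HR record
    access_before_check: list = field(default_factory=list)  # active user, no cleared check


def reconcile(roster, exports, now):
    """Return Findings for every account that contradicts the HR record."""
    by_email = {p["email"]: p for p in roster}
    findings = Findings()
    for system, accounts in exports.items():
        sla = timedelta(hours=REMOVAL_SLA_HOURS.get(system, DEFAULT_SLA_HOURS))
        for email in accounts:
            person = by_email.get(email)
            if person is None:
                # Contractors and service accounts with no HR record are exactly the
                # population auditors sample; they must be tracked somewhere.
                findings.orphan_accounts.append({"system": system, "email": email})
                continue
            if person["status"] == "terminated":
                elapsed = now - datetime.fromisoformat(person["terminated_at"])
                findings.lingering_access.append({
                    "system": system, "email": email,
                    "hours_since_termination": round(elapsed.total_seconds() / 3600, 1),
                    "sla_breached": elapsed > sla,
                })
                continue
            cleared = person["background_check_cleared"]
            # Flag per system so the evidence shows which grant preceded the check.
            if cleared is None or date.fromisoformat(cleared) > date.fromisoformat(person["start_date"]):
                findings.access_before_check.append({"system": system, "email": email})
    return findings


def evidence_record(findings, now):
    """Machine-generated summary suitable for retention as audit evidence."""
    return {
        "generated_at": now.isoformat(),
        "lingering_access": len(findings.lingering_access),
        "sla_breaches": sum(1 for x in findings.lingering_access if x["sla_breached"]),
        "orphan_accounts": len(findings.orphan_accounts),
        "access_before_check": len(findings.access_before_check),
    }


if __name__ == "__main__":
    result = reconcile(HR_ROSTER, ACCESS_EXPORTS, AS_OF)
    print(json.dumps({"summary": evidence_record(result, AS_OF),
                      "findings": result.__dict__}, indent=2, default=str))
```

Run on a schedule, the JSON this emits (with its own generation timestamp) is the artefact the auditor can sample; the raw exports it consumed should be retained alongside it so the timeline can be reconstructed without anyone's inbox.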

The principle every HR-and-IT lead should internalise

SOC 2 is not about whether you do the right thing. It is about whether you can prove you did the right thing every time. Build the evidence trail in the system, not in screenshots.

Written by Pawan Joshi. Sources cited inline. Last updated 2026-05-24.