SOC 2 Evidence List: What Auditors Actually Ask For
A practical SOC 2 evidence list for startups preparing for audit readiness, with auditor expectations, examples, organization tips, mistakes, and automation guidance.
Based on common SOC 2 evidence requests, startup readiness workflows, auditor fieldwork patterns, and compliance automation implementation research.
SOC 2 Evidence List: What Auditors Actually Ask For
A SOC 2 evidence list is the set of documents, exports, tickets, logs, screenshots, approvals, and system records an auditor uses to verify that your controls are designed correctly and operating as described. For startups, the core evidence usually covers access control, cloud security, change management, employee onboarding and offboarding, vendor management, policies, monitoring, incidents, backups, and risk assessment.
The audit does not fail because a founder cannot explain MFA. It stalls because the company cannot prove who reviewed admin access, when a terminated employee was removed, whether a production change was approved before deployment, or which vendors touch customer data.
Use this guide before fieldwork. Then run the free SOC 2 readiness checklist to turn the list into a downloadable audit-prep plan.
SOC 2 evidence list at a glance
For most SaaS startups, auditors will ask for evidence in these areas:
| Evidence category | Examples auditors may request | What the auditor is checking |
|---|---|---|
| Scope and system description | System description, architecture diagram, data flow, in-scope systems, Trust Services Criteria | The report covers the right product, systems, data, and control boundaries |
| Access control | MFA settings, user exports, admin lists, access review records, offboarding tickets | Only authorized users have access, and access is reviewed and removed on time |
| Cloud and infrastructure | IAM settings, logging, encryption, backups, vulnerability scans, firewall rules | Production infrastructure is configured, monitored, and recoverable |
| Change management | Pull requests, code reviews, CI/CD logs, approval tickets, release records | Production changes are reviewed, tested, approved, and traceable |
| Employee lifecycle | Employee roster, training records, policy acknowledgments, background checks, device controls | Employees and contractors are trained, acknowledged, and secured |
| Vendor management | Vendor inventory, risk reviews, subprocessors, vendor SOC 2 reports, renewal reviews | Third parties that touch customer data are identified and evaluated |
| Policies and governance | Security policy, access policy, incident policy, risk assessment, board or leadership approvals | Written controls match how the company actually operates |
| Monitoring and incidents | Alert records, incident tickets, tabletop exercises, postmortems, on-call process | The company can detect, escalate, and respond to security events |
| Business continuity | Backup tests, disaster recovery plan, business continuity test, RTO/RPO assumptions | The company can recover from operational disruption |
For Type I, the auditor is primarily checking whether controls exist at a point in time. For Type II, the auditor tests whether those controls operated during the observation period. That distinction changes the amount of evidence you need.
What counts as SOC 2 evidence?
Good SOC 2 evidence is specific, timestamped, attributable, and tied to a control. A screenshot with no date, no system context, and no owner is weak. A system export, ticket, pull request, or audit log with a timestamp and approver is stronger.
Strong evidence usually has:
- A clear control owner
- A date or time period
- A system source
- A named reviewer or approver
- A link to the relevant asset, ticket, or record
- Enough context for an auditor to understand what happened
Auditors increasingly prefer live or API-driven evidence from systems such as Okta, Google Workspace, AWS, GitHub, Jira, Linear, Workday, Rippling, Vanta, Drata, or Secureframe. Static screenshots still have a place, especially for Type I or point-in-time settings, but they are weaker for Type II operating evidence.
Auditor expectations: the "show me" standard
Competent auditors do not want a folder full of polished PDFs. They want to see whether your company does what it says it does.
Expect questions like:
- Show me the list of users with production access.
- Show me who reviewed that access and when.
- Show me the ticket where this access was approved.
- Show me evidence that a terminated employee was removed within policy.
- Show me the pull request linked to this deployment.
- Show me the vendor review for the subprocessor that stores customer data.
- Show me the incident response test or tabletop exercise.
- Show me that the policy was approved and acknowledged.
This is where generic policy templates create problems. If your access control policy says reviews happen quarterly, auditors will expect quarterly access review records. If your change management policy says every production change requires approval, auditors will sample production changes and look for approval before deployment.
SOC 2 evidence by control area
1. Scope and system description evidence
The system description is the foundation of the report. If the scope is sloppy, the rest of the audit becomes harder.
| Evidence item | Practical example | Startup advice |
|---|---|---|
| System description | Narrative explaining product, customers, infrastructure, data, people, and controls | Write it in plain English. Do not make the auditor reverse-engineer your architecture. |
| Architecture diagram | Product, cloud services, databases, identity provider, logging, third-party services | Keep one current diagram. A stale diagram causes avoidable follow-up. |
| Data flow diagram | How customer data enters, moves, is stored, and leaves the system | Mark where customer data and sensitive data live. |
| In-scope system list | AWS, GCP, Azure, GitHub, Okta, Google Workspace, Slack, Jira, production databases | Exclude tools that do not affect the service or customer data when reasonable. |
| Trust Services Criteria selection | Security only, or Security plus Availability, Confidentiality, Privacy, Processing Integrity | Most first-time startups start with Security. Add criteria only when buyers require them. |
| Control matrix | Control ID, description, owner, frequency, evidence source | This becomes the audit operating plan. |
Over-scoping is expensive. If a tool is not part of the service, does not store customer data, and is not needed to operate controls, ask whether it belongs in scope.
2. Access control evidence
Access control is often the highest-friction part of SOC 2 readiness. It touches identity, production access, SaaS tools, contractors, service accounts, and offboarding.
| Evidence item | Practical example | Auditor expectation |
|---|---|---|
| MFA enforcement | Okta, Google Workspace, Azure AD, or GitHub MFA configuration export | MFA is required for in-scope systems, especially privileged access |
| User access listing | Export of active users from identity provider and critical SaaS tools | The auditor can reconcile users to employees and contractors |
| Admin access list | List of privileged users in AWS, GitHub, production database, identity provider | Admin access is limited and justified |
| Access approval | Ticket showing manager or system owner approval for new access | Access is granted intentionally, not informally in Slack |
| Periodic access review | Quarterly or monthly review record with reviewer, date, exceptions, and remediation | Someone reviewed access and removed what was not needed |
| Offboarding evidence | HR termination record plus access removal timestamps across in-scope systems | Access was removed within the timeframe in your policy |
| Service account inventory | Owner, purpose, permissions, rotation expectations | Non-human accounts are controlled and not forgotten |
The most common startup failure is offboarding. Auditors may select a former employee and ask for proof that access was removed from every relevant system within the policy window, often 24 to 48 hours. If you cannot show timestamps, the control may fail even if access was eventually removed.
3. Cloud and infrastructure evidence
For a SaaS startup, infrastructure evidence usually comes from AWS, GCP, Azure, Kubernetes, Terraform, logging tools, vulnerability scanners, and backup systems.
| Evidence item | Practical example | Auditor expectation |
|---|---|---|
| Cloud account inventory | AWS account list, GCP projects, Azure subscriptions | Production boundaries are known |
| IAM review | Privileged roles, root account protection, least-privilege review | Administrative access is restricted |
| Logging evidence | CloudTrail, Cloud Logging, SIEM, Datadog, Sumo Logic, or similar configuration | Security-relevant events are logged |
| Encryption evidence | Database encryption, storage encryption, TLS settings, key management | Customer data is protected in transit and at rest |
| Backup configuration | Backup schedules, retention settings, backup coverage | Production data is backed up |
| Backup restore test | Ticket or report showing a restore test and result | Backups are not just configured; they are usable |
| Vulnerability scanning | Scanner results, remediation tickets, patch timelines | Vulnerabilities are identified and addressed |
| Network controls | Security groups, firewall rules, private networking, WAF settings | Exposure is controlled and reviewed |
Do not rely only on a green dashboard. A compliance platform can confirm that a setting exists, but the auditor may still ask why the setting is appropriate for your environment.
4. Change management evidence
Change management evidence proves that production changes are reviewed, tested, approved, and traceable.
| Evidence item | Practical example | Auditor expectation |
|---|---|---|
| Pull request sample | GitHub or GitLab PR with reviewer, approval, linked ticket, and merge timestamp | Code was reviewed before merge |
| Branch protection | Repository settings requiring review before merge | The process is enforced, not optional |
| CI/CD logs | Passing build, tests, deployment pipeline record | Changes pass defined checks before deployment |
| Change ticket | Jira, Linear, Asana, or GitHub issue linked to the change | There is business or engineering context |
| Release record | Deployment log, release note, or change calendar | Production changes are traceable |
| Emergency change | Incident or hotfix record with after-the-fact review | Exceptions are documented and reviewed |
The policy must match the workflow. If your startup deploys continuously from GitHub after one review, write that. Do not copy a heavyweight change advisory board policy unless you actually operate one.
5. Employee lifecycle and device evidence
SOC 2 auditors test people controls because employees and contractors create risk.
| Evidence item | Practical example | Auditor expectation |
|---|---|---|
| Employee roster | HRIS export from Rippling, Gusto, BambooHR, Workday, or spreadsheet | The population is complete |
| Contractor roster | Contractor list with sponsor, access, start date, end date | Contractors are not invisible |
| Security training | Training completion report with dates | Users receive security awareness training |
| Policy acknowledgment | Employee acknowledgment report or signed handbook | Employees accepted relevant policies |
| Background check | Vendor report or HR record where required by policy | Screening is performed when promised |
| Device inventory | MDM export from Kandji, Jamf, Intune, Fleet, or similar | Company devices are known and managed |
| Disk encryption | MDM or endpoint agent evidence | Devices storing company data are encrypted |
| Screen lock | MDM policy or endpoint compliance report | Device security settings are enforced |
Be careful with early employees. If your policy requires background checks for all employees but the first five hires never completed them, either remediate before the audit or revise the policy to match a defensible process.
6. Vendor management evidence
Vendor evidence maps closely to SOC 2 vendor risk expectations. For startups, the right level is usually a simple risk-based process, not an enterprise procurement bureaucracy.
| Evidence item | Practical example | Auditor expectation |
|---|---|---|
| Vendor inventory | List of vendors, owner, purpose, data touched, risk tier | The company knows who supports the service |
| Critical vendor list | AWS, GCP, Stripe, Snowflake, OpenAI, HubSpot, support tooling, logging providers | High-impact vendors are identified |
| Vendor risk review | Review form, questionnaire, or ticket for critical vendors | Vendors are assessed before or during use |
| Vendor SOC 2 report | SOC 2 report or security documentation from important subprocessors | The startup reviewed third-party assurance |
| Subprocessor list | Public or internal list of vendors processing customer data | Customer-facing data sharing is clear |
| Annual review | Evidence that critical vendors are reviewed periodically | Vendor risk is maintained, not one-time |
If a vendor stores, processes, transmits, or can access customer data, it belongs in the conversation. The fastest practical approach is to tier vendors by risk and document a lightweight review for the critical tier first.
7. Monitoring and incident response evidence
Auditors want to see that security events would be noticed and handled.
| Evidence item | Practical example | Auditor expectation |
|---|---|---|
| Incident response policy | Approved policy with roles, severity levels, and escalation paths | The company has a defined response process |
| Alert configuration | Datadog, PagerDuty, Sentry, CloudWatch, SIEM, EDR, or similar alert rules | Relevant events are monitored |
| Alert review sample | Ticket, alert history, or reviewed event record | Alerts are reviewed, not ignored |
| Incident ticket | Record of investigation, containment, resolution, and communication | Incidents are tracked through closure |
| Postmortem | Root cause, impact, corrective actions, owner, dates | Lessons are captured |
| Tabletop exercise | Scenario, attendees, decisions, gaps, action items | The process was tested even if no incident occurred |
If there were no incidents, auditors may still ask how you know there were none. Monitoring evidence answers that question.
8. Policy and governance evidence
Policies are evidence only if they are approved, communicated, and consistent with reality.
Common policy evidence includes:
- Information security policy
- Access control policy
- Change management policy
- Incident response policy
- Vendor management policy
- Risk assessment policy
- Business continuity and disaster recovery policy
- Data classification policy
- Acceptable use policy
- Secure development policy
- Policy approval record
- Employee acknowledgment record
Do not adopt policies that describe a company you hope to become. Auditors test the company you actually operate.
Type I vs Type II evidence requirements
| Evidence question | SOC 2 Type I | SOC 2 Type II |
|---|---|---|
| What is tested? | Control design and implementation at a point in time | Control design plus operating effectiveness over a period |
| Evidence volume | Lower | Higher |
| Sample testing | Limited | Common and expected |
| Timestamps | Useful | Critical |
| Access reviews | Need current evidence | Need evidence for each required review period |
| Offboarding | Point-in-time process and selected evidence | Termination samples across the observation window |
| Change management | Configuration and sample changes | Multiple sampled changes across the period |
| Vendor reviews | Current vendor process | Evidence that reviews happened during the period |
If a customer is flexible, Type I may help unblock a deal while you build Type II history. If the buyer explicitly asks for Type II, do not assume a Type I report will satisfy procurement. Read SOC 2 Type I vs Type II before choosing the audit path.
Manual evidence vs automated evidence
Automation helps, but it does not eliminate evidence work. A realistic startup should expect a mix.
| Evidence type | Best for | Weakness |
|---|---|---|
| API-driven evidence | MFA status, cloud settings, repository settings, device posture, user lists | May miss context, exceptions, and non-standard systems |
| System exports | Access lists, HR rosters, training reports, vulnerability results | Must be dated and tied to the audit period |
| Tickets and pull requests | Approvals, changes, incidents, reviews, remediation | Requires consistent team behavior |
| Screenshots | Point-in-time settings, small tools without exports | Weak if undated or lacking system context |
| Narratives and memos | Explaining scope, exceptions, compensating controls | Cannot replace missing operating evidence |
In practice, 20-45% of SOC 2 evidence can remain manual even with a platform. Offboarding, vendor reviews, quarterly access reviews, business continuity tests, policy approvals, and exception explanations still need human judgment.
Vanta vs Drata vs Secureframe for evidence collection
Vanta, Drata, and Secureframe can all reduce the evidence scramble. The right choice depends on your stack, owner model, and buyer pressure.
| Platform | Strong fit | Evidence collection angle | Watch-outs |
|---|---|---|---|
| Vanta | Seed to growth SaaS startups with a standard cloud stack and urgent enterprise sales pressure | Broad integration library, familiar auditor workflow, strong first-audit motion | Renewal increases, alert noise, and limited flexibility for unusual control models |
| Drata | Engineering-led teams with a security owner and more complex compliance roadmap | Stronger fit for custom controls, API-driven workflows, and multi-framework operating models | Can be too heavy for founder-led first audits without a real owner |
| Secureframe | Startups that need guided setup, policy support, or regulated-framework help | More hands-on guidance for teams without a dedicated GRC hire | Not automatically the cheapest; technical teams may find it restrictive |
If you are comparing tools, use the SOC 2 vendor comparison tool, then read our deeper comparisons:
- Vanta review
- Vanta pricing
- Vanta vs Drata
- Vanta vs Secureframe
- Drata alternatives
- Secureframe alternatives
Affiliate note: we may earn commissions from qualified referrals or partner links. Our evidence collection recommendations remain based on fit, audit readiness, and buyer requirements.
How to organize SOC 2 evidence before fieldwork
The best evidence library is organized by control, not by random file type.
Use a simple structure:
| Folder or tracker field | What to include |
|---|---|
| Control ID | Example: CC6.1 access provisioning, CC6.2 MFA, CC8.1 change management |
| Control owner | Person responsible for the control |
| Frequency | Continuous, per event, monthly, quarterly, annually |
| Evidence source | Okta, AWS, GitHub, Jira, HRIS, Vanta, Drata, Secureframe, spreadsheet |
| Evidence sample | Link to export, ticket, screenshot, PR, log, or report |
| Date covered | Point-in-time date or observation-period range |
| Exceptions | Missing items, late reviews, terminated users, failed checks |
| Remediation owner | Person responsible for fixing gaps |
Name files so they make sense outside your laptop:
| Weak file name | Better file name |
|---|---|
| screenshot.png | CC6.2-okta-mfa-enforcement-2026-05-01.png |
| access_review.xlsx | CC6.3-quarterly-access-review-q2-2026-reviewed-by-cto.xlsx |
| backup.pdf | A1.2-rds-backup-restore-test-2026-04-18.pdf |
| vendors-final-final.xlsx | CC9.2-critical-vendor-risk-review-2026.xlsx |
For Type II, preserve the original timestamps. Do not overwrite evidence files after the period ends unless you keep the original record.
Startup-specific advice
Startups should keep SOC 2 evidence narrow, current, and tied to revenue.
Do this first:
- Confirm whether the customer requires Type I or Type II.
- Confirm whether Security-only is enough or whether Confidentiality, Availability, Privacy, or Processing Integrity is required.
- Identify the systems that store, process, or can access customer data.
- Assign one owner for each control area.
- Clean up stale users before the auditor samples access.
- Run one access review before the audit window starts.
- Run one backup restore test before fieldwork.
- Review critical vendors before fieldwork.
- Rewrite policies that do not match reality.
Do not buy a compliance platform before you understand the gap. Run the SOC 2 readiness checklist, then estimate the full audit budget with the SOC 2 cost calculator.
Common SOC 2 evidence mistakes
| Mistake | Why it hurts | Better approach |
|---|---|---|
| Saving screenshots with no date or URL | Auditor cannot verify timing or system source | Use exports, logs, or screenshots that show context and date |
| Copying policy templates without editing them | Auditor tests against promises you do not keep | Write policies to match actual workflows |
| Treating access reviews as a checkbox | Review exists but no exceptions or removals are tracked | Document reviewer, date, population, exceptions, and remediation |
| Forgetting contractors and service accounts | Non-employee access becomes unmanaged | Track contractors and service accounts separately |
| Waiting until fieldwork to collect evidence | Missing Type II history cannot be recreated cleanly | Start evidence collection before the observation period |
| Assuming Vanta, Drata, or Secureframe does everything | Manual controls still require owners and judgment | Use the platform as evidence infrastructure, not a substitute for operations |
| Choosing the cheapest auditor without buyer fit | Enterprise buyers may question low-quality reports | Match auditor credibility to customer expectations |
| Migrating platforms during Type II | Evidence continuity can break mid-observation period | Switch between audit cycles when possible |
Downloadable SOC 2 evidence checklist
Use this page as the reference list, then create your working plan with the free SOC 2 readiness checklist. It gives you a readiness score, identifies priority gaps, and creates a practical next-step list before you book auditor calls or vendor demos.
If the budget is still unclear, use the SOC 2 cost calculator. If the evidence workload looks too manual, compare automation options with the SOC 2 vendor comparison tool.
People Also Ask
What is a SOC 2 evidence list?
A SOC 2 evidence list is the practical set of records an auditor reviews to test your controls. It usually includes access reviews, MFA settings, user exports, change approvals, cloud security settings, training records, vendor reviews, incident response evidence, backup tests, and approved policies.
What evidence is needed for SOC 2 Type II?
SOC 2 Type II evidence must show that controls operated throughout the observation period. Auditors commonly sample access reviews, offboarding records, change approvals, vulnerability management, vendor reviews, monitoring alerts, incident records, backup tests, and policy acknowledgments.
Do auditors accept screenshots for SOC 2 evidence?
Auditors may accept screenshots for some point-in-time settings, especially in Type I audits, but screenshots should show the system, date, user context, and relevant configuration. For Type II, system exports, logs, tickets, and API-collected evidence are usually stronger.
Can Vanta, Drata, or Secureframe collect all SOC 2 evidence?
No. They can collect a meaningful portion of technical evidence from integrated systems, but manual evidence remains. Startups still need owners for access reviews, vendor reviews, policy approvals, incident testing, exception handling, and explanations when controls do not fit the default workflow.
How should startups organize SOC 2 evidence?
Organize evidence by control ID, owner, frequency, source system, date covered, and exceptions. Avoid a generic folder of screenshots. Auditors work faster when each evidence item maps directly to a control and observation period.
Bottom line
The best SOC 2 evidence list is not the longest spreadsheet. It is the shortest defensible set of records that proves your controls exist, match your policies, and operate consistently enough for the report you are pursuing.
If you are a startup preparing for audit readiness, focus first on access, offboarding, change management, cloud security, vendor risk, policies, and monitoring. Those are the places where evidence gaps most often delay reports and block enterprise deals.
Free SOC 2 tools
Calculate your SOC 2 next step
Estimate costs, check readiness, and compare automation platforms before you spend budget.
Related Articles
