Skip to Content

SOC 2 Evidence Checklist: Technical Requirements for Type 1 & Type 2 Audits

May 20, 2026 by
DCYBR

The Definitive SOC 2 Evidence List: Technical Artifacts and Auditor Expectations

Written by the DCYBR Advisory Team

Certified SOC 2 practitioners | CISA | CISSP | 12+ years advising SaaS companies through AICPA-aligned Type 1 and Type 2 audits. Meet the team

Last updated:

TL;DR: Passing a SOC 2 audit requires a structured SOC 2 evidence list covering cloud configs, MFA enforcement, and SDLC logs. Auditors apply rigid sampling rules, demanding 15–25 samples for daily operations to verify effectiveness over a 6-month period. Automated dashboards must be reconciled against manual source populations to guarantee data completeness.


Most SaaS teams assume their compliance platform will handle evidence collection automatically.

Then the auditor asks for historical logs, source populations, approval records, and proof that controls operated consistently over time.

That’s where delays usually begin.

Passing a SOC 2 audit requires more than screenshots or dashboard checkmarks. Auditors expect complete audit trails covering infrastructure, identity management, software development workflows, HR operations, vendor reviews, and incident response procedures. 

What Counts as SOC 2 Audit Evidence?

  • SOC 2 evidence should cover people, systems, infrastructure, policies, and operational workflows that directly affect customer data security.

  • Auditors validate security controls against complete source populations, including employee accounts, repositories, cloud assets, and production systems.

  • Static screenshots alone rarely satisfy Type 2 audit requirements because auditors expect evidence showing that controls operated consistently over time.

Defining your audit boundary is one of the first steps in preparing for a SOC 2 audit.

Before collecting evidence, you need a complete inventory of every system, repository, employee account, and infrastructure component that stores, processes, or protects customer data.

According to the AICPA, this boundary typically includes people, processes, technology, infrastructure, and data workflows. If the scope is poorly defined, teams often collect incomplete evidence or include unnecessary systems, which increases audit complexity and slows down fieldwork.

Once the audit boundary is finalized, auditors will expect logging and monitoring controls across all in-scope systems. For example, if customer databases are hosted inside a private cloud environment, the surrounding network perimeter, authentication systems, backup infrastructure, and administrative access controls usually become part of the audit scope.

At this stage, auditors also request “source populations” for each major control area. A source population is the complete list of items inside a category, such as active employee accounts, GitHub repositories, VPN users, or cloud instances.

Auditors compare exported configurations and evidence records against these raw populations to confirm that no systems or accounts were excluded from review. If even one active employee or production asset is missing from the population list, the auditor may expand testing or flag the evidence as incomplete.

The Standard for Auditor Sampling

  • Auditor sampling counts are determined by control execution frequency and risk levels.
  • Daily operating controls mandate testing a population selection of 15 to 25 samples.
  • Incomplete population datasets invalidate sample testing, leading to audit delays or qualified reports.

When evaluating your operational controls over a designated testing window, auditors do not look at every single event that occurred. Instead, they apply strict sampling standards to determine if your controls operated consistently. This is the core structural difference between point-in-time assessments and long-term evaluations. For a deeper breakdown of how these timelines affect evidence demands, you can read our Type 1 vs Type 2 guide.

According to the AICPA SOC Suite of Services, auditors apply standardized, mathematically backed sampling formulas to ensure testing yields reasonable assurance. The exact volume of samples requested is tied directly to how often your internal controls run:

  • Daily Controls: For systems that run every day—such as daily database backups, automated vulnerability scans, or firewall log reviews—auditors select between 15 and 25 samples from across the audit window.
  • Weekly Controls: For activities executed once a week—such as system patch reviews or infrastructure status reports—you must provide 10 to 15 samples.
  • Monthly Controls: For monthly routines—including access reconciliation reviews, financial adjustments, or continuous vulnerability remediation cycles—auditors require 2 to 5 samples.
  • Per-Event (Ad-Hoc) Controls: For events triggered on demand—such as hiring a new employee, offboarding a developer, or deploying a major code release—auditors pull a sample representing 10% to 20% of the entire population, up to a maximum standard sample size.

When providing these samples, you must deliver the exact technical artifacts requested for each selected date or transaction. If you cannot produce the configuration logs or backup outputs for even one sample, your control is considered to have failed for that period, which will be formally noted in your final report.

Technical Evidence for Cloud Infrastructure

  • Central identity providers must enforce Multi-Factor Authentication universally.
  • Cloud configurations must restrict public access and document isolated network perimeters.
  • Database backups require systematically generated encryption verification and testing logs.

Cloud computing environments require concrete proof of logical isolation, identity protection, and backup validation. Traditional compliance practices relied heavily on static, point-in-time screenshots of administrator dashboards. However, modern SOC 2 audits require automated, programmatic exports that show exact infrastructure configurations and real-time posture enforcement.

For hosting environments built on Amazon Web Services (AWS), auditors will look for specific evidence parameters. You must provide JSON or CLI exports showing that root user accounts have multi-factor authentication (MFA) enabled and that API keys are rotated regularly. You will need to export security group configurations to demonstrate that external port access is restricted, and provide storage policies verifying that S3 buckets prohibit public access. Detailed guidance on mapping these resources can be found on the AWS compliance page.

If your platform runs on Google Cloud Platform (GCP), your evidence trail must contain equivalent parameters. You will need to export Cloud Identity configuration files, IAM access hierarchies, and VPC network policies. Guidance on aligning GCP setups with auditor expectations can be reviewed on Google Cloud's SOC 2 documentation.

In addition to cloud host configurations, you must provide proof of automated encryption at rest and in transit. This includes system configurations from database services demonstrating the use of Advanced Encryption Standard (AES) with a 256-bit key length, as well as SSL/TLS configurations for all public-facing application endpoints.

Evidence Collection for Software Development

  • Automated branch protection rules provide reliable verification of segregation of duties.
  • Code deployment logs must link every release directly back to an approved code pull request.
  • A Slack chat thread or a manual project ticket does not meet change management standards on its own.

Your Software Development Life Cycle (SDLC) is the primary target for change management controls during an audit. CPAs must verify that all software updates deployed to production have been fully tested, reviewed by an independent engineer, and approved by authorized personnel. This prevents rogue code deployments and guarantees that developer accounts cannot bypass security checks.

To prove compliance, you must share the branch protection rules implemented in your version control platform, such as GitHub or GitLab. Showing a configuration screen showing that your main branch requires a minimum of one independent peer approval and a passing test suite before merging is the standard way to prove this. This process must map to authorization standards defined in NIST SP 800-53, which sets strict controls for system configuration changes and developer segregation of duties.

A common mistake is trying to use Slack notifications or unstructured email chains as proof of change approval. An auditor will reject these files because they are easy to edit and do not link programmatically to a code change. Instead, you must build an integrated audit trail for every change selected in your sample group:

First, provide the Jira or ticket ID detailing the bug report or feature request. Second, provide the pull request URL showing the automated unit test runs and the independent peer approval signature. Third, present the deployment log from your CI/CD tool showing the specific commit hash matching the production environment deployment timestamp. This automated chain of custody is the only way to satisfy technical SDLC control checks.

The Comprehensive Evidence Collection Checklist

  • A complete evidence checklist contains technical infrastructure files alongside administrative records.
  • Human resources data, such as background checks and NDAs, must be complete for all employees.
  • Incident response reports and recovery test runs are analyzed for operational validity.

To organize your prep work, utilize this comprehensive, auditable checklist of technical and organizational resources. This structured format represents the ideal target list needed to secure your compliance report.

  1. Cloud Environment Configurations: Exports of network perimeters, IAM structures, and storage security parameters from cloud hosts.

  3. Database Encryption Parameters: Technical outputs verifying AES-256 database storage encryption status and key rotation parameters.

  5. Central Identity Management Proof: Reports from Okta, Google Workspace, or Azure AD showing MFA is active for all active accounts.

  7. Repository Branch Protections: Verifiable configurations from GitHub showing peer approval rules are active on release branches.

  9. Employee Non-Disclosure Agreements: Signed NDAs and confidentiality contracts for every employee and vendor on your team.

  11. Background Check Clearances: Background screening confirmations from your HR portal for all employees hired during the audit window.

  13. Account Provisioning/Deprovisioning Logs: HR tickets showing the request, approval, and execution timestamps for system access changes.

  15. Risk Assessment Documentation: Annual risk assessment logs identifying potential business hazards, impact ratings, and security remediations.

  17. Security Incident Logs: Comprehensive tracking of security alerts, internal investigations, and resolution actions.

  19. Incident Response Tabletop Tests: Meeting logs and results showing your team simulated an active security incident within the last year.

  21. Disaster Recovery Test Records: System-generated outputs verifying a successful database recovery test from backup snapshots.

  23. Subprocessor SOC 2 Assessments: Annual review sheets analyzing the security reports and external certifications of your critical vendors.

Want a scoping assessment before committing to an audit? Talk to DCYBR — most teams get clarity in one call.

Managing Third-Party Risk

  • Critical subprocessors require a documented review of their SOC 2 reports every year.
  • Complementary User Entity Controls (CSUECs) must be mapped to your internal systems.
  • Audit logging needs to capture data exchanges with external API services.

SaaS ecosystems rely on external platforms to handle critical steps in their data pipelines. Because your cloud footprint is distributed across multiple external services, auditors require proof that you actively monitor the security posture of your partners. This monitoring process is managed through a Vendor Risk Assessment Program.

For every high-risk subprocessor—such as your hosting provider, billing pipeline, or email delivery provider—you must document an annual security assessment. This requires downloading their latest security certifications and mapping their Complementary User Entity Controls (CSUECs) back to your internal operations. For example, if you rely on Stripe for payment processing, you should access Stripe's security portal to retrieve their compliance certifications and evaluate how their transactional controls interface with your system.

When organizing your records, you must document these reviews in a central tracker. This file should contain plain-text records of the subprocessor's certification endpoints, including security sites such as aws.amazon.com/compliance/soc for hosting platforms, cloud.google.com/security/compliance/soc-2 for cloud systems, and twilio.com/security for messaging channels. By verifying that your vendor network is actively monitored, you show that your overall security boundary remains intact.

Why SOC 2 Evidence Collection Often Fails

  • Green checkmarks inside compliance dashboards do not guarantee a clean SOC 2 audit.

  • Screenshots without timestamps or historical context are frequently rejected during fieldwork.

  • Incomplete source populations often create major delays during auditor testing.

One of the most common problems during SOC 2 fieldwork appears when automated compliance platforms fail to capture changes that occur outside API-connected systems.

Teams often assume that a fully green dashboard means their audit evidence is complete. In practice, auditors validate operational controls by reviewing raw records, historical logs, and complete source populations — not dashboard summaries alone.

This distinction becomes especially important during Type 2 audits, where auditors test whether controls operated consistently over time rather than checking a single point-in-time configuration. 

Evidence CategoryAutomated SnapshotAuditor-Validated Evidence
Identity & Access ManagementA dashboard check showing MFA is enabledExported MFA status reports covering all active employee and administrator accounts
Change ManagementAn API check confirming branch protection is activeLinked Jira tickets, pull requests, peer approvals, and CI/CD deployment logs
Vendor ManagementA vendor contract stored in a shared driveA documented review of the vendor’s SOC 2 report with mapped CSUECs
Human Resources SecurityA dashboard status showing background checks are linkedIndividual background checks matched against onboarding records and employee hire dates


Frequently Asked Questions

  • MFA verification requires systemic tenant-wide configuration exports.
  • Type 2 sampling counts are strictly controlled by the frequency of your internal processes.
  • Losing historical system records during the testing period can result in an audit exception.

How do I prove MFA is enabled for SOC 2?

Proving Multi-Factor Authentication is active requires exporting a system configuration report from your identity provider and taking verified snapshots of console configuration parameters. Auditors typically cross-reference this baseline against a selected random sample of 15 to 25 users.

What is automated evidence collection?

Automated evidence collection uses programmatic API connections into cloud hosting platforms, developer tools, and HR suites to extract security parameters. This reduces the manual labor of capturing screenshots and forms a continuous, historical audit trail.

How many samples will an auditor need for a Type 2 audit?

Audit firms apply standardized statistical models requiring 15 to 25 samples for daily operations, 10 to 15 samples for weekly procedures, and 2 to 5 samples for monthly reviews. This distribution guarantees reasonable assurance across the review window.

Can I use a Slack message as evidence for a code review?

A Slack message may occasionally serve as a compensating control if it is structurally linked to a commit ID and represents a distinct author. However, standard branch protection logs in GitHub remain the industry-preferred artifact because they are tamper-proof and fully automated.

What happens if I lose evidence during the audit period?

Losing evidence creates a validation gap that may trigger an audit exception or qualify the CPA's opinion. To mitigate this risk, you must present alternative controls, such as backup replication logs or system-generated metadata, to demonstrate the control operated.

How long should I retain SOC 2 evidence after the audit?

Service organizations should retain audit evidence for a minimum of seven years to comply with standard CPA professional liability parameters and legal guidelines. Retaining files secure from alteration ensures you can present past records during customer due diligence checks.

SOC 2 Audit Preparation Guides

Understanding SOC 2 evidence requirements is only one part of audit readiness. These additional guides explain how audit timelines, Type 1 vs Type 2 reporting, and evidence collection failures affect SaaS companies during SOC 2 preparation:



               Ready to get started? 

 Need SOC 2 Type 2 readiness in 4–6 weeks? Start in 72 hours at  DCYBR.com.

 

Why SOC 2 Audits Fail: Deconstructing the Automation Trap and Evidence Integrity Gaps