SOC 2 Evidence Collection Checklist: What Auditors Actually Request

Specific screenshots, exports, naming conventions, and folder structures that reduce auditor clarification requests

Resource guide · Updated 2026 · 12 min read

Most first-time SOC 2 audits encounter delays not because controls are missing, but because evidence is disorganized, incomplete, or inconsistent. Auditors don’t expect perfection—they expect proof that your documented controls actually operate as described.

This checklist provides a tactical, week-by-week evidence collection framework for startups preparing for their first SOC 2 Type I audit. It includes specific screenshots to capture, exports to save, naming conventions to follow, and folder structures that substantially reduce auditor clarification requests. For a complete readiness plan, see our SOC 2 Readiness Checklist for Startups (2026) and SOC 2 System Description Guide.

Key findings

• Auditors typically request 15–25 distinct evidence artifacts for a Type I audit.
• Evidence collection consumes 60–80% of preparation time for manual/template-based approaches.
• Organized evidence with clear naming conventions often reduces fieldwork duration by several days.

What Auditors Actually Review (Not What You Think)

SOC 2 auditors do not:

  • Perform penetration testing on your infrastructure
  • Read your source code line-by-line
  • Inspect every employee device
  • Test every single control exhaustively

SOC 2 auditors do:

  • Verify that documented controls exist and are appropriately designed
  • Sample 1–3 instances per control to validate operational consistency
  • Cross-reference policies against actual system configurations
  • Confirm that exceptions are documented with remediation plans
  • Validate that third-party vendors maintain appropriate certifications

Bottom line: Your evidence must demonstrate consistent execution, not perfection.

The 10 Most-Requested Evidence Types

Based on common startup SOC 2 audit patterns, these are the evidence artifacts auditors request in nearly every engagement.

1. Access Management & MFA Enforcement

What auditors ask for:

  • Screenshot of MFA enforcement settings in identity provider (Okta, Google Workspace, Azure AD)
  • User access list export showing active employees and contractors
  • Termination/offboarding checklist with access revocation timestamps

How to collect it:

  • Okta: Admin Console → Security → Authentication → MFA Policies (screenshot)
  • Google Workspace: Admin Console → Security → 2-Step Verification (screenshot)
  • Export user list: Okta → Users → Export CSV; Google Workspace → Directory → Users → Download
  • Save as: ACE-001_MFA_Settings.pdf, ACE-002_User_Access_List.csv
📸 SCREENSHOT: Okta MFA Enforcement Settings
Okta Admin Console → Security → Authentication → MFA Policies. Shows MFA policy enabled, authentication methods required (TOTP, SMS, hardware key), in-scope users/groups, URL bar visible with admin domain, system timestamp visible.

2. Change Management & Code Review

What auditors ask for:

  • GitHub/GitLab branch protection rules screenshot
  • Sample of 3–5 pull requests showing peer review approvals
  • Deployment pipeline configuration (GitHub Actions, CircleCI, Vercel)

How to collect it:

  • GitHub: Settings → Branches → Branch protection rules (screenshot main/master branch)
  • Pull requests: Navigate to 3 recent merged PRs, capture approval timestamps and reviewer names
  • Save as: CHG-001_Branch_Protection.pdf, CHG-002_PR_Approval_Samples.pdf
📸 SCREENSHOT: GitHub Branch Protection Rules
GitHub repository Settings → Branches → Branch protection rules. Shows “Require a pull request before merging” checked, approval requirements set (e.g., 1 reviewer), “Dismiss stale approvals” checked, branch name (main/master) and repository URL visible.

3. Encryption & Data Protection

What auditors ask for:

  • Database encryption configuration (AWS RDS, Supabase, MongoDB Atlas)
  • TLS/SSL certificate configuration for web application
  • Object storage encryption settings (S3 bucket policies)

How to collect it:

  • AWS RDS: RDS Console → Databases → Configuration tab → Encryption (export config)
  • S3: S3 Console → Bucket → Properties → Default encryption (export config)
  • Save as: ENC-001_Database_Encryption.pdf

Note: Export configuration details rather than relying solely on screenshots. Auditors accept exported JSON or PDF configs.

4. Backup & Disaster Recovery

What auditors ask for:

  • Automated backup configuration
  • Backup retention policy documentation
  • Most recent backup restoration test evidence

How to collect it:

  • AWS RDS: RDS Console → Backups → Automated backups enabled (export config)
  • Restoration test: Document date, method, and outcome of last test restore
  • Save as: BKP-001_Backup_Configuration.pdf, BKP-002_Restoration_Test_Log.pdf
📸 SCREENSHOT: AWS RDS Automated Backup Configuration
AWS RDS Console → Backups. Shows “Automated backups” enabled, backup retention period (e.g., 7-30 days), backup window time, and latest restorable time visible. Database identifier and region visible.

5. Incident Response

What auditors ask for:

  • Incident response policy document
  • Incident escalation procedures
  • Sample incident log (even if empty, document “no incidents reported”)

How to collect it:

  • Incident response policy: Use your documented policy (PDF)
  • Create incident log spreadsheet with columns: Date, Severity, Description, Resolution, Owner
  • If no incidents: Document “No security incidents reported during period [date range]”
  • Save as: INC-001_Incident_Response_Policy.pdf, INC-002_Incident_Log.xlsx

6. Vendor Management & Subprocessors

What auditors ask for:

  • Vendor/subprocessor inventory spreadsheet
  • SOC 2 reports or security questionnaires from critical vendors (AWS, Stripe, Okta, etc.)
  • Data Processing Addendums (DPAs) with vendors handling customer data

How to collect it:

  • Create spreadsheet: Vendor Name, Service Provided, Data Access Level, SOC 2 Status, DPA Signed
  • Request SOC 2 reports from AWS, Stripe, Okta, etc.
  • Save as: VND-001_Vendor_Inventory.xlsx, VND-002_AWS_SOC2_Report.pdf

7. Security Awareness Training

What auditors ask for:

  • Security awareness training policy
  • Employee training completion records
  • New hire onboarding security checklist

How to collect it:

  • Training policy: Use your documented policy (PDF)
  • Export completion records from training platform (KnowBe4, Hoxhunt, or internal LMS)
  • Save as: TRN-001_Training_Policy.pdf, TRN-002_Training_Records.xlsx

8. Physical Security & Device Management

What auditors ask for:

  • Device management policy (MDM enrollment, disk encryption, screen locks)
  • MDM console screenshot showing enrolled devices
  • Disk encryption verification (FileVault/BitLocker status)

How to collect it:

  • MDM console (Jamf, Kandji, Intune): Admin console → Devices → Enrollment status
  • For remote-first teams: Document “Physical security controls managed via MDM and device encryption policies”
  • Save as: DEV-001_MDM_Enrollment.pdf, DEV-002_Disk_Encryption_Policy.pdf

9. Logging & Monitoring

What auditors ask for:

  • Cloud audit log configuration (AWS CloudTrail, GCP Audit Logs)
  • Alerting rules for security events
  • Log retention settings

How to collect it:

  • AWS CloudTrail: CloudTrail Console → Trails → Logging status (export config)
  • Alerting: Show alert rules for failed logins, privilege escalation, configuration changes
  • Save as: LOG-001_CloudTrail_Configuration.pdf, LOG-002_Security_Alerts.pdf

10. HR & Employee Lifecycle

What auditors ask for:

  • Employee handbook with security policies
  • Signed security acknowledgment forms
  • Background check completion records

How to collect it:

  • Employee handbook: PDF with security policy section highlighted
  • Acknowledgments: Signed forms from all employees (digital signatures acceptable)
  • Background checks: Completion confirmation from Checkr, GoodHire, or provider
  • Save as: HRM-001_Employee_Handbook.pdf, HRM-002_Security_Acknowledgments.pdf, HRM-003_Background_Check_Records.xlsx

Evidence Naming Convention (Auditor-Preferred)

Use this standardized format to make evidence instantly scannable:

Format: [PREFIX-XXX]_[Description]_[Date/Period].[ext]

Examples:

  • ACE-001_MFA_Settings_2026-01.pdf
  • CHG-002_PR_Samples_Q1-2026.pdf
  • ENC-001_Database_Encryption.pdf
  • VND-001_Vendor_Inventory_Q1-2026.xlsx

Recommended Folder Structure

Organize evidence to mirror AICPA Trust Services Criteria with realistic control prefixes:

  • /SOC2-Evidence-2026/
  • ├── SOC-CC1-Governance/
  • │ ├── SOC-CC1-001_Code_of_Conduct.pdf
  • │ ├── SOC-CC1-002_Org_Structure.pdf
  • │ └── HRM-001_Employee_Handbook_v3.2.pdf
  • ├── SOC-CC6-Logical-Access/
  • │ ├── ACE-001_MFA_Policy_Config.pdf
  • │ ├── ACE-002_User_Access_Review_Q1-2026.xlsx
  • │ ├── ACE-003_Role_Based_Access_Matrix.xlsx
  • │ └── ACE-004_Termination_Checklist_Samples.pdf
  • ├── SOC-CC7-System-Ops/
  • │ ├── LOG-001_CloudTrail_Config_us-east-1.json
  • │ ├── LOG-002_Alert_Rules_Security_Events.pdf
  • │ ├── BKP-001_RDS_Automated_Backup_Config.pdf
  • │ └── BKP-002_Restoration_Test_2026-01-15.pdf
  • ├── SOC-CC8-Change-Mgmt/
  • │ ├── CHG-001_GitHub_Branch_Protection_Main.pdf
  • │ ├── CHG-002_PR_Approval_Samples_Jan2026.pdf
  • │ └── CHG-003_Deployment_Pipeline_Config.yaml
  • ├── SOC-CC9-Risk-Mitigation/
  • │ ├── ENC-001_RDS_Encryption_Config_us-east-1.json
  • │ ├── ENC-002_S3_Bucket_Encryption_Default.pdf
  • │ ├── RA-001_Annual_Risk_Assessment_2026.pdf
  • │ └── INC-001_Incident_Response_Runbook_v2.1.pdf
  • ├── PRI-Privacy/
  • │ ├── PRI-001_Privacy_Policy_Public.pdf
  • │ ├── PRI-002_Data_Retention_Schedule.xlsx
  • │ └── PRI-003_DPA_Template_Vendors.pdf
  • └── VND-Vendor-Mgmt/
  • ├── VND-001_Subprocessor_Inventory_2026-Q1.xlsx
  • ├── VND-002_AWS_SOC2_Type2_Report_2025.pdf
  • ├── VND-003_Stripe_Security_Review.pdf
  • └── VND-004_Okta_Trust_Package.pdf

Evidence Differences: SOC 2 Type I vs Type II

AreaType IType II
Evidence TimingPoint-in-timeMulti-month observation period
Access ReviewsCurrent snapshotQuarterly recurring reviews
Monitoring EvidenceConfiguration screenshotsHistorical logs & alerts
Change ManagementSample pull requestsRepeated operational consistency
Backup TestingConfiguration proofOngoing restoration verification

Evidence Collection Timeline (12-Week Prep)

Weeks 1–2: Foundation

  • Create evidence folder structure
  • Set up naming convention
  • Export current user access lists
  • Capture Okta MFA enforcement screenshots

Weeks 3–4: Technical Controls

  • Database encryption configuration
  • Backup settings and retention
  • GitHub branch protection rules
  • Cloud audit log configuration

Weeks 5–6: Operational Evidence

  • Sample pull requests with approvals
  • Vendor inventory spreadsheet
  • Request SOC 2 reports from vendors

Weeks 7–8: HR & Training

  • Employee handbook with security section
  • Signed security acknowledgments
  • Training completion exports

Weeks 9–10: Incident Response

  • Incident response policy
  • Incident log (even if empty)
  • Alerting configuration

Weeks 11–12: Final Compilation

  • Review evidence completeness
  • Fill gaps with additional evidence
  • Create evidence index spreadsheet
  • Conduct internal dry-run review

Manual Collection vs. Automation Platforms

Evidence TypeManual (Templates)Vanta/Drata/Secureframe
MFA SettingsScreenshot Okta/Google Workspace consoleAuto-captured via API
User AccessExport CSV from Okta/Google WorkspaceAuto-synced daily
Branch ProtectionScreenshot GitHub settingsAuto-validated
EncryptionExport config from AWS/Supabase consoleAuto-detected
Backup ConfigExport backup settingsAuto-monitored
PR ApprovalsScreenshot 3–5 sample PRsAuto-sampled
Vendor SOC 2 ReportsManual collection via NDASome auto-fetched

Bottom line: Automation platforms reduce evidence collection time by 60–70%, but cost $8k–$20k/year. Manual collection requires 80–150 hours but costs $0 in software. For bootstrapped startups, the template path is viable if you start early and stay organized.

Common Evidence Mistakes & How to Fix Them

  • Evidence quality too low: Blurry or cropped screenshots. Fix: Use full-screen captures, ensure text is readable, include URL bar.
  • Missing timestamps or dates: Evidence without visible dates. Fix: Include system clock or add date stamp in filename.
  • Inconsistent naming: Files named screenshot1.png. Fix: Use standardized naming convention from day one.
  • Evidence from wrong environment: Capturing staging instead of production. Fix: Verify URL and environment before capturing.
  • No exception documentation: Controls not fully implemented with no explanation. Fix: Create exception log with rationale and remediation timeline.

Evidence Tracker Template

Create a master evidence tracker with these columns to monitor collection progress and auditor status:

Control IDControl DescriptionEvidence File NameDate CollectedAuditor StatusNotes
CC6.1Logical Access ControlsACE-001_MFA_Settings.pdf2026-01-15Approved
CC7.1System OperationsCHG-002_PR_Samples.pdf2026-01-18Pending ReviewNeed 2 more samples
CC8.1Change ManagementCHG-001_Branch_Protection.pdf2026-01-20Approved

Platform-Specific Evidence Guides

Deep-dive guides for your specific tech stack:

AWS Evidence Collection

  • RDS encryption & backup configurations
  • S3 bucket policies & access logs
  • CloudTrail & GuardDuty setup
  • IAM role & policy documentation
SOC-003 control worksheet →

Okta/Identity Evidence

  • MFA policy enforcement screenshots
  • User lifecycle workflows
  • Quarterly access review exports
  • SSO integration configurations
COR-002 access policy →

GitHub & CI/CD Evidence

  • Branch protection rules (org & repo)
  • PR approval samples & workflows
  • GitHub Actions security settings
  • Secret scanning & Dependabot config
Phase 2 implementation kit →

Google Workspace Evidence

  • 2-Step Verification enforcement
  • Admin audit log exports
  • DLP & data sharing settings
  • Third-party app access reviews
COR-002 access policy →

Frequently Asked Questions

How much evidence do I need for SOC 2 Type I?

Typically 15–25 distinct artifacts covering all applicable Trust Services Criteria. Each control needs 1–3 pieces of supporting evidence.

Do screenshots expire?

Auditors prefer evidence collected within 30 days of fieldwork start date. For Type II, evidence must span the entire observation period.

Can I use the same evidence for Type II?

Yes, but Type II requires evidence of consistent operation over time (e.g., quarterly access reviews, monthly backup tests).

What if I can’t provide certain evidence?

Document it as an exception with business rationale, risk acceptance, and remediation timeline. Auditors expect some exceptions for early-stage startups.

Should I redact sensitive information?

Yes. Redact API keys, passwords, customer PII, and proprietary business data. Auditors understand security redaction.

Where should I store evidence?

Use whatever your team already uses—Google Drive, Notion, SharePoint, or encrypted cloud storage. Consistency and access control matter more than the specific platform.

Download SOC 2 Templates

Get the complete template pack — policies, scoping worksheets, evidence trackers, and system description workbook.

Get Phase 1 Starter Kit →
Disclaimer: This checklist provides educational guidance for SOC 2 evidence collection. It does not constitute legal, audit, or compliance advice. Always engage a qualified CPA firm for official SOC 2 reporting. Evidence requirements may vary by auditor, scope, and organizational complexity. Template frameworks accelerate preparation but do not guarantee audit outcomes—implementation rigor and operational adherence remain essential.