Evidence Index Guide

Master index linking controls to evidence artifacts for auditor PBC requests.

SOC 2 evidence index template preview (SOC-021)
.xlsx SOC-021

Evidence Index

Master index linking controls to evidence artifacts for auditor PBC requests.

Get SOC 2 Phase 3 Audit & Evidence Bundle
How to Fill Out This Evidence Index

SOC 2 evidence index template — Central catalog of audit evidence — update before fieldwork and link from SOC-028 PBC tracker.

Recommended Owner: Compliance or Security | Control owners maintain rows

What this file is for

Document purpose

Master catalog of audit evidence linking artifacts to TSC and policies.

In your program: Evidence IDs used in SOC-028 PBC Tracker and SOC-022 traceability matrix.

Before you start

Getting Started

  • Enable Editing; read the Instructions sheet first for tab order and version metadata.
  • Use dropdowns in validated columns; delete gray sample rows before auditor samples.
  • Check Dashboard after updates — formulas flag gaps and acceptance rates.

Document tour

Fill out the file section by section

Work through the sections below in order. Each block matches a heading or tab in the downloaded SOC-021 file.

Instructions
  • Follow 6 steps on Instructions; cross-reference SOC-022 and SOC-028 related docs.
  • After editing Instructions, search for `[` placeholders and gray sample names — auditors flag incomplete templates.
Evidence Index
  • Evidence ID (EVD-###) never reused for a different artifact in the same audit period.
  • TSC Mapping = criteria IDs from SOC-023 (e.g., CC6.1, CC7.2).
  • Policy Ref = toolkit doc ID (COR-002, SOC-010) auditors will request.
  • Status flow: Draft → Collected → Under Review → Accepted; Rejected needs auditor note in link field context.
  • Type dropdown must match artifact (Report, Log, Ticket, Configuration).

Evidence ID

  • Fill Evidence ID with a URL, ticket, or export path auditors can open — not a local-only path.
  • Re-verify links before fieldwork; broken evidence links are a common audit finding.

Evidence Name

  • Fill Evidence Name with a URL, ticket, or export path auditors can open — not a local-only path.
  • Re-verify links before fieldwork; broken evidence links are a common audit finding.

Category

  • Fill Category for every in-scope row on Evidence Index — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

TSC Mapping

  • Fill TSC Mapping for every in-scope row on Evidence Index — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Type

  • Fill Type for every in-scope row on Evidence Index — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Collected By

  • Fill Collected By for every in-scope row on Evidence Index — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Collected Date

  • Use consistent Collected Date format (YYYY-MM-DD) aligned with HRIS, IdP, or LMS exports.
  • Dates must match supporting evidence — auditors compare log timestamps to HR records.

Reviewed By

  • Use consistent Reviewed By format (YYYY-MM-DD) aligned with HRIS, IdP, or LMS exports.
  • Dates must match supporting evidence — auditors compare log timestamps to HR records.

Review Date

  • Use consistent Review Date format (YYYY-MM-DD) aligned with HRIS, IdP, or LMS exports.
  • Dates must match supporting evidence — auditors compare log timestamps to HR records.

Status

  • Select Status from the dropdown — free text breaks Dashboard formulas and heatmaps.
  • Update through the lifecycle (Not Started → In Progress → Complete/Closed) before sign-off.

Policy Ref

  • Fill Policy Ref for every in-scope row on Evidence Index — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Location / Link

  • Fill Location / Link with a URL, ticket, or export path auditors can open — not a local-only path.
  • Re-verify links before fieldwork; broken evidence links are a common audit finding.

Quality check

Before You Finalize

  • Dashboard acceptance rate reflects production-ready evidence — not Draft rows.
  • Every Accepted row has Evidence Link URL and Review Date.

Evidence

Where to Store It

  • Store the completed file in your compliance evidence folder (signed PDF for policies).
  • Register the document in COR-013 with version, owner, and next review date.
  • Link the file from your evidence index or SOC-005 project plan when you use Phase 3 trackers.

Next Steps

After customizing Evidence Index:

  1. 1Complete the file: Finish every section or tab in SOC-021.
  2. 2Register: Add version and owner to COR-013.
  3. 3Operationalize: Train owners listed in the document.
  4. 4Evidence: Keep exports auditors can sample during fieldwork.
Get SOC 2 Phase 3 Audit & Evidence Bundle See what’s included