Free PBC Tracker Guide

Starter auditor PBC checklist with 18 common evidence requests — upgrade to SOC-028 for full fieldwork tracking.

free SOC 2 PBC tracker template preview (FREE-SOC-01)
.xlsx FREE-SOC-01

Free PBC Tracker & Evidence Request List

Starter auditor PBC checklist with 18 common evidence requests — upgrade to SOC-028 for full fieldwork tracking.

Download free PBC tracker (.xlsx) View SOC 2 Phase 3 Audit & Evidence Bundle
How to Fill Out This Free PBC Tracker & Evidence Request List

Free SOC 2 PBC tracker template — Track what your auditor will request before fieldwork starts. Assign owners and due dates, link evidence, and monitor acceptance on the Dashboard. This free workbook is a subset of the paid SOC-028 PBC tracker.

Recommended Owner: Security Lead or GRC analyst | Update weekly during audit prep

What this file is for

Document purpose

Starter PBC tracker for audit prep — 18 common evidence requests with internal and auditor status columns.

In your program: Free lead-in to SOC-028 (full PBC) and SOC-021 (evidence index). Not a substitute for your auditor’s final PBC list.

Before you start

Getting Started

  • Enable Editing; read the Instructions sheet first.
  • Delete gray sample PBC rows after you understand the format.
  • Upgrade to SOC-028 when you need evidence-index IDs and full auditor import workflows.

Document tour

Fill out the file section by section

Work through the sections below in order. Each block matches a heading or tab in the downloaded FREE-SOC-01 file.

Instructions
  • Set workbook owner and import or replace starter PBC rows with your auditor’s list.
  • Link to FREE-001 readiness scan and FREE-SOC-02 Q&A prep in the Works With section.
PBC List
  • PBC ID: keep stable (PBC-001…) — auditors map requests to your IDs.
  • PBC Item / Description: mirror auditor wording in the Description column for easy matching.
  • TSC Ref: tie each row to CC criterion (e.g., CC6.3) for SOC-003 crosswalk.
  • Internal Status vs Auditor Status: do not mark Accepted until the auditor confirms.
  • Evidence Link: SharePoint/drive URL or ticket — must open for the auditor.
  • Delete italic gray example rows before sharing externally.

PBC ID

  • Assign stable PBC ID values — never reuse an ID for a different record in the audit period.
  • Cross-reference IDs in related toolkit docs (SOC-021, COR-014, HR-001, etc.).

PBC Item

  • Assign stable PBC Item values — never reuse an ID for a different record in the audit period.
  • Cross-reference IDs in related toolkit docs (SOC-021, COR-014, HR-001, etc.).

Description / Auditor Ask

  • Fill Description / Auditor Ask for every in-scope row on PBC List — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

TSC Ref

  • Fill TSC Ref for every in-scope row on PBC List — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Type

  • Fill Type for every in-scope row on PBC List — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Priority

  • Fill Priority for every in-scope row on PBC List — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Assigned To

  • Fill Assigned To for every in-scope row on PBC List — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Due Date

  • Use consistent Due Date format (YYYY-MM-DD) aligned with HRIS, IdP, or LMS exports.
  • Dates must match supporting evidence — auditors compare log timestamps to HR records.

Internal Status

  • Select Internal Status from the dropdown — free text breaks Dashboard formulas and heatmaps.
  • Update through the lifecycle (Not Started → In Progress → Complete/Closed) before sign-off.

Auditor Status

  • Select Auditor Status from the dropdown — free text breaks Dashboard formulas and heatmaps.
  • Update through the lifecycle (Not Started → In Progress → Complete/Closed) before sign-off.

Evidence Link

  • Fill Evidence Link with a URL, ticket, or export path auditors can open — not a local-only path.
  • Re-verify links before fieldwork; broken evidence links are a common audit finding.

Auditor Notes

  • Fill Auditor Notes for every in-scope row on PBC List — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Quality check

Before You Finalize

  • Every Critical/High row has owner, due date, and Evidence Link before fieldwork.
  • Replace starter rows with your auditor’s actual PBC wording where it differs.
  • Dashboard shows no overdue Critical/High items still Pending with auditors.

Evidence

Where to Store It

  • Store the completed file in your compliance evidence folder (signed PDF for policies).
  • Register the document in COR-013 with version, owner, and next review date.
  • Link the file from your evidence index or SOC-005 project plan when you use Phase 3 trackers.

Next Steps

After customizing Free PBC Tracker & Evidence Request List:

  1. 1Complete the file: Finish every section or tab in FREE-SOC-01.
  2. 2Register: Add version and owner to COR-013.
  3. 3Operationalize: Train owners listed in the document.
  4. 4Evidence: Keep exports auditors can sample during fieldwork.
Download free PBC tracker (.xlsx) View SOC 2 Phase 3 Audit & Evidence Bundle