Traceability Matrix Guide
Map risks → controls → tests → evidence for audit traceability.
Traceability Matrix
SOC 2 traceability matrix template: shows how your program connects risks, controls, and proof; auditors use it for sample selection.
Recommended Owner: Security or Compliance
What this file is for
Document purpose
Maps TSC criteria → policies → evidence for audit traceability.
In your program: Status and Evidence ID must agree with the SOC-021 evidence register and the SOC-003 control scoping.
Before you start
Getting Started
- Enable Editing; read the Instructions sheet first for tab order and version metadata.
- Use dropdowns in validated columns; delete gray sample rows before auditor samples.
- Check Dashboard after updates — formulas flag gaps and acceptance rates.
Document tour
Fill out the file section by section
Work through the sections below in order. Each block matches a heading or tab in the downloaded SOC-022 file.
- Build after SOC-003 control scoping freeze; seed rows are examples only.
- After editing Instructions, search for `[` placeholders and gray sample names — auditors flag incomplete templates.
- TSC Criteria column = point IDs in scope (from SOC-023).
- Policy / Procedure = the procedure you actually operate, not just the policy title.
- Evidence ID must exist in SOC-021; Status Implemented vs Gap Identified drives remediation.
- Control Owner should match SOC-024 for that CC area.
TSC Criteria
- Fill TSC Criteria for every in-scope row on Traceability Matrix — use dropdowns where provided.
- Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.
Control Requirement
- Fill Control Requirement for every in-scope row on Traceability Matrix — use dropdowns where provided.
- Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.
Policy / Procedure
- Fill Policy / Procedure for every in-scope row on Traceability Matrix — use dropdowns where provided.
- Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.
Evidence Artifact
- Fill Evidence Artifact with a URL, ticket, or export path auditors can open — not a local-only path.
- Re-verify links before fieldwork; broken evidence links are a common audit finding.
Control Owner
- Name a person (not a team inbox) in Control Owner — auditors interview control owners.
- Must match COR-005 org chart or SOC-024 control owner assignments where applicable.
Status
- Select Status from the dropdown — free text breaks Dashboard formulas and heatmaps.
- Update through the lifecycle (Not Started → In Progress → Complete/Closed) before sign-off.
Evidence ID
- Fill Evidence ID with a URL, ticket, or export path auditors can open — not a local-only path.
- Re-verify links before fieldwork; broken evidence links are a common audit finding.
Notes
- Fill Notes for every in-scope row on Traceability Matrix — use dropdowns where provided.
- Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.
Quality check
Before You Finalize
- No Gap Identified rows without a remediation owner named in Notes.
- Dashboard Missing Evidence ID = 0 before fieldwork.
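The two finalize checks above, plus the row-level rules from the section walkthrough (no blank cells, no `[` placeholders, Status from the dropdown, Evidence ID present in SOC-021, evidence links that open, a named person as Control Owner), can be run mechanically over a CSV export of the Traceability Matrix tab. The script below is an added example, not part of the SOC-022 template or this guide. It assumes the column names used in this guide, an assumed Status dropdown list, a SOC-021 register available as a set of Evidence IDs, and the convention (assumed here) that a remediation owner is recorded in Notes as "Remediation owner: <name>"; the sample rows and register are constructed.

```python
"""Consistency checks for a traceability-matrix CSV export (added example).

Assumptions: column names as in the guide, Status dropdown values as listed
below, SOC-021 available as a set of Evidence IDs, and remediation owners
written in Notes as "Remediation owner: <name>".
"""
import csv
import io
import re

# Assumed dropdown values for Status.
STATUS_VALUES = {"Not Started", "In Progress", "Implemented",
                 "Gap Identified", "Complete/Closed"}
REQUIRED_COLUMNS = ["TSC Criteria", "Control Requirement", "Policy / Procedure",
                    "Evidence Artifact", "Control Owner", "Status",
                    "Evidence ID", "Notes"]
# Assumed Notes convention for naming a remediation owner.
REMEDIATION_RE = re.compile(r"remediation owner:\s*\S", re.IGNORECASE)
# Heuristic for local-only paths auditors cannot open.
LOCAL_PATH_RE = re.compile(r"^(file://|[a-zA-Z]:\\|/Users/|/home/|\\\\)")

# Constructed sample export; rows 4 and 5 deliberately carry defects.
SAMPLE_CSV = """TSC Criteria,Control Requirement,Policy / Procedure,Evidence Artifact,Control Owner,Status,Evidence ID,Notes
CC6.1,Logical access is restricted to authorized users,Access Control Procedure,https://tickets.example/ACC-101,Alice Example,Implemented,EV-001,Quarterly access review completed
CC6.2,New accounts are approved before provisioning,Onboarding Procedure,https://tickets.example/ACC-102,Bob Example,Gap Identified,EV-002,Remediation owner: Bob Example; approval step added to workflow
CC7.2,Security events are monitored and triaged,[Monitoring Procedure],C:\\evidence\\siem.xlsx,secops@example.com,Gap Identified,,No ticketing yet
CC8.1,Changes are tested and approved before release,Change Management Procedure,https://tickets.example/CHG-7,Carol Example,Done,EV-999,N/A - no releases this period
"""

# Constructed stand-in for the SOC-021 evidence register.
SOC021_EVIDENCE_IDS = {"EV-001", "EV-002", "EV-003"}


def load_rows(csv_text):
    """Parse the export into one dict per matrix row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def validate(rows, evidence_register):
    """Return (row_number, rule, detail) for every check a row fails."""
    findings = []
    for n, row in enumerate(rows, start=2):  # row 1 of the sheet is the header
        for col in REQUIRED_COLUMNS:
            value = (row.get(col) or "").strip()
            if not value:                      # blank cell on an active record
                findings.append((n, "blank-cell", col))
            elif "[" in value:                 # template placeholder left behind
                findings.append((n, "placeholder", col))
        status = row["Status"].strip()
        if status not in STATUS_VALUES:        # free text breaks Dashboard formulas
            findings.append((n, "status-not-in-dropdown", status))
        evid = row["Evidence ID"].strip()
        if evid and evid not in evidence_register:
            findings.append((n, "evidence-id-not-in-SOC-021", evid))
        if status == "Gap Identified" and not REMEDIATION_RE.search(row["Notes"]):
            findings.append((n, "gap-without-remediation-owner", row["Notes"]))
        if LOCAL_PATH_RE.match(row["Evidence Artifact"].strip()):
            findings.append((n, "local-only-evidence-path", row["Evidence Artifact"]))
        if "@" in row["Control Owner"]:        # a mailbox, not a person
            findings.append((n, "owner-is-mailbox", row["Control Owner"]))
    return findings


def dashboard(rows):
    """The two Dashboard counts the guide says must be clean before fieldwork."""
    missing = sum(1 for r in rows if not r["Evidence ID"].strip())
    gaps = sum(1 for r in rows if r["Status"].strip() == "Gap Identified")
    return {"missing_evidence_id": missing, "gap_identified": gaps}


def ready_for_fieldwork(rows, evidence_register):
    """True only when no row fails a check and Missing Evidence ID is 0."""
    return (not validate(rows, evidence_register)
            and dashboard(rows)["missing_evidence_id"] == 0)


if __name__ == "__main__":
    matrix = load_rows(SAMPLE_CSV)
    for finding in validate(matrix, SOC021_EVIDENCE_IDS):
        print("row %d: %s (%s)" % finding)
    print(dashboard(matrix), "ready:", ready_for_fieldwork(matrix, SOC021_EVIDENCE_IDS))
```

Run it against a real export by replacing `SAMPLE_CSV` with the file contents and `SOC021_EVIDENCE_IDS` with the IDs from your evidence register; every finding names the sheet row and the rule it breaks, so the list doubles as the remediation checklist before the Dashboard is trusted.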
Evidence
Where to Store It
- Store the completed file in your compliance evidence folder (signed PDF for policies).
- Register the document in COR-013 with version, owner, and next review date.
- Link the file from your evidence index or SOC-005 project plan when you use Phase 3 trackers.