SOC 2 Evidence Collection: What Assessors Actually Ask For
In SOC 2 evidence collection, assessors sample the artifacts that prove each control operated across the audit period: access-review sign-offs, deprovisioning tickets closed within SLA, change tickets carrying peer review and approval, the annual risk assessment with tracked remediation, penetration test results, security-training completion records, and dated backup restore tests. In a Type II they don't take your word for it once. They pull a sample across the observation window and confirm the control ran every time it was supposed to. The teams that pass cleanly aren't the ones with the strongest controls on paper. They're the ones whose evidence is indexed by Trust Services Criteria and retrievable in minutes, not reconstructed the week before fieldwork.
What evidence does a SOC 2 assessor sample per control area?
Assessors map every request back to a Trust Services Criterion, so it pays to think the same way. Below is what they typically pull for the common criteria that carry most SOC 2 reports, and what a passing artifact actually looks like.
For a Type II, sample size scales with control frequency. A quarterly access review over a 12-month period yields four occurrences, and the assessor may test all four. A daily or continuous control gets sampled against a population, commonly 25 to 40 instances depending on the assessor's methodology. Miss one occurrence in the window and it can become an exception, even if the control works today.
- Logical access (CC6.1): current user access listings showing MFA enforced and least privilege, plus your IdP or SSO policy configuration. Assessors reconcile the listing against HR headcount to catch orphaned or shared accounts.
- Access reviews (CC6.3): dated quarterly review exports with a named reviewer, sign-off, and proof that flagged access was actually revoked rather than just noted.
- Deprovisioning (CC6.2): joiner/mover/leaver tickets showing access removed within SLA (commonly 24 hours for terminations). They match the ticket timestamp against the HR termination date.
- Change management (CC8.1): change tickets with a linked pull request, a peer reviewer distinct from the author, and documented approval before deploy. A merge with zero reviewers is the fastest route to an exception.
- Risk assessment (CC3.1/CC3.2): the annual risk assessment, the risk register, and evidence that identified risks carry owners and remediation dates.
- Vulnerability management and pen testing (CC7.1, supported by CC4.1): the most recent penetration test report, remediation tracking for findings, and recurring vulnerability scan evidence.
- Security awareness training (CC1.4/CC2.2): completion records covering all in-scope personnel, with dates inside the audit period and coverage for new hires.
- Backups and recovery (A1.2/A1.3): backup configuration showing encryption at rest (AES-256) and a dated restore test proving recoverability, not just that backups run.
- Monitoring and incident response (CC7.2/CC7.3, with CC7.4 for response): log retention configuration (often 90 days or more), alerting evidence, and any incident tickets with response timelines.
How should I organize a SOC 2 evidence repository?
Structure the repository by Trust Services Criteria, not by tool or team, because that is how the assessor's request list is organized. When they ask for CC6.2 deprovisioning evidence, you want one folder holding every artifact for that criterion across the period, already labeled.
A practical index carries one row per control: the criterion reference, the control owner, the collection frequency, the evidence type, and the storage location. Keep it in a spreadsheet or your GRC platform so the walkthrough you hand the assessor mirrors their fieldwork exactly.
- Name folders by criterion and control family: /CC6-Logical-Access, /CC7-Operations, /CC8-Change-Management, /A1-Availability.
- Date and version every artifact (2026-Q1-access-review.csv) so an assessor sampling a specific quarter finds it without asking.
- Capture evidence when the control runs, not retroactively. Screenshots reconstructed in month 11 are obvious and invite deeper testing.
- Keep raw system exports, not summaries. Assessors want the system-generated report, not a hand-typed table that could have been edited.
- Record who produced each artifact and when, so the chain of custody holds up during the walkthrough.
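One way to turn that index into a pre-fieldwork check is to compute the periods an assessor can sample for each control and flag the ones with no dated artifact, the same gap a Type II sample would surface. This is an added example with constructed index rows and filenames, not code from the original page; it assumes the dating convention above (2026-Q1-… or 2026-04-… prefixes).

```python
from datetime import date, timedelta

# Constructed sample index (one row per control, as described above), not a real export.
# Artifact names carry the period as a prefix: "2026-Q1-..." or "2026-04-...".
AUDIT_START, AUDIT_END = date(2026, 1, 1), date(2026, 12, 31)

EVIDENCE_INDEX = [
    {"criterion": "CC6.3", "control": "quarterly access review", "owner": "it-lead",
     "frequency": "quarterly",
     "artifacts": ["2026-Q1-access-review.csv", "2026-Q2-access-review.csv",
                   "2026-Q4-access-review.csv"]},          # Q3 review never exported
    {"criterion": "A1.3", "control": "backup restore test", "owner": "sre",
     "frequency": "monthly",
     "artifacts": [f"2026-{m:02d}-restore-test.pdf" for m in range(4, 13)]},  # enabled in month 4
]


def expected_periods(frequency, start, end):
    """Period labels an assessor can sample for a control over the observation window."""
    labels = []
    d = start
    while d <= end:
        if frequency == "quarterly":
            labels.append(f"{d.year}-Q{(d.month - 1) // 3 + 1}")
        elif frequency == "monthly":
            labels.append(f"{d.year}-{d.month:02d}")
        else:
            raise ValueError(f"unsupported frequency: {frequency}")
        d = (d.replace(day=1) + timedelta(days=32)).replace(day=1)  # first day of next month
    return list(dict.fromkeys(labels))  # dedupe, keep order (quarterly repeats per month)


def find_gaps(index, start=AUDIT_START, end=AUDIT_END):
    """Return {criterion: [period labels with no dated artifact]} for the window."""
    gaps = {}
    for row in index:
        have = {"-".join(name.split("-")[:2]) for name in row["artifacts"]}
        missing = [p for p in expected_periods(row["frequency"], start, end) if p not in have]
        if missing:
            gaps[row["criterion"]] = missing
    return gaps


if __name__ == "__main__":
    for criterion, periods in find_gaps(EVIDENCE_INDEX).items():
        print(f"{criterion}: no evidence for {', '.join(periods)}")
```

Run against the real index, each reported period is a sampling slot the assessor can document as an exception before you have had a chance to explain it.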
What's the difference between Type I and Type II evidence?
A Type I tests design at a single point in time, so evidence is a snapshot: as of the report date, MFA is enforced, the review process exists, the policy is signed. A Type II tests operating effectiveness across a period, usually 3 to 12 months, so evidence must show the control ran repeatedly and on schedule throughout that window.
That is why Type II is unforgiving of gaps. Enable a control in month four and the first three months have no evidence, which the assessor documents. Start collecting from day one of your observation period and treat the earliest window as the highest-risk stretch of the audit.
- Type I: point-in-time snapshots proving each control is designed and in place as of the report date.
- Type II: recurring, dated artifacts proving each control operated throughout the observation period.
- Gap risk: any month a control lacked evidence surfaces as an exception, and backfilling after the fact rarely holds up.
- Best practice: begin collection on day one of the period and audit your earliest months first, since that is where evidence is thinnest.
What evidence trips teams up most often?
The recurring failures are rarely missing controls. They are timing and completeness gaps in processes that genuinely exist.
Two concepts worth knowing before fieldwork: CUECs and bridge letters. Complementary User Entity Controls (CUECs) are the responsibilities your report pushes onto your customers, and you should be able to point to yours in the report. A bridge letter (gap letter) covers the interval between your report's period end and a customer's reliance date; it is management's attestation that nothing material changed, not a substitute for evidence, so don't lean on it to paper over a control that lapsed.
- Deprovisioning tickets closed outside SLA, or a terminated employee still present in the access listing during reconciliation.
- Change tickets where the author approved their own merge, breaking segregation of duties.
- Access reviews performed but with no evidence that flagged items were remediated.
- Training completions dated after the period end, or new hires with no record at all.
- Backups configured but never restore-tested, so recoverability is asserted rather than proven.
- A penetration test that is stale (older than 12 months) or has open critical findings with no remediation trail.
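The first three failures above are reconciliations the assessor performs mechanically, so they can be run the same way in advance. This added example (not from the original page) uses constructed HR, IdP, ticket and change-management exports and assumes the 24-hour termination SLA cited earlier.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=24)  # deprovisioning SLA for terminations cited in the article

# Constructed sample exports; in practice these are the raw system-generated reports.
HR_ROSTER = {                          # employee -> termination timestamp (None = active)
    "alice": None,
    "bob": datetime(2026, 3, 2, 17, 0),
    "carol": datetime(2026, 5, 10, 9, 0),
}
LISTING_DATE = datetime(2026, 6, 1)
ACCESS_LISTING = {"alice", "bob", "dave"}   # accounts in the IdP export on LISTING_DATE
DEPROV_TICKETS = {                          # employee -> ticket closed timestamp
    "bob": datetime(2026, 3, 4, 10, 0),     # closed 41h after termination
    "carol": datetime(2026, 5, 10, 15, 0),  # closed 6h after termination
}
CHANGE_TICKETS = [
    {"id": "CHG-101", "author": "alice", "reviewers": ["carol"], "approver": "carol"},
    {"id": "CHG-102", "author": "bob", "reviewers": [], "approver": "bob"},
]


def orphaned_accounts(listing, roster, listing_date):
    """Accounts in the access export with no active HR record on the listing date."""
    return sorted(u for u in listing
                  if u not in roster or (roster[u] is not None and roster[u] <= listing_date))


def deprovisioning_exceptions(roster, tickets, sla=SLA):
    """Terminations with no deprovisioning ticket, or one closed after the SLA elapsed."""
    out = {}
    for user, terminated in roster.items():
        if terminated is None:
            continue
        closed = tickets.get(user)
        if closed is None:
            out[user] = "no deprovisioning ticket"
        elif closed - terminated > sla:
            hours = (closed - terminated) / timedelta(hours=1)
            out[user] = f"closed {hours:.0f}h after termination"
    return out


def sod_violations(changes):
    """Change tickets with no independent reviewer or approved by their own author."""
    return [c["id"] for c in changes
            if not c["reviewers"] or c["author"] in c["reviewers"] or c["approver"] == c["author"]]
```

Each hit is something the assessor's reconciliation would also find; fixing the ticket trail before the period closes is the only remedy, since the timestamps themselves cannot be revised.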
FAQ
How far back do SOC 2 assessors sample evidence?
For a Type II, across the entire observation period, typically 3 to 12 months. Sample size scales with control frequency, so a quarterly control over a year yields four testable occurrences while a daily control may be sampled 25 to 40 times against its population. Any period where a control lacked evidence can become an exception, which is why collection should begin on day one of the window.
What is the fastest way to fail a SOC 2 Type II?
Reconstructing evidence right before fieldwork and carrying timing gaps: deprovisioning tickets closed outside SLA, change merges with no independent reviewer, or a control turned on partway through the period. Assessors compare system-generated timestamps against HR and deploy records, so backdated or summarized artifacts invite deeper testing rather than fewer questions.
Do I need a separate tool to manage SOC 2 evidence?
No. A folder tree organized by Trust Services Criteria plus an index spreadsheet listing each control's owner, frequency, evidence type, and location is enough for a first audit. A GRC platform earns its keep once collection frequency and headcount grow, mainly by automating capture and flagging stale or missing artifacts before the assessor does.
SOC 2 evidence collection is won on organization and timing, not control strength: index every artifact by Trust Services Criterion, capture it the moment each control runs, and start on day one of your observation period so a Type II sample finds a complete, dated trail for every control.