Evidence Collection for SOC 2: Exactly What Auditors Want to See
SOC 2 · 6 min read · December 5, 2025

Evidence collection is where most SOC 2 engagements fall apart. Companies spend months implementing controls, then scramble in the final weeks trying to pull together screenshots, logs, and documentation that proves those controls actually worked.

Here's exactly what SOC 2 auditors want to see — and how to collect it without the scramble.

What Is Evidence in a SOC 2 Audit?

Evidence is documentation that proves your controls operated effectively during the audit period. For a Type II audit, this means evidence collected throughout the observation period — not just at the end.

Evidence comes in several forms:

  • System-generated reports: access logs, change logs, security scan results
  • Screenshots: configuration settings, dashboard views, policy acknowledgments
  • Documents: policies, procedures, contracts, training records
  • Tickets and records: change management tickets, incident reports, vendor reviews
  • Attestations: signed acknowledgments, management assertions

Evidence by Control Category

Access Control Evidence

  • User access reviews (quarterly or semi-annual) — list of users with access, confirmation of appropriateness
  • Onboarding/offboarding records — tickets showing access provisioned and deprovisioned
  • Privileged access logs — who has admin access and when they used it
  • MFA enrollment reports — showing all users have MFA enabled
  • Password policy configuration screenshots

Change Management Evidence

  • Change tickets for all production changes
  • Code review approvals (pull request approvals in GitHub/GitLab)
  • Deployment logs showing changes went through the approved process
  • Separation of duties evidence — developers can't deploy to production without approval

Vulnerability Management Evidence

  • Vulnerability scan results (monthly or quarterly)
  • Penetration test report and remediation tracking
  • Patch management records — showing critical patches applied within SLA
  • Dependency scanning results for application code

Incident Response Evidence

  • Incident log — all security incidents during the period
  • Incident response records — how each incident was handled
  • Post-incident reviews for significant incidents
  • Security monitoring alerts and dispositions

The most common audit finding: companies have good controls but poor evidence. The auditor can't attest to what they can't see. If you didn't document it, it didn't happen.

How to Automate Evidence Collection

Manual evidence collection is error-prone and time-consuming. The right approach is to automate as much as possible from day one of your observation period.

Dashr.ai, our security intelligence platform, automates evidence collection for most common controls. It continuously pulls data from your cloud providers, identity systems, and security tools — so when audit time comes, your evidence is already organized and ready.

  • Automated user access reports from Okta, Azure AD, Google Workspace
  • Continuous vulnerability scan results from your scanner
  • Cloud configuration snapshots from AWS, Azure, GCP
  • Automated policy acknowledgment tracking
  • Security training completion records

The Evidence Collection Calendar

Some evidence needs to be collected on a schedule. Here's what to collect and when:

  • Monthly: vulnerability scans, access log reviews, security monitoring summaries
  • Quarterly: user access reviews, vendor risk reviews, security metrics reports
  • Annually: penetration test, business continuity test, security awareness training completion
  • As-needed: change management tickets, incident reports, onboarding/offboarding records
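A way to check this calendar against what was actually collected, as an added example (not code from this article or from Dashr.ai): it splits the observation period into monthly, quarterly and annual windows and reports any window with no artifact, or with artifacts only pulled after the window had closed. The control names, the artifact fields (`covers`, `collected_on`), the 7-day grace period and the sample data are all assumptions made for illustration; as-needed evidence is event-driven and not covered.

```python
from datetime import date, timedelta

# Cadences from the calendar above, as months per collection window.
CADENCE_MONTHS = {"monthly": 1, "quarterly": 3, "annually": 12}
GRACE = timedelta(days=7)  # assumed tolerance before collection counts as retroactive

def windows(start, end, months):
    """Yield (window_start, window_end_exclusive); start must be the 1st of a month."""
    cur = start
    while cur < end:
        m = cur.month - 1 + months
        nxt = date(cur.year + m // 12, m % 12 + 1, 1)
        yield cur, min(nxt, end)
        cur = nxt

def review(schedule, artifacts, start, end):
    """Return (control, window_start, finding) for each window with weak evidence."""
    findings = []
    for control, cadence in schedule.items():
        for w_start, w_end in windows(start, end, CADENCE_MONTHS[cadence]):
            hits = [a for a in artifacts
                    if a["control"] == control and w_start <= a["covers"] < w_end]
            if not hits:
                findings.append((control, w_start, "missing"))
            elif all(a["collected_on"] >= w_end + GRACE for a in hits):
                findings.append((control, w_start, "retroactive"))
    return findings

def artifact(control, covers, collected_on=None):
    """Build one evidence record; collected_on defaults to the date it covers."""
    return {"control": control, "covers": covers, "collected_on": collected_on or covers}

# Constructed sample data: hypothetical control names, 12-month observation period.
SCHEDULE = {"vulnerability_scan": "monthly", "user_access_review": "quarterly",
            "penetration_test": "annually"}
ARTIFACTS = (
    [artifact("vulnerability_scan", date(2025, m, 15)) for m in range(1, 13) if m != 8]
    + [artifact("user_access_review", date(2025, 3, 20)),
       artifact("user_access_review", date(2025, 6, 18)),
       artifact("user_access_review", date(2025, 9, 30), date(2025, 12, 10)),  # pulled late
       artifact("user_access_review", date(2025, 12, 5)),
       artifact("penetration_test", date(2025, 10, 1), date(2025, 10, 20))]
)

if __name__ == "__main__":
    for control, w_start, finding in review(SCHEDULE, ARTIFACTS, date(2025, 1, 1), date(2026, 1, 1)):
        print(f"{w_start:%Y-%m}  {control:<20} {finding}")
```

Running a check like this monthly during the observation period surfaces a skipped scan or a late access review while there is still time to document why, rather than when the auditor's sample lands on it.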

What Auditors Actually Do With Your Evidence

SOC 2 auditors use a sampling methodology. They don't review every change ticket or every access review — they sample. For a 12-month observation period, they might sample 25 change tickets out of 500.

This means your evidence needs to be consistent throughout the period, not just good in the months before the audit. Auditors are trained to spot evidence that was collected retroactively or inconsistently.

The best defense: automate your evidence collection from day one and maintain it consistently throughout the observation period. That's exactly what Dashr.ai is built to do.

Careful Security Team
CISSP · CISA · GPEN · 20+ Years Experience
