How to collect SOC 2 evidence
SOC 2 isn’t a document you write the week before the audit - it’s proof that your controls actually operated all year. Here’s how to collect that proof without the scramble.
What a last-minute SOC 2 costs
SOC 2 is increasingly the price of entry to sell to other businesses - a prospect’s security team asks for the report before they’ll sign. The trap is treating it as a documentation exercise. A Type II report attests that your controls operated effectively across a period, usually three to twelve months, so evidence gathered in a panic at the end can’t prove what happened months earlier.
Why SOC 2 evidence is hard to collect
- Evidence is scattered across identity providers, ticketing, HR systems, cloud consoles, and scanners.
- Type II demands evidence spanning the whole audit window, not a single point in time.
- Controls must be mapped to the Trust Services Criteria, and one control often satisfies several.
- Manual evidence - screenshots, exports - goes stale the moment it’s captured and has to be redone.
- Onboarding and offboarding, access reviews, and change approvals must be provable for every instance in the period.
The Continuous Evidence Path
Five steps, in order
- 1
Scope the report and select criteria
Choose Type I or Type II and which Trust Services Criteria apply - Security is required; Availability, Confidentiality, Processing Integrity, and Privacy are added based on what you promise customers.
- 2
Map controls to the criteria
Write each control and link it to the criteria it satisfies, so you know exactly what evidence each control must produce and where a single control covers several requirements.
- 3
Automate continuous evidence collection
Connect the source systems so evidence - access reviews, MFA status, change tickets, scan results, onboarding records - is captured automatically and timestamped throughout the window.
- 4
Run a readiness and gap assessment
Before the auditor arrives, test each control against its evidence to find gaps while there’s still time to remediate and re-observe.
- 5
Support auditor fieldwork and remediate
Hand the auditor a clean, mapped evidence set for sampling, answer requests from the trail rather than a scramble, and remediate any findings with documented follow-up.
How Fintra automates each step
| Criterion | What it covers | Required? |
|---|---|---|
| Security (Common Criteria) | Protection against unauthorized access - the baseline every report includes. | Always |
| Availability | Systems are available for operation and use as committed. | Optional |
| Confidentiality | Information designated confidential is protected. | Optional |
| Processing Integrity | Processing is complete, valid, accurate, and timely. | Optional |
| Privacy | Personal information is collected, used, and disposed of per commitments. | Optional |
| Step | What Fintra does |
|---|---|
| Scope and select | SentriAI governance maps your commitments to the applicable Trust Services Criteria. |
| Map controls | Each control is linked to the criteria it satisfies in one control register. |
| Collect continuously | Evidence is captured and timestamped across the audit window, not screenshotted at the end. |
| Readiness assessment | Gaps between control and evidence surface before fieldwork, with time to remediate. |
| Fieldwork support | A clean, mapped evidence set is ready for the auditor to sample and trace. |
Because SentriAI governance sits on the same platform as the finance and HR systems generating the evidence, controls over access, approvals, and change are proven from the underlying activity itself - continuous by construction rather than reconstructed at audit time.
Your SOC 2 evidence checklist
Set these up at the start of your audit window, not the end
- Decide Type I vs Type II and confirm the observation period.
- Select the Trust Services Criteria that match your customer commitments.
- Write a control register and map each control to its criteria.
- Connect source systems so evidence is collected automatically and timestamped.
- Schedule recurring controls - access reviews, scans - and prove every occurrence.
- Capture onboarding and offboarding evidence for every employee in the period.
- Run a readiness assessment to close gaps before the auditor arrives.
- Keep an audit trail so fieldwork requests are a lookup, not a scramble.
Frequently asked questions
What is the difference between SOC 2 Type I and Type II?
Type I attests that your controls are suitably designed at a single point in time; Type II attests that they operated effectively across a period, usually three to twelve months. Type II is what most customers ultimately want because it proves the controls actually ran, and it is why continuous evidence matters - you cannot demonstrate operating effectiveness from a snapshot taken during audit week.
What counts as SOC 2 evidence?
Evidence is proof a control operated: access-review records with dates and reviewers, MFA configuration, change-management tickets with approvals, vulnerability-scan results, onboarding and offboarding records, and system logs. For a Type II report the evidence must span the whole observation window and be timestamped, which is why automated, continuous collection beats a folder of one-time screenshots.
How do I map controls to the Trust Services Criteria?
Start from the criteria in scope - Security is always required, with Availability, Confidentiality, Processing Integrity, and Privacy added based on your customer commitments - then write each control and link it to the criteria it satisfies. A single control often covers several criteria. The mapping tells you exactly which evidence each control must produce, which is the backbone of an efficient audit.
How far in advance should I start collecting SOC 2 evidence?
Start at the beginning of your audit window, not before fieldwork. Because a Type II report covers a period, evidence has to exist across that entire period - a recurring control missed early in the window can’t be recreated later. Setting up continuous collection on day one, then running a readiness assessment before the auditor arrives, is what keeps the audit from becoming a fire drill.
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.
Make SOC 2 continuous, not a scramble
Fintra’s SentriAI layer maps controls and collects timestamped evidence all year. Free to start, no card required.
Talk to us