How-to Playbook

How to collect SOC 2 evidence

SOC 2 isn’t a document you write the week before the audit - it’s proof that your controls actually operated all year. Here’s how to collect that proof without the scramble.

Talk to usFree to start - no card required.

What a last-minute SOC 2 costs

SOC 2 is increasingly the price of entry to sell to other businesses - a prospect’s security team asks for the report before they’ll sign. The trap is treating it as a documentation exercise. A Type II report attests that your controls operated effectively across a period, usually three to twelve months, so evidence gathered in a panic at the end can’t prove what happened months earlier.

Why SOC 2 evidence is hard to collect

  • Evidence is scattered across identity providers, ticketing, HR systems, cloud consoles, and scanners.
  • Type II demands evidence spanning the whole audit window, not a single point in time.
  • Controls must be mapped to the Trust Services Criteria, and one control often satisfies several.
  • Manual evidence - screenshots, exports - goes stale the moment it’s captured and has to be redone.
  • Onboarding and offboarding, access reviews, and change approvals must be provable for every instance in the period.

The Continuous Evidence Path

Five steps, in order

  1. 1

    Scope the report and select criteria

    Choose Type I or Type II and which Trust Services Criteria apply - Security is required; Availability, Confidentiality, Processing Integrity, and Privacy are added based on what you promise customers.

  2. 2

    Map controls to the criteria

    Write each control and link it to the criteria it satisfies, so you know exactly what evidence each control must produce and where a single control covers several requirements.

  3. 3

    Automate continuous evidence collection

    Connect the source systems so evidence - access reviews, MFA status, change tickets, scan results, onboarding records - is captured automatically and timestamped throughout the window.

  4. 4

    Run a readiness and gap assessment

    Before the auditor arrives, test each control against its evidence to find gaps while there’s still time to remediate and re-observe.

  5. 5

    Support auditor fieldwork and remediate

    Hand the auditor a clean, mapped evidence set for sampling, answer requests from the trail rather than a scramble, and remediate any findings with documented follow-up.

How Fintra automates each step

CriterionWhat it coversRequired?
Security (Common Criteria)Protection against unauthorized access - the baseline every report includes.Always
AvailabilitySystems are available for operation and use as committed.Optional
ConfidentialityInformation designated confidential is protected.Optional
Processing IntegrityProcessing is complete, valid, accurate, and timely.Optional
PrivacyPersonal information is collected, used, and disposed of per commitments.Optional
Trust Services Criteria coverage
StepWhat Fintra does
Scope and selectSentriAI governance maps your commitments to the applicable Trust Services Criteria.
Map controlsEach control is linked to the criteria it satisfies in one control register.
Collect continuouslyEvidence is captured and timestamped across the audit window, not screenshotted at the end.
Readiness assessmentGaps between control and evidence surface before fieldwork, with time to remediate.
Fieldwork supportA clean, mapped evidence set is ready for the auditor to sample and trace.
Evidence step to Fintra module

Because SentriAI governance sits on the same platform as the finance and HR systems generating the evidence, controls over access, approvals, and change are proven from the underlying activity itself - continuous by construction rather than reconstructed at audit time.

Your SOC 2 evidence checklist

Set these up at the start of your audit window, not the end

  • Decide Type I vs Type II and confirm the observation period.
  • Select the Trust Services Criteria that match your customer commitments.
  • Write a control register and map each control to its criteria.
  • Connect source systems so evidence is collected automatically and timestamped.
  • Schedule recurring controls - access reviews, scans - and prove every occurrence.
  • Capture onboarding and offboarding evidence for every employee in the period.
  • Run a readiness assessment to close gaps before the auditor arrives.
  • Keep an audit trail so fieldwork requests are a lookup, not a scramble.

Frequently asked questions

What is the difference between SOC 2 Type I and Type II?

Type I attests that your controls are suitably designed at a single point in time; Type II attests that they operated effectively across a period, usually three to twelve months. Type II is what most customers ultimately want because it proves the controls actually ran, and it is why continuous evidence matters - you cannot demonstrate operating effectiveness from a snapshot taken during audit week.

What counts as SOC 2 evidence?

Evidence is proof a control operated: access-review records with dates and reviewers, MFA configuration, change-management tickets with approvals, vulnerability-scan results, onboarding and offboarding records, and system logs. For a Type II report the evidence must span the whole observation window and be timestamped, which is why automated, continuous collection beats a folder of one-time screenshots.

How do I map controls to the Trust Services Criteria?

Start from the criteria in scope - Security is always required, with Availability, Confidentiality, Processing Integrity, and Privacy added based on your customer commitments - then write each control and link it to the criteria it satisfies. A single control often covers several criteria. The mapping tells you exactly which evidence each control must produce, which is the backbone of an efficient audit.

How far in advance should I start collecting SOC 2 evidence?

Start at the beginning of your audit window, not before fieldwork. Because a Type II report covers a period, evidence has to exist across that entire period - a recurring control missed early in the window can’t be recreated later. Setting up continuous collection on day one, then running a readiness assessment before the auditor arrives, is what keeps the audit from becoming a fire drill.

Stay in the loop

One practical finance briefing a week - new guides, checklists, and benchmarks.

 

Make SOC 2 continuous, not a scramble

Fintra’s SentriAI layer maps controls and collects timestamped evidence all year. Free to start, no card required.

Talk to us