When it comes down to collecting evidence for the SOC 2 audit itself, there are a few key points that one needs to remember. Obtaining and submitting the incorrect audit evidence can cause audit headaches as it will most times mean having to recapture, extract, and submit the evidence again - showing the necessary key elements.
However, remembering the key points beforehand can make this process efficient, seamless, and a total breeze.
Key points regarding SOC 2 evidence collection
The main purpose of an audit evidence is to verify and prove to the auditor that controls, processes, and configurations are in place, as you (the organization) claim they are. For example, if your backup control has a description stating that on a daily basis, there is an image of the production environment captured, and uploaded as a backup, then the evidence provided for this control would need to verify and prove this statement.
Keeping in mind the above control description, it is possible that someone may mistake the backup of the environment control for the audit trail backup control, which is another control required in SOC 2.
In this case, the organization may upload supporting evidence for this control to show that audit trails are captured, uploaded, and retained in a secure manner to prevent tampering, and in accordance with the retention policy. If a screenshot were to be snipped (as screenshots are often used for audit evidence), it may be difficult to see if it is taken from AWS Backup or if it is taken from AWS CloudTrail, for example. One screenshot represents and logs audit trails, and the other is focused on the actual data backup.
With this knowledge, it is a lot easier to see how audit evidence is not always straightforward. When providing audit evidence, it is important that the relevant control owner understands exactly what they need to upload.
Using the same backup example above, let's say the control owner went into AWS Backup and took a full screenshot, which would show the URL in AWS and the information on the screen itself (perhaps the existence of backups) and finally, the system timestamp. This would be a great piece of audit evidence, because:
- It shows the system where the screenshot was extracted from.
- By showing the system, the auditor can verify this is the production environment.
- The screenshot will show the actual information relevant to the control (i.e. the existence of backup images).
- The timestamp in the screenshot will be used to verify when the evidence was obtained (and prove that it is during the relevant audit period).
All of the above will verify both the completeness and accuracy of the evidence.
The timestamp attribute is a very important one in the audit evidence. The system timestamp is what is used to verify when the data is extracted. As a SOC 2 audit report gives coverage over a certain date (Type I) or over a period of time (Type II), it is mandatory to prove all evidence comes from within the audit period itself.
SOC 2 compliance and monitoring in depth
As a SOC 2 audit will be performed over a specific system, it is also important to be able to verify and prove which system the data is extracted from. As customers and customer data are processed through the production environment, this is the environment in ‘focus’ during an audit. It is pointless to provide documentation and processes that take place in the QA environment, as this does not replicate the ‘real-life’ situation of the operations of the business.
Another consideration with audit evidence is the type of audit evidence. In some controls, it will be most efficient to provide screenshots as described above. However, when considering long lists of users, data, or any kind of record that needs to be provided, there are other considerations here. Extracting a listing from a system, saving it as a .csv file, and uploading this as audit evidence can be insufficient. Think about how easily you could extract a listing, remove a few problematic records, and upload the file.
To prevent this, it is necessary to prove that no manipulation has taken place. There are a variety of ways to do this, but some of the best practises include:
- Being able to verify the record count on the source system before extracting the file (i.e. seeing that there are 100 records in the file), and comparing this to the record count of the extracted and uploaded file (and confirming it has 100 records).
- Being able to show where the listing was extracted from. If the listing passes through another system before being extracted, this too could be manipulated. To prevent this, the best practice is to export the data from the source system directly.
The importance of a SOC 2 compliance checklist for evidence
As you can see, there are many audit requirements that are non-negotiable when providing audit evidence. However, these concepts are pretty standard in most audit cases and once you are aware of and familiar with the process, collecting evidence will be a hassle-free process.