Log in

SOC 2 Evidence Collection

Home » Glossary Items » SOC 2 » SOC 2 Evidence Collection

When it comes down to collecting evidence for the SOC 2 audit itself, there are a few key points that one needs to remember. Obtaining and submitting the incorrect audit evidence can cause audit headaches as it will most times mean having to recapture, extract, and submit the evidence again – showing the necessary key elements.

However, remembering the key points beforehand can make this process efficient, seamless, and a total breeze.

Key points regarding SOC 2 evidence collection

The main purpose of an audit evidence is to verify and prove to the auditor that controls, processes, and configurations are in place, as you (the organization) claim they are. For example, if your backup control has a description stating that on a daily basis, there is an image of the production environment captured, and uploaded as a backup, then the evidence provided for this control would need to verify and prove this statement.

Keeping in mind the above control description, it is possible that someone may mistake the backup of the environment control for the audit trail backup control, which is another control required in SOC 2.

In this case, the organization may upload supporting evidence for this control to show that audit trails are captured, uploaded, and retained in a secure manner to prevent tampering, and in accordance with the retention policy. If a screenshot were to be snipped (as screenshots are often used for audit evidence), it may be difficult to see if it is taken from AWS Backup or if it is taken from AWS CloudTrail, for instance. One screenshot represents and logs audit trails, and the other is focused on the actual data backup.

With this knowledge, it is a lot easier to see how audit evidence is not always straightforward. When providing audit evidence, it is important that the relevant control owner understands exactly what they need to upload.

Example

Using the same backup example mentioned above, let’s say the control owner went into AWS Backup and took a full screenshot, which would show the URL in AWS and the information on the screen itself (perhaps the existence of backups) and finally, the system timestamp. This would be a great piece of audit evidence, because:

It shows the system where the screenshot was extracted from.
By showing the system, the auditor can verify this is the production environment.
The screenshot will show the actual information relevant to the control (i.e. the existence of backup images).
The timestamp in the screenshot will be used to verify when the evidence was obtained (and prove that it is during the relevant audit period).

All of the above will verify both the completeness and accuracy of the evidence.

The timestamp attribute is a very important one in the audit evidence. The system timestamp is what is used to verify when the data is extracted. As a SOC 2 audit report gives coverage over a certain date (Type I) or over a period of time (Type II), it is mandatory to prove all evidence comes from within the audit period itself.

SOC 2 compliance and monitoring in depth

As a SOC 2 audit will be performed over a specific system, it is also important to be able to verify and prove which system the data is extracted from. As customers and customer data are processed through the production environment, this is the environment in ‘focus’ during an audit. It is pointless to provide documentation and processes that take place in the QA environment, as this does not replicate the ‘real-life’ situation of the operations of the business.

Another consideration with audit evidence is the type of audit evidence. In some controls, it will be most efficient to provide screenshots as described above. However, when considering long lists of users, data, or any kind of record that needs to be provided, there are other considerations here. Extracting a listing from a system, saving it as a .csv file, and uploading this as audit evidence can be insufficient. Think about how easily you could extract a listing, remove a few problematic records, and upload the file.

To prevent this, it is necessary to prove that no manipulation has taken place. There are a variety of ways to do this, but some of the best practices include:

Being able to verify the record count on the source system before extracting the file (i.e. seeing that there are 100 records in the file), and comparing this to the record count of the extracted and uploaded file (and confirming it has 100 records).
Being able to show where the listing was extracted from. If the listing passes through another system before being extracted, this too could be manipulated. To prevent this, the best practice is to export the data from the source system directly.

The importance of a SOC 2 compliance checklist for evidence

As you can see, there are many audit requirements that are non-negotiable when providing audit evidence. However, these concepts are pretty standard in most audit cases and once you are aware of and familiar with the process, collecting evidence will be a hassle-free process.

Back

You may also like

Blog

April 9, 2024
SOC 2 Type 1 Guide: Everything You Need To Know

Which type of SOC 2 report is best for your organization and what are their differences?
Blog

March 24, 2024
How To Speed Up Your SOC 2 Audit Without Breaking A Sweat

What’s the fastest way to pass a SOC 2 audit? Simple: you need to plan carefully.
Blog

March 4, 2024
The Latest SOC 2 Revisions and What They Mean for Your Business

Do you know what the latest SOC 2 updates mean for your company as you prepare for your next audit? This blog breaks them down for you.
Blog

February 28, 2024
5 Things To Avoid When Implementing SOC 2

There are a number of common mistakes that businesses make when implementing SOC 2.
Blog

February 6, 2024
SOC 2 Audit: The Essentials for Data Security and Compliance

Read All the Essential Steps and Requirements for Preparing for a SOC 2 Audit to Ensure Data Security and Compliance.
Blog

January 31, 2024
The Ultimate SOC 2 Checklist for SaaS Companies

Here’s a handy SOC 2 compliance checklist to help you prepare for your SOC 2 compliance audit and realize your business’ security goals.
Blog

January 23, 2024
Do You Really Need a SOC 2 Report?

You might be asking yourself, “do I really need a SOC 2 report?”
Blog

January 22, 2024
The Right Compliance Framework for Your Startup: Common Compliance Frameworks

A guide to compliance frameworks for startups, with everything you need to know about the most common frameworks and how they apply.
Blog

January 9, 2024
SOC 2 Report Examples for 2024: Insights into Top-Tier Compliance

A SOC 2 report demonstrates how effectively your business has implemented SOC 2 security controls across the five TSC.
Blog

January 3, 2024
The Importance of SOC 2 Templates

In this piece, we're talking about SOC 2 templates and their role in making the compliance process far less complicated.
Blog

December 5, 2023
5 Reasons Why You Need a SOC 2 Report

Here’s five of the most compelling reasons why your business needs SOC 2.
Blog

November 20, 2023
SOC 2 Scope: How it’s Defined

How creating a comprehensive SOC 2 scope can benefit your business, and how to get there.
Blog

October 11, 2023
How Long Does It Really Take To Get SOC 2 Compliant?

When considering how long SOC 2 takes to achieve, you need to consider the entire SOC 2 journey.
Blog

September 4, 2023
What is SOC 2 Compliance Automation Software and Why is it Important?

SOC 2 automation doesn’t simply make compliance easier, it also makes it possible.
Blog

August 7, 2023
What to Look for During a SOC 2 Readiness Assessment

A SOC 2 readiness assessment is a way of examining your systems to make sure it’s compliant with security controls of the SOC 2 standard.