Inevitably, organizations run into the scenario where they have designed a control, but there have been no instances of the control occurring during the audit period. In other words, there is simply no sample to show an auditor.
Guidance for SOC 2 Type 1 Audits
Generally speaking, if you are pursuing a SOC 2 Type 1 audit, your auditor should accept evidence that the control has been designed properly, meaning you have a policy, procedure, or technical configuration that describes what happens when the control is triggered. In this case, it is acceptable to simply upload a text file to the evidence sample request stating that no occurrence has been recorded yet.
For example, the Incident Response: Process control has a linked evidence item titled Security Incident Resolution, which requests a ticket or similar evidence for a recently resolved security incident. For a Type 1 audit, this item could be satisfied by uploading a text file stating, "No security incidents have occurred as of [date of audit kickoff]. Please see the Incident Response Policy for more information."
Guidance for SOC 2 Type 2 Audits
If you are pursuing a SOC 2 Type 2 audit, your auditor will generally need to see more than a simple text attestation. Regarding the example given above, they will likely need to see screenshots of the tracking system showing that no instances have occurred.
The Incident Response: Process control also has a linked evidence item titled Security Incident List. For a Type 2 audit, it will likely be necessary to upload to this evidence item a screenshot of the system in which you would track security incidents, even if you have not yet logged any incidents.
The point of this is to prove to the auditor that you have a defined process in place and have set up incident logging. Then, for the Security Incident Resolution evidence item, you could upload a text file stating, "No security incidents have occurred as of [dates of monitoring period]. Please see the Security Incident List evidence item and Incident Response Policy for more information."
You can also use our Attestation of Non-Occurrence Template linked below:
More Details
Non-occurrences happen when there has been no instance of the control occurring during the audit period. For example, you likely have breach procedures written and may have even tested how it will all work with a run-through. However, if there has not yet been an actual data breach, there is no sample to give to the auditor. Maybe you haven't had to terminate an employee yet, but the termination procedures exist. In both scenarios, you have designed a control, but there is simply no sample to test against. In these scenarios, your auditor may state they were unable to test the control due to timing or because the control was ‘not eventuated.’ This is not a control failure and does not negatively impact your SOC 2 report conclusion.
You have designed a control and consider it to be in place, but it is too soon for an example. This often occurs with HR processes in very young organizations, such as the annual performance review. You have identified the control (annual performance review) that you intend to perform, but a year has not yet passed to trigger the review. For a Type 2, your auditor may be uncomfortable but should still be able to test the design of your control without seeing a sample.
You may also be asked to identify other controls to demonstrate that you have addressed the relevant SOC 2 criteria. Using the performance review control example, your auditor may request to see other methods for meeting criterion 1.5, which reads: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. For example, have you had to terminate anyone for performance? If you were able to retain documentation, your auditor might accept this as evidence. Alternatively, have you set up a regular cadence of 1:1 meetings between managers and staff? If notes are retained from these meetings, the meetings can serve as the control, with the notes as auditable evidence. It is also acceptable not to include the performance review control this year and to add it to your SOC 2 next year.
Tip: Use the Strike Graph evidence expiration date to remind you to upload your evidence. For the annual performance review example, set the expiration date for the performance review documentation to one year (plus ~10-20 days) from the staff member's hire date.