Skip to main content
All CollectionsSOC 2 Framework & Audit GuidanceCompliance Implementation & Maintenance
Audit-related evidence essentials
Audit-related evidence essentials

How to ensure success with the evidence you’re uploading

Stephanie Lorraine avatar
Written by Stephanie Lorraine
Updated over a week ago

What is evidence and why is it important?

Evidence is what your auditor uses to verify your controls, processes, and policies are in place. It is the tangible proof that you upload into the Strike Graph platform.

Effective Date

You will find Strike Graph to be most beneficial if the effective date for your attachment reflects the date in which the event occurred (for example: the date of the board meeting, document signature, last policy review, or screenshot capture). This will ensure that reminders of evidence expiration are in alignment with your practices.

For a Type 2 audit in particular, it is essential that all evidence is uploaded within the predetermined audit window. Therefore, the effective date for these attachments should not be outside of the last day of the audit window.

Policy Review

Each policy should include the company name or logo, revision history table - including a date of review within the last 12 months - a policy owner, and absence of any internal comments or template language. It is also recommended that titles of policies match the evidence title/control titles.

Screenshot Best Practices

Your auditor will not accept screenshots without a date & time stamp as this information is needed to validate the relevancy of the example. Similarly, the screenshot should include the source of the screen capture (i.e. - AWS, Jira, etc).

Verify Automated Collections are Valid

If you forget to update an item before the automated collection (policy, screenshot document), evidence that seems to be valid will not be current. Make sure to double check your automated collection items prior to collection dates.

For more SOC 2-specific guidance, check out "SOC 2 Controls - Tips and Tricks".

Pay particular attention to:

SOC 2 Type 1 and Type 2 audits:

Asset Inventory:

  • Confirm that control language matches the inventory you are providing

  • At a minimum, both hardware and software assets should be included

  • All assets must be assigned an owner

  • All assets must be classified according to your company’s data classification scheme

Attestations:

  • Attestations may be included if evidence is unavailable due to a situation not occurring, e.g., you had no new hires, no terminations, no new vendors, etc.

  • Include a date range that the attestation covers. (E.g. “Company had no new hires during the monitoring period, 1/1/22-12/31/22,” or “Company had no new hires for the past year., not just “Company had no new hires.”)

  • Include letterhead and signature.

  • Be prepared to show evidence of process design, even if you are attesting that you were unable to implement the process. E.g., even if you had no new hires and provide an attestation to that effect, you will likely still need to provide evidence that there is a new hire checklist that will be implemented when the company does have a new hire.

Custom control/evidence mapping/linking:

  • Custom controls must be mapped to criteria

  • Custom evidence must be linked to controls

Policies:

  • All policies should include the following:

    • Company name/logo

    • Revision history table, including a date of review within the last 12 months

    • No internal comments/template language/examples/etc.

  • Titles of policies should match evidence titles

Vendor Risk Register:

  • Include all IT vendors which have a significant impact on your business, at a minimum. You may choose to include additional vendors.

Additional details for SOC 2 Type 2 Audits:

Readiness: Be fully ready for audit at least one week prior to kickoff so that auditors can request populations and samples. This means all controls are set, all evidence is uploaded, and your System Description is complete.

Effective dates: Set effective dates of all populations, samples, and updated evidence to be within your monitoring period.

  • All evidence must be effective during your monitoring period, including evidence such as populations and samples that are requested after your monitoring period has ended.

  • The effective date in the platform will be automatically set to the upload date; you can change it by clicking on the kebab menu for the attachment and choosing “Change Effective Date.”

Did this answer your question?