What is evidence and why is it important?
Evidence is what your auditor uses to verify that your controls, processes, and policies are in place. It is the tangible proof that you upload into the Strike Graph platform.
Effective Date
You will find Strike Graph most beneficial if the effective date of each attachment reflects the date on which the event actually occurred (for example, the date of the board meeting, document signature, last policy review, or screenshot capture), rather than the date you uploaded it. This keeps reminders of evidence expiration in line with your actual practices.
For a Type 2 audit in particular, it is essential that all evidence falls within the predetermined audit window. The effective date of these attachments should therefore be no later than the last day of the audit window.
Policy Review
Each policy should include the company name or logo, a revision history table (with a date of review within the last 12 months), and a named policy owner, and it should be free of internal comments and template language. It is also recommended that policy titles match the corresponding evidence and control titles.
Screenshot Best Practices
Your auditor will not accept screenshots without a date and time stamp, because that information is needed to confirm the capture falls within the relevant period. Similarly, the screenshot should show the source system it was captured from (e.g., the AWS console, Jira).
Verify Automated Collections are Valid
If you forget to update an item (a policy, screenshot, or other document) before its scheduled automated collection, the collected evidence will look valid but will not be current. Double-check your automatically collected items ahead of their collection dates.
For more SOC 2-specific guidance, check out "SOC 2 Controls - Tips and Tricks".
Pay particular attention to:
SOC 2 Type 1 and Type 2 audits:
Confirm that control language matches the inventory you are providing
At a minimum, both hardware and software assets should be included
All assets must be assigned an owner
All assets must be classified according to your company’s data classification scheme
Attestations may be included when evidence is unavailable because the situation did not occur, e.g., you had no new hires, no terminations, no new vendors, etc.
Include the date range that the attestation covers. (E.g., "Company had no new hires during the monitoring period, 1/1/22-12/31/22," or "Company had no new hires for the past year," not just "Company had no new hires.")
Include letterhead and signature.
Be prepared to show evidence of process design, even if you are attesting that you were unable to implement the process. E.g., even if you had no new hires and provide an attestation to that effect, you will likely still need to provide evidence that there is a new hire checklist that will be implemented when the company does have a new hire.
Custom controls must be mapped to criteria
Custom evidence must be linked to controls
All policies should include the following:
Company name/logo
Revision history table, including a date of review within the last 12 months
No internal comments/template language/examples/etc.
Titles of policies should match evidence titles
Include all IT vendors which have a significant impact on your business, at a minimum. You may choose to include additional vendors.
Additional details for SOC 2 Type 2 Audits:
Readiness: Be fully ready for audit at least one week prior to kickoff so that auditors can request populations and samples. This means all controls are set, all evidence is uploaded, and your System Description is complete.
Effective dates: Set effective dates of all populations, samples, and updated evidence to be within your monitoring period.
All evidence must be effective during your monitoring period, including evidence such as populations and samples that are requested after your monitoring period has ended.
The effective date in the platform will be automatically set to the upload date; you can change it by clicking on the kebab menu for the attachment and choosing “Change Effective Date.”
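The rules above (effective dates inside the monitoring period, policy review within the last 12 months, screenshots with a timestamp and source, attestations stating a date range with letterhead and signature) can be checked before kickoff rather than discovered during the audit. The following script is an added example, not Strike Graph's own tooling or a platform export format; the record fields, the calendar-year 2022 monitoring period, the 365-day reading of "12 months," and the sample attachments are all constructed assumptions.

```python
"""Pre-kickoff evidence check (added example; not Strike Graph's own tooling).

Encodes the evidence rules from this page: effective dates inside the
monitoring period, policy review within the last 12 months, screenshots with
a timestamp and source system, and attestations that state the date range
they cover and carry letterhead and a signature. Record fields are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Evidence:
    title: str
    kind: str                    # policy | screenshot | attestation | population | other
    effective_date: date         # the date the event occurred, not the upload date
    details: dict = field(default_factory=dict)


def review_item(item: Evidence, window_start: date, window_end: date, as_of: date) -> list:
    """Return the problems an auditor would raise for one attachment (empty if none)."""
    problems = []
    d = item.details

    # Every attachment: the effective date must fall inside the monitoring period.
    if item.effective_date > window_end:
        problems.append(f"effective date {item.effective_date} is after the window end {window_end}")
    elif item.effective_date < window_start:
        problems.append(f"effective date {item.effective_date} is before the window start {window_start}")

    if item.kind == "policy":
        # "Within the last 12 months" is read here as 365 days before the check date (assumption).
        last_review = d.get("last_review")
        if last_review is None or last_review < as_of - timedelta(days=365):
            problems.append("no policy review within the last 12 months")
        if not d.get("owner"):
            problems.append("no policy owner named")
        if d.get("has_template_text"):
            problems.append("contains template language or internal comments")
    elif item.kind == "screenshot":
        if not d.get("timestamp"):
            problems.append("screenshot has no date/time stamp")
        if not d.get("source"):
            problems.append("screenshot does not show its source system")
    elif item.kind == "attestation":
        if not (d.get("covers_from") and d.get("covers_to")):
            problems.append("attestation does not state the date range it covers")
        if not (d.get("letterhead") and d.get("signed")):
            problems.append("attestation lacks letterhead or signature")
    return problems


def review_evidence(items, window_start, window_end, as_of):
    """Map each attachment title to its problems; an empty dict means nothing to fix."""
    report = {}
    for item in items:
        problems = review_item(item, window_start, window_end, as_of)
        if problems:
            report[item.title] = problems
    return report


# Constructed sample data for a calendar-year 2022 monitoring period.
WINDOW_START, WINDOW_END = date(2022, 1, 1), date(2022, 12, 31)
AS_OF = date(2023, 1, 8)   # one week before kickoff
SAMPLE = [
    Evidence("Information Security Policy", "policy", date(2022, 9, 14),
             {"last_review": date(2022, 9, 14), "owner": "CISO"}),
    Evidence("Access Control Policy", "policy", date(2021, 6, 1),
             {"last_review": date(2021, 6, 1), "owner": "IT Lead"}),
    Evidence("AWS MFA enforcement", "screenshot", date(2022, 11, 2),
             {"timestamp": "2022-11-02 14:07 UTC", "source": "AWS IAM"}),
    Evidence("Jira change tickets", "screenshot", date(2023, 1, 5),
             {"timestamp": "2023-01-05 09:30 UTC", "source": "Jira"}),
    Evidence("No new hires attestation", "attestation", date(2022, 12, 31),
             {"letterhead": True, "signed": True}),
]

if __name__ == "__main__":
    for title, problems in review_evidence(SAMPLE, WINDOW_START, WINDOW_END, AS_OF).items():
        print(title)
        for p in problems:
            print("  -", p)
```

Run against the sample set, the check flags the stale Access Control Policy (effective date and last review both predate the window), the Jira screenshot captured after the window closed, and the attestation that never states which period it covers, while the current policy and the dated AWS screenshot pass. Adapting it to real data means exporting your attachment list with its effective dates and filling in the `details` fields from whatever your evidence register records.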