Practical checklist

SOC 2 Evidence Collection Checklist

Use this checklist to organize evidence, ownership, and review records before an independent CPA firm performs a SOC 2 examination.

Governance and scope

  • Confirm the system, services, locations, people, vendors, and Trust Services Criteria in scope.
  • Assign a control owner and evidence owner for each requirement.
  • Document management approvals, risk decisions, exceptions, and remediation commitments.
  • Maintain a current system description and responsibility matrix.

Identity, access, and workforce

  • User provisioning and termination records.
  • Multifactor authentication coverage and configuration evidence.
  • Privileged-access lists and periodic access reviews.
  • Background screening, confidentiality, training, and acknowledgement records where applicable.

Technology and operations

  • Endpoint, cloud, email, logging, vulnerability, backup, and monitoring reports.
  • Change-management tickets, approvals, testing records, and deployment history.
  • Incident response plans, exercises, incidents, lessons learned, and follow-up actions.
  • Vendor inventory, due diligence, agreements, and ongoing review records.

Evidence quality checks

  • Evidence clearly identifies the source system, collection date, reviewer, and relevant period.
  • Screenshots include enough context to show the system and setting being represented.
  • Recurring controls include samples across the examination period, not only the most recent instance.
  • Exceptions are documented rather than hidden or explained only verbally.

Important boundary

This checklist supports readiness and evidence organization. The independent CPA firm defines examination requirements, selects samples, evaluates control design and operation, and issues the SOC 2 report.

Explore SOC 2 readiness