SOC 2 Audit Evidence Package Checklist
Preparing for a SOC 2 audit means having the right evidence ready for every control your auditor will test. This checklist maps the documentation your auditor will ask for to the specific Trust Services Criteria (TSC) it satisfies, across all five Trust Services Categories: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Use it to work through your evidence package before the audit window closes and to avoid the gaps that most commonly delay or derail first submissions.
Key Takeaways
- Auditors require a retest attestation as a separate document from the original pentest report (missing this is the most common reason evidence is rejected on first submission)
- CC4.1 calls for separate evaluations of whether controls are present and functioning; auditors generally expect these to be performed by a party independent of the team that built and operates the controls, so an internal team's pentest on its own does not fully satisfy the separate evaluation requirement
- GRC tools like Drata, Vanta, and Secureframe automate a large portion of SOC 2 evidence collection but they cannot test whether authentication controls like password complexity or MFA bypass protections are actually enforced
- Only the Security category is mandatory for every report; each additional category you put in scope (Availability, Confidentiality, Processing Integrity, Privacy) requires its own evidence set
- Multi-tenant SaaS companies need explicit tenant isolation testing findings in their pentest report or risk a gap in Confidentiality controls
- The pentest must be conducted within the audit period (for a Type II report, within the observation period the report covers); testing that falls outside the window cannot be submitted as evidence