Evidence requirements for SOC 2® Type I or Type II determine what you need to provide during your audit so the auditors can assess whether your implementation of controls is actually working, not just looking good on paper.
This post breaks down the different types of documentation and evidence needed for each type of audit so you can prepare effectively and avoid surprises.
Evidence Requirements for Type I
SOC 2® Type I focuses on control design at a specific point in time. Auditors want to confirm that your foundational controls are in place and correctly documented. The emphasis is on what exists, not yet on how well it’s working.
What auditors expect:
To meet SOC 2® Type I evidence requirements, you should be ready to present:
Up-to-date security policies and procedures covering areas like access control, encryption, incident response, and business continuity. These should be formally approved and version-controlled.
Organizational charts or team directories that define roles and responsibilities related to compliance.
System configuration evidence screenshots or read-only access to show that settings like MFA, password policies, and logging are enabled.
Template documentation, such as onboarding checklists, NDA forms, and acceptable use policies.
Acknowledgement records proving employees have reviewed and accepted policies (e.g., e-signatures, platform exports).
The goal is to prove that the framework exists. You don’t need to show ongoing activity yet, just that controls are well-designed and ready to operate.
For a more strategic overview of how SOC 2® works, especially for younger companies, our SOC 2 guide for founders breaks it down step-by-step.
Evidence Requirements for Type II
Type II audits go several steps further. Here, it’s not enough that controls exist, you have to show they’ve been executed consistently over a defined audit period, typically 3 to 12 months.
You and your auditor agree on the audit window at the beginning of the engagement. It’s important to note: the longer the audit window, the higher the expectations around consistency and quality of evidence.
A 3-month period is often used for your first Type II report. It’s a way to demonstrate early operational consistency without a long delay to market.
A 6-month window is common when clients request a bit more operational history or if you want to expand credibility without committing to a full year.
A 12-month audit period is typically expected by larger enterprise clients or security-conscious industries (e.g., finance, healthcare), and demonstrates robust control maturity over time.
What auditors expect:
You’ll need to provide real, time-bound evidence that your controls have been operating effectively. This includes:
System logs that verify user activity and security events, such as login attempts, MFA usage, account deactivations, and firewall changes across the entire audit window.
Change management records, like tickets or internal notes, prove that updates to systems followed your defined process.
Screenshots with timestamps, pulled at multiple points in time, to confirm that settings and processes remained consistent.
Incident reports or post-mortems, if any security events occurred, and evidence of how they were resolved.
Training logs and completion records, showing employees consistently complete required security awareness or compliance training.
Onboarding and offboarding data tied to documented processes. You’ll need to match real employee lifecycle events with supporting checklists, logs, and confirmations.
In practice, this means you’re showing: “We did what we said we would, and here’s the evidence over time.”
This is where many teams benefit from automation. Platforms like Humadroid help you collect and centralize evidence continuously, and version control, under specific SOC 2® controls, so you’re not scrambling weeks before the audit.
For foundational context on how SOC 2 Type II compares to Type I, we’ve also explained the difference between Type I and Type II and what kind of audit model fits your current maturity.
Evidence Format: What Works Best
To reduce friction during your audit, standardize your evidence collection:
Save screenshots with timestamps in filenames
Use shared folders organized by control area
Maintain an audit trail in your ticketing system (e.g., Jira, Zendesk, GRC tools)
Keep sign-off records exportable (e.g., PDFs or system exports)
A well-prepared evidence pack saves hours of back-and-forth during audit fieldwork.
If you’re unsure whether your audit will require short-term snapshots or long-term logging, see our guide on point-in-time vs period auditing.
Summary Table
Requirement Type | Type I Evidence | Type II Evidence |
---|---|---|
Policies and procedures | ✅ Required | ✅ Required |
Screenshots | ✅ One-time snapshot | ✅ Multiple with timestamps |
System logs | ❌ Not required | ✅ Required |
Tickets & workflows | ❌ Optional | ✅ Required |
Operational history | ❌ Not assessed | ✅ Must be demonstrated |
Training & HR records | ✅ Example docs | ✅ Matched to actual activity |
It’s never about perfection. it’s about common sense and the ability to prove what you do and learn from any mistake.
Type I says you’re ready. Type II says you’re reliable.
If you’re planning for Type II, the sooner you start collecting real evidence, the smoother the audit will be.
Platforms like Humadroid are designed to help you do just that, by enabling evidence tracking in real time, across teams and processes.