How do I collect SOC 2 evidence across multiple engineering teams?

March 6, 2026 | 2 min read | First-Time SOC 2

The Multi-Team Challenge

When you grow from one engineering team to multiple, SOC 2 evidence collection becomes more complex. Each team may use different repositories, deployment pipelines, and access controls. The auditor needs consistent evidence across all of them.

Standardize Before the Audit

Area                | What to Standardize                 | Why
Branch protection   | Same rules on all production repos  | Consistent change management evidence
CI/CD pipeline      | Same test and review requirements   | Uniform deployment controls
Access controls     | Same RBAC model across repos        | Consistent access evidence
PR template         | Same PR template for all teams      | Uniform change documentation
Deployment process  | Same deployment pipeline            | Consistent deployment evidence

The Coordination Model

Option 1: Designated Compliance Coordinator

Assign one person (often the CTO or an engineering lead) to:

  • Set compliance standards for all teams
  • Collect evidence from each team's repositories and systems
  • Run quarterly access reviews covering all teams
  • Serve as the auditor's primary contact

Option 2: Distributed Evidence Collection

Each team lead collects evidence for their systems:

  • Team lead takes screenshots of their repo settings
  • Team lead verifies branch protection and CI rules
  • Central coordinator reviews and organizes all evidence

Evidence Checklist Per Team

For each engineering team, collect:

  1. GitHub repository branch protection settings
  2. Team member list with roles
  3. CI/CD pipeline configuration
  4. Sample PRs (5 per team for auditor sampling)
  5. Access review for team-specific systems

Common Problems

  • Inconsistent branch protection: Team A requires 2 reviewers, Team B requires 0. Standardize.
  • Shadow repositories: Teams creating repos outside the main organization. Audit your GitHub org regularly.
  • Different deployment methods: Some teams deploy via CI, others deploy manually. Bring all teams onto the same pipeline.
  • Scattered evidence: Evidence stored in different team folders, Slack channels, or personal drives. Use one central evidence library.
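
The standardization table, the per-team evidence checklist (item 1, branch protection settings) and the first two common problems all come down to one question a coordinator has to answer repeatedly: does every production repo in the org meet the same baseline, and are there repos nobody told me about? The script below is an added example, not Screenata's tooling or part of the original post. It walks the organization with the real GitHub REST endpoints GET /orgs/{org}/repos and GET /repos/{owner}/{repo}/branches/{branch}/protection, records what each default branch enforces as a timestamped evidence record, and reports drift from a baseline plus any repo missing from the team inventory. The org name example-org, the repo names, the BASELINE values and the response payloads are constructed for the offline run; the fetch function is injected so the same logic can be pointed at the live API with a token.

```python
"""Collect branch-protection evidence for every repo in a GitHub org and
flag drift from a baseline. Added example (not the original post's code).
`fetch(path)` returns (http_status, parsed_json) so the collector can run
against the live API or, as here, against constructed sample responses."""

import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

API = "https://api.github.com"

# Hypothetical baseline every production repo is expected to meet.
BASELINE = {
    "required_approving_review_count": 2,
    "dismiss_stale_reviews": True,
    "strict_status_checks": True,
    "enforce_admins": True,
}


def github_fetch(token):
    """Build a fetch callable for the live API (needs a token with repo read scope)."""
    def fetch(path):
        req = urllib.request.Request(API + path, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        })
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, {}  # 404 on the protection endpoint means "not protected"
    return fetch


def summarize_protection(status, body):
    """Reduce the protection payload to the fields compared against BASELINE.
    Returns None when the branch has no protection rule at all (HTTP 404)."""
    if status == 404:
        return None
    reviews = body.get("required_pull_request_reviews") or {}
    checks = body.get("required_status_checks") or {}
    return {
        "required_approving_review_count": reviews.get("required_approving_review_count", 0),
        "dismiss_stale_reviews": reviews.get("dismiss_stale_reviews", False),
        "strict_status_checks": checks.get("strict", False),
        "enforce_admins": (body.get("enforce_admins") or {}).get("enabled", False),
    }


def collect_evidence(org, fetch, known_repos):
    """Return (evidence_records, findings) for all non-archived repos in `org`.
    `known_repos` is the coordinator's inventory of repos the teams reported;
    anything in the org but not in that set is a candidate shadow repository.
    per_page=100 covers small orgs; a live run should follow the Link header."""
    status, repos = fetch(f"/orgs/{org}/repos?per_page=100&type=all")
    if status != 200:
        raise RuntimeError(f"cannot list repos for {org}: HTTP {status}")
    evidence, findings = [], []
    for repo in repos:
        if repo.get("archived"):
            continue  # archived repos take no changes; out of scope for change management
        name, branch = repo["name"], repo["default_branch"]
        if name not in known_repos:
            findings.append(f"{name}: not in the team inventory (shadow repository?)")
        status, body = fetch(f"/repos/{org}/{name}/branches/{branch}/protection")
        actual = summarize_protection(status, body)
        evidence.append({
            "repo": name,
            "branch": branch,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "protection": actual,
        })
        if actual is None:
            findings.append(f"{name}: default branch '{branch}' has no protection rule")
            continue
        for field, expected in BASELINE.items():
            if actual[field] != expected:
                findings.append(f"{name}: {field} is {actual[field]}, baseline is {expected}")
    return evidence, findings


# Constructed sample responses standing in for the live API.
SAMPLE = {
    "/orgs/example-org/repos?per_page=100&type=all": (200, [
        {"name": "payments-api", "default_branch": "main", "archived": False},
        {"name": "web-frontend", "default_branch": "main", "archived": False},
        {"name": "hackday-bot", "default_branch": "master", "archived": False},
        {"name": "legacy-importer", "default_branch": "main", "archived": True},
    ]),
    "/repos/example-org/payments-api/branches/main/protection": (200, {
        "required_pull_request_reviews": {"required_approving_review_count": 2, "dismiss_stale_reviews": True},
        "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
        "enforce_admins": {"enabled": True},
    }),
    "/repos/example-org/web-frontend/branches/main/protection": (200, {
        "required_pull_request_reviews": {"required_approving_review_count": 0, "dismiss_stale_reviews": False},
        "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
        "enforce_admins": {"enabled": True},
    }),
    "/repos/example-org/hackday-bot/branches/master/protection": (404, {}),
}


def sample_fetch(path):
    return SAMPLE.get(path, (404, {}))


if __name__ == "__main__":
    records, problems = collect_evidence("example-org", sample_fetch, {"payments-api", "web-frontend"})
    print(json.dumps(records, indent=2))  # goes into the central evidence library
    for problem in problems:
        print("FINDING:", problem)
```

On the constructed data the run yields three evidence records (the archived repo is skipped) and four findings: web-frontend requires 0 approvals and does not dismiss stale reviews, and hackday-bot is both absent from the inventory and unprotected. Running the same collector on a schedule and storing the JSON output in one place gives the coordinator the "consistent evidence" the auditor asks for without each team lead taking screenshots by hand.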

© 2025 Screenata. All rights reserved.