| Audit Type | Configuration Evidence | Population Samples | Total Pieces |
|---|---|---|---|
| Type I | 40-60 screenshots | None | 40-60 |
| Type II (3-month window) | 40-60 screenshots | 10-15 per control tested | 80-120 |
| Type II (12-month window) | 40-60 screenshots | 20-25 per control tested | 120-200 |
Auditors follow AICPA sampling guidance. For population-based testing, the sample size depends on how many times the control operated during the audit period:
| Population Size | Typical Sample |
|---|---|
| 1-5 events | Test all |
| 6-50 events | 5-10 samples |
| 51-250 events | 15-20 samples |
| 250+ events | 25 samples |
For example, if you merged 300 PRs during a 12-month audit period, the auditor samples 25 PRs to verify change management controls.
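As an added example (not code from the original page), the sampling tiers above turned into a pre-audit self-check: it counts the PRs merged inside the audit window, takes the upper end of each tier as the sample size, draws a reproducible sample the way an auditor might, and flags sampled PRs that lack an approval or a passing CI run. The PR record fields (`id`, `merged`, `approved`, `ci_passed`) and the 300-PR data set are constructed assumptions.

```python
# Added example (not from the original page): a pre-audit self-check that
# applies the page's sampling tiers to a constructed list of merged PRs,
# draws a reproducible sample and flags PRs missing change-management
# evidence. Record fields (id, merged, approved, ci_passed) are assumptions.
import random
from datetime import date

# Sampling tiers from the page: (upper bound of population, sample size);
# None means "test all". The upper end of each range is used.
SAMPLE_TIERS = [(5, None), (50, 10), (250, 20), (float("inf"), 25)]


def sample_size(population: int) -> int:
    """How many events an auditor would typically sample."""
    for upper, size in SAMPLE_TIERS:
        if population <= upper:
            return population if size is None else min(size, population)
    return 0  # never reached: the last tier has no upper bound


def in_window(prs, start: date, end: date):
    """Only PRs merged inside the audit period count as control operations."""
    return [pr for pr in prs if start <= pr["merged"] <= end]


def audit_sample(prs, start: date, end: date, seed: int = 2024):
    """Sample the in-window population and report PRs lacking evidence."""
    population = in_window(prs, start, end)
    n = sample_size(len(population))
    picked = random.Random(seed).sample(population, n)
    exceptions = [pr["id"] for pr in picked
                  if not (pr["approved"] and pr["ci_passed"])]
    return {"population": len(population), "sampled": n,
            "exceptions": sorted(exceptions)}


def constructed_prs():
    """300 PRs across 2024 (a few missing approval or CI) plus 2 out of window."""
    prs = [{"id": i + 1, "merged": date(2024, 1 + i % 12, 1 + i % 28),
            "approved": i % 97 != 0, "ci_passed": i % 113 != 0}
           for i in range(300)]
    prs.append({"id": 301, "merged": date(2023, 12, 31), "approved": True, "ci_passed": True})
    prs.append({"id": 302, "merged": date(2025, 1, 2), "approved": True, "ci_passed": True})
    return prs


if __name__ == "__main__":
    print(audit_sample(constructed_prs(), date(2024, 1, 1), date(2024, 12, 31)))
```

Running the self-check on the full year reports a population of 300 and a sample of 25; any exception it lists is a PR you should fix or document before the auditor draws their own sample.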
| Control Area | Screenshots Needed |
|---|---|
| Access controls (CC6) | MFA settings, user lists, role assignments, access reviews — 10-15 screenshots |
| Change management (CC8) | Branch protection, CI config, sample PRs — 5-10 screenshots + population |
| System monitoring (CC7) | Alerting config, logging settings, incident records — 5-10 screenshots |
| Logical access (CC6) | Firewall rules, security groups, encryption — 5-10 screenshots |
| Risk management (CC3) | Risk assessment document, vendor reviews — 3-5 documents |
- Automate infrastructure evidence with GRC platforms or API integrations
- Use Screenata for application-level screenshots with built-in timestamps
- Maintain controls consistently — auditors request more samples when they find exceptions
- Organize by control — create folders matching TSC criteria (CC6.1, CC7.2, CC8.1) so evidence is easy to find during the audit