What counts as SOC 2 evidence?
What Counts as SOC 2 Evidence?
SOC 2 evidence is any artifact that demonstrates your security controls are implemented and operating effectively. Auditors need proof — not promises — that your organization follows the policies it claims to follow.
Evidence falls into several categories:
| Evidence Type | Examples | Used For |
|---|---|---|
| Screenshots | Access control settings, MFA configs, firewall rules | Proving configuration at a point in time |
| Configuration exports | IAM policies, security group rules, encryption settings | Machine-readable proof of controls |
| Logs | Audit trails, access logs, change management records | Proving ongoing operation |
| Policy documents | Information security policy, incident response plan | Proving governance exists |
| Tickets/records | Change requests, access reviews, incident reports | Proving processes are followed |
How Much Evidence Do Auditors Need?
For a SOC 2 Type I audit, auditors need evidence that controls are designed and implemented at a single point in time. For Type II, they need evidence covering the entire audit period (typically 3–12 months), showing controls operated consistently.
Most organizations collect 50–200 pieces of evidence per audit. The exact number depends on the Trust Services Criteria in scope (Security, Availability, Processing Integrity, Confidentiality, Privacy).
Where Does Screenata Fit?
Screenata automates the collection of application-level evidence — the screenshots, configuration exports, and control validations that GRC platforms like Drata and Vanta cannot capture automatically. Instead of manually taking screenshots and organizing them, Screenata records your workflow and generates audit-ready evidence with full traceability.