# Why does your SOC 2 auditor keep asking for more evidence?

## Common Reasons for Additional Evidence Requests

| Reason | Example | How to Prevent |
|---|---|---|
| Missing timestamp | Screenshot has no date visible | Include system clock or page timestamp |
| Wrong environment | Captured staging instead of production | Always capture from production |
| Unclear what's shown | Cropped too tightly, context lost | Include URL bar and page header |
| Insufficient sample size | Provided 5 PRs, auditor needs 25 | Ask auditor for expected sample sizes upfront |
| Missing period coverage | Evidence only shows one month of a 6-month period | Collect evidence throughout the observation period |
| Policy-evidence gap | Policy claims a control that the evidence doesn't demonstrate | Align policies with what you can actually prove |

## The Cycle That Frustrates Startups

- You submit evidence
- Auditor reviews it 3-5 business days later
- Auditor requests additional or clearer evidence
- You spend 2-3 hours re-collecting
- Submit again, wait another 3-5 days
- Repeat
This cycle can extend an audit by weeks. The fix is frontloading quality: make sure every piece of evidence is clear, timestamped, and from the right environment before the first submission.
## How to Minimize Follow-Up Requests

Before the audit:
- Ask your auditor for their evidence request list (most have a standard template)
- Ask what sample sizes they expect for population testing
- Confirm which environment they want to see (production, always)
During evidence collection:
- Include the browser URL bar in every screenshot
- Show a visible date/time in every capture
- Name files descriptively: "aws-iam-mfa-enforcement-2026-03.png"
- Organize evidence by control (CC6.1, CC7.2, CC8.1)
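A pre-submission check like the one below catches the table's rejection reasons (missing timestamp, wrong environment, short sample, gaps in period coverage) before the first upload, which is what frontloading quality means in practice. This is an added illustration, not code from the original article; the `Evidence` record, the sample sizes in `EXPECTED_SAMPLES`, the six-month `PERIOD` and the file names in `SAMPLE_BUNDLE` are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class Evidence:
    control: str           # criterion the artifact supports, e.g. "CC6.1"
    path: str              # descriptive file name, e.g. "aws-iam-mfa-enforcement-2026-03.png"
    environment: str       # where it was captured; the auditor expects "production"
    captured: date | None  # date visible on the capture; None means no timestamp shown

# Hypothetical sample sizes agreed upfront; a value above 1 marks a population-tested control.
EXPECTED_SAMPLES = {"CC6.1": 1, "CC7.2": 1, "CC8.1": 25}
PERIOD = (date(2026, 1, 1), date(2026, 6, 30))  # hypothetical observation period

def months_between(start: date, end: date) -> list[tuple[int, int]]:
    months, y, m = [], start.year, start.month  # (year, month) pairs in the period, inclusive
    while (y, m) <= (end.year, end.month):
        months.append((y, m))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return months

def lint_evidence(items, start, end, expected=EXPECTED_SAMPLES) -> list[str]:
    """One finding per reason the bundle would come back with a follow-up request."""
    findings, by_control = [], {}
    for e in items:
        by_control.setdefault(e.control, []).append(e)
        if e.captured is None:
            findings.append(f"{e.path}: no visible timestamp")
        elif not start <= e.captured <= end:
            findings.append(f"{e.path}: captured outside the observation period")
        if e.environment != "production":
            findings.append(f"{e.path}: captured from {e.environment}, not production")
    for control, want in expected.items():
        have = by_control.get(control, [])
        if len(have) < want:
            findings.append(f"{control}: {len(have)} samples provided, auditor expects {want}")
        if want > 1:  # population-tested: every month of the period needs a dated sample
            covered = {(e.captured.year, e.captured.month) for e in have if e.captured}
            for y, m in months_between(start, end):
                if (y, m) not in covered:
                    findings.append(f"{control}: no sample dated {y}-{m:02d}")
    return findings
# Constructed sample bundle (not real evidence) carrying several of the table's defects.
SAMPLE_BUNDLE = [
    Evidence("CC6.1", "aws-iam-mfa-enforcement-2026-03.png", "production", date(2026, 3, 2)),
    Evidence("CC7.2", "alerting-dashboard-2026-03.png", "staging", None),
    Evidence("CC8.1", "pr-review-0001-2026-01.png", "production", date(2026, 1, 15)),
    Evidence("CC8.1", "pr-review-0002-2026-02.png", "production", date(2026, 2, 20)),
]
```

Running `lint_evidence(SAMPLE_BUNDLE, *PERIOD)` returns seven findings: the staging capture with no date, the short CC8.1 sample, and the four months of the period with no change-management sample.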
If the auditor asks for more:
- Clarify exactly what they need before re-collecting: ask for a specific example of acceptable evidence
- Address all requests in one batch rather than one at a time