IT Operations & Cybersecurity Encyclopedia
SOC 2 access control evidence collection guide
SOC 2 access control evidence collection proves that user access is approved, appropriate, reviewed, logged, and removed when no longer needed. Strong evidence connects policies, system exports, tickets, screenshots, reviewer signoff, and audit logs into a clear story an auditor can test.
Why it matters
Prepare access evidence before the auditor asks
Access control is one of the most visible areas of a SOC 2 readiness effort because it touches identity, onboarding, offboarding, privileged roles, customer data, production systems, and administrative actions.
Good evidence is not just a screenshot. It should show who had access, why they had access, who approved it, when it was reviewed, what changed, and whether exceptions were documented.
This guide supports SOC 2 readiness planning and evidence organization. It does not replace guidance from a licensed CPA firm, auditor, attorney, or formal compliance advisor.
Practical rule: Every access control evidence item should answer who, what, when, why, who approved it, how it was enforced, and how exceptions were resolved.
Review scope
SOC 2 access evidence domains
User population
Export active users, roles, groups, external users, service accounts, disabled users, and system owners for each in-scope system.
Privileged access
Collect administrator lists, approval records, activation logs, emergency access records, and privileged access reviews.
Authentication controls
Document MFA, SSO, conditional access, password policy, device requirements, and approved exclusions.
Access lifecycle
Tie onboarding, role changes, transfers, terminations, vendor changes, and service account changes to approval tickets.
Access reviews
Retain reviewer decisions, removal tickets, retained-access justification, exception handling, and completion proof.
Audit trail
Capture logs for user, group, role, application, license, and permission changes during the audit period.
Review matrix
SOC 2 access evidence matrix
| Area | What to verify | Questions to answer | Evidence |
|---|---|---|---|
| Identity inventory | Users, groups, roles, service accounts, guests, disabled users, and system owners. | Who has access to in-scope systems? | User export, group export, role list, service account list, and owner signoff. |
| Privileged access | Administrators, elevated roles, emergency accounts, PIM activations, and privileged groups. | Who can administer the environment? | Admin export, approval ticket, activation log, access review, and exception record. |
| Authentication | MFA, SSO, conditional access, password policy, device controls, and exclusions. | How is access protected? | Policy screenshot, settings export, exclusion list, test evidence, and approval. |
| Lifecycle | New hire, role change, transfer, termination, vendor onboarding, and offboarding workflows. | Was access approved and removed on time? | HR record, access ticket, approval, provisioning log, deprovisioning log, and timestamp. |
| Reviews | Periodic access review, reviewer decisions, removals, retained access justification, and follow-up. | Is access still appropriate? | Access review export, reviewer signoff, removal ticket, exception log, and completion report. |
| Audit logs | User, group, role, application, license, service principal, and permission changes. | Can changes be independently traced? | Audit log export, query sample, retention proof, and investigation note. |
Step-by-step review
SOC 2 access evidence collection runbook
Confirm in-scope systems
List the applications, infrastructure, identity platforms, databases, cloud services, and customer-data systems included in the SOC 2 scope.
Export access populations
Collect user, group, role, administrator, service account, guest, and disabled-user exports from each in-scope system.
Collect authentication settings
Capture MFA, SSO, conditional access, password, device, and exception settings with screenshots or exported policy data.
Sample lifecycle tickets
Match new hires, transfers, terminations, and vendor changes to access requests, approvals, provisioning, and deprovisioning evidence.
Document access reviews
Retain reviewer decisions, retained access justification, removal actions, follow-up tickets, and final completion proof.
Export audit logs
Collect logs for user creation, group changes, role assignments, permission changes, application access, and privileged activity.
Package evidence by control
Name files consistently, preserve timestamps, include system owner signoff, and map evidence to the control request list.
Common risks
Common SOC 2 access evidence gaps
Screenshots without context
A screenshot should show system, date, scope, user population, and why it supports the control.
Privileged roles are missed
Administrators, break-glass accounts, service principals, and service accounts need special attention.
Access reviews are incomplete
Reviews need decisions, removals, retained-access justification, and evidence that follow-up happened.
Terminated users remain active
Offboarding evidence should show timely deactivation and removal from in-scope systems.
Exceptions lack expiration
MFA exclusions, shared accounts, or legacy access should have owners, approvals, compensating controls, and end dates.
Logs are not retained
Audit logs should be available for the period the auditor needs to test.
Related support
Where IT Perfection can help
IT Perfection can help organize Microsoft 365, Azure, endpoint, and application access evidence for managed IT and co-managed IT environments.
OC Security Audit can help prepare SOC 2 readiness evidence, access control reviews, Microsoft 365 security assessment findings, and remediation priorities.
Created by Ali Hassani, CISO
Professional SOC 2 access evidence support
Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.
This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.
Access evidence should be traceable and testable
Strong access evidence connects policy, user lists, approvals, lifecycle records, review decisions, audit logs, exceptions, and remediation proof.
FAQ
SOC 2 access control evidence FAQ
What access evidence do auditors usually request?
Common requests include user lists, admin lists, MFA evidence, access review results, onboarding and offboarding samples, permission change logs, and exception records.
Are screenshots enough for SOC 2 evidence?
Screenshots can help, but exports, logs, tickets, approvals, timestamps, and reviewer signoff usually make evidence stronger.
How often should access reviews be performed?
Frequency depends on scope and auditor expectations, but quarterly reviews are common for privileged and sensitive access.
Does this replace a CPA firm or auditor?
No. This is readiness and evidence organization guidance. Final SOC 2 audit requirements should be confirmed with the auditor or CPA firm.