IT Operations & Cybersecurity Encyclopedia

SOC 2 access control evidence collection guide

SOC 2 access control evidence collection proves that user access is approved, appropriate, reviewed, logged, and removed when no longer needed. Strong evidence connects policies, system exports, tickets, screenshots, reviewer signoff, and audit logs into a clear story an auditor can test.

SOC 2Access controlEvidenceMFAAccess reviews

Why it matters

Prepare access evidence before the auditor asks

Access control is one of the most visible areas of a SOC 2 readiness effort because it touches identity, onboarding, offboarding, privileged roles, customer data, production systems, and administrative actions.

Good evidence is not just a screenshot. It should show who had access, why they had access, who approved it, when it was reviewed, what changed, and whether exceptions were documented.

This guide supports SOC 2 readiness planning and evidence organization. It does not replace guidance from a licensed CPA firm, auditor, attorney, or formal compliance advisor.

Practical rule: Every access control evidence item should answer who, what, when, why, who approved it, how it was enforced, and how exceptions were resolved.

Review scope

SOC 2 access evidence domains

User population

Export active users, roles, groups, external users, service accounts, disabled users, and system owners for each in-scope system.

Privileged access

Collect administrator lists, approval records, activation logs, emergency access records, and privileged access reviews.

Authentication controls

Document MFA, SSO, conditional access, password policy, device requirements, and approved exclusions.

Access lifecycle

Tie onboarding, role changes, transfers, terminations, vendor changes, and service account changes to approval tickets.

Access reviews

Retain reviewer decisions, removal tickets, retained-access justification, exception handling, and completion proof.

Audit trail

Capture logs for user, group, role, application, license, and permission changes during the audit period.

Review matrix

SOC 2 access evidence matrix

AreaWhat to verifyQuestions to answerEvidence
Identity inventoryUsers, groups, roles, service accounts, guests, disabled users, and system owners.Who has access to in-scope systems?User export, group export, role list, service account list, and owner signoff.
Privileged accessAdministrators, elevated roles, emergency accounts, PIM activations, and privileged groups.Who can administer the environment?Admin export, approval ticket, activation log, access review, and exception record.
AuthenticationMFA, SSO, conditional access, password policy, device controls, and exclusions.How is access protected?Policy screenshot, settings export, exclusion list, test evidence, and approval.
LifecycleNew hire, role change, transfer, termination, vendor onboarding, and offboarding workflows.Was access approved and removed on time?HR record, access ticket, approval, provisioning log, deprovisioning log, and timestamp.
ReviewsPeriodic access review, reviewer decisions, removals, retained access justification, and follow-up.Is access still appropriate?Access review export, reviewer signoff, removal ticket, exception log, and completion report.
Audit logsUser, group, role, application, license, service principal, and permission changes.Can changes be independently traced?Audit log export, query sample, retention proof, and investigation note.

Step-by-step review

SOC 2 access evidence collection runbook

1

Confirm in-scope systems

List the applications, infrastructure, identity platforms, databases, cloud services, and customer-data systems included in the SOC 2 scope.

2

Export access populations

Collect user, group, role, administrator, service account, guest, and disabled-user exports from each in-scope system.

3

Collect authentication settings

Capture MFA, SSO, conditional access, password, device, and exception settings with screenshots or exported policy data.

4

Sample lifecycle tickets

Match new hires, transfers, terminations, and vendor changes to access requests, approvals, provisioning, and deprovisioning evidence.

5

Document access reviews

Retain reviewer decisions, retained access justification, removal actions, follow-up tickets, and final completion proof.

6

Export audit logs

Collect logs for user creation, group changes, role assignments, permission changes, application access, and privileged activity.

7

Package evidence by control

Name files consistently, preserve timestamps, include system owner signoff, and map evidence to the control request list.

Common risks

Common SOC 2 access evidence gaps

Screenshots without context

A screenshot should show system, date, scope, user population, and why it supports the control.

Privileged roles are missed

Administrators, break-glass accounts, service principals, and service accounts need special attention.

Access reviews are incomplete

Reviews need decisions, removals, retained-access justification, and evidence that follow-up happened.

Terminated users remain active

Offboarding evidence should show timely deactivation and removal from in-scope systems.

Exceptions lack expiration

MFA exclusions, shared accounts, or legacy access should have owners, approvals, compensating controls, and end dates.

Logs are not retained

Audit logs should be available for the period the auditor needs to test.

Related support

Where IT Perfection can help

IT Perfection can help organize Microsoft 365, Azure, endpoint, and application access evidence for managed IT and co-managed IT environments.

OC Security Audit can help prepare SOC 2 readiness evidence, access control reviews, Microsoft 365 security assessment findings, and remediation priorities.

Created by Ali Hassani, CISO

Professional SOC 2 access evidence support

Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.

This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.

Access evidence should be traceable and testable

Strong access evidence connects policy, user lists, approvals, lifecycle records, review decisions, audit logs, exceptions, and remediation proof.

FAQ

SOC 2 access control evidence FAQ

What access evidence do auditors usually request?

Common requests include user lists, admin lists, MFA evidence, access review results, onboarding and offboarding samples, permission change logs, and exception records.

Are screenshots enough for SOC 2 evidence?

Screenshots can help, but exports, logs, tickets, approvals, timestamps, and reviewer signoff usually make evidence stronger.

How often should access reviews be performed?

Frequency depends on scope and auditor expectations, but quarterly reviews are common for privileged and sensitive access.

Does this replace a CPA firm or auditor?

No. This is readiness and evidence organization guidance. Final SOC 2 audit requirements should be confirmed with the auditor or CPA firm.