Compliance

The SOC 2 evidence tax: why your control evidence is eating your engineering calendar

Most SOC 2 programs fail at collection, not at design. A look at why evidence gathering takes three times longer than it should — and the pattern we use to cut it down.

Taha Zubair

Founder, Cloud Upload · 4 min

Ask any engineering manager at a Series B what they hate most about SOC 2, and the answer won’t be “the controls.” It will be “the screenshots.” The evidence-collection phase of a SOC 2 audit is where teams who passed the design review quietly drown.

Key takeaway

The SOC 2 evidence tax is not an auditor problem. It is a collection architecture problem — and almost every company pays it unnecessarily because they treat evidence as a quarterly project instead of a byproduct of how they already work.

What the evidence tax actually looks like

A typical Series B company with 40 controls will be asked for somewhere between 120 and 200 pieces of evidence across a 12-month observation window. That number is deceptive because each “piece” is actually a sample. An auditor doesn’t want one access review — they want the list of access reviews completed each quarter, plus proof of who performed them, plus proof that revocations happened when required.

The total evidence artefact count at the end of a clean SOC 2 Type II is usually 600 to 1,200 individual files. At a company where nobody was designing for collection, every one of those files is a ticket, a Slack thread, or a frantic Friday export.

Where the time actually goes

We’ve tracked hours across a dozen audits. The breakdown is consistent:

  • ~15% — controls that need human judgment (incident postmortems, vendor reviews, risk assessments).
  • ~25% — controls where the evidence exists but is in the wrong format (a dashboard screenshot instead of a CSV, a Slack message instead of a ticket).
  • ~60% — controls where the evidence exists, is in the right format, and just needs to be extracted from the system that already has it.

That last bucket is the tax. Every hour an engineer spends exporting a report that their tooling could export automatically is an hour the audit cost them, not the auditor.

The four patterns that collapse the tax

1. Treat every control as a stream, not a snapshot

The wrong question is “what evidence do we have for Q2?” The right question is “how does evidence for this control get produced every time the underlying event happens?” Access granted → ticket opened with approver, reason, expiration. Deployment to production → artefact signed, SBOM archived, approver logged. If you design the event to emit evidence, the quarterly pull is a query, not a scavenger hunt.

2. Pick one system of record per control

SOC 2 evidence lives across Jira, GitHub, Slack, Okta, AWS, your SIEM, your ITSM, and three spreadsheets nobody updated in six months. Pick one destination per control. Every artefact for that control lands there in a standard format. The auditor gets a CSV; the engineer gets a one-line export.

Pattern

For technical controls, the system of record is almost always the one closest to the event. Access reviews → identity provider. Change management → Git. Incident response → ticketing. Vulnerability management → scanner. Pull it there, not into a shared drive.

3. Automate the evidence bundle, not the control

Engineers hear “automate” and reach for policy-as-code or drift detection. That is the second-order problem. The first-order problem is: can someone press one button and get a zipped folder of everything an auditor needs for a given control for a given quarter? Until that is true, compliance will remain manual labour regardless of how sophisticated your controls are.

4. Close the sample-size loop early

Auditors sample — typically 25 items from any population of more than 25. If your Q2 access-review evidence has 40 reviews and the auditor picks 25, you need each of those 25 to have complete evidence attached. If one review is missing the approver’s name, the finding isn’t “missing approver on one review” — it’s “no population-level evidence that approvals are captured.” Sampling failures are disproportionately expensive. Close the loop before the auditor picks.

What to change in the next sprint

  • Pick the three highest-volume controls from your current audit and write down where the evidence lives today. Most teams cannot name this.
  • For each of those three, identify one system of record and move all collection there.
  • Build a scripted export per control — even if it’s a CLI invocation that runs once per quarter. The export is the control, not the system that holds the data.
  • Pre-sample internally before the auditor does. Pick 25 items yourself and walk the evidence. The gaps you find are the ones the auditor will find.
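Pattern 4 and the last checklist item describe one procedure: pick items the way the auditor will and walk each one for complete evidence. The following is an added example written for this article (not Cloud Upload's tooling) that does that for an access-review population; the record layout, field names and the constructed records are assumptions.

```python
import random

# Every access-review record must carry these fields before the auditor samples it.
REQUIRED_FIELDS = ("review_id", "reviewer", "approver", "completed_at", "revocations_actioned")
AUDIT_SAMPLE_SIZE = 25  # auditors typically sample 25 from any population larger than 25


def build_population(size=40, missing=None):
    """Constructed access-review records for one quarter (not real data).
    `missing` maps review_id -> fields to blank out, to simulate evidence gaps."""
    missing = missing or {}
    records = []
    for i in range(1, size + 1):
        rec = {
            "review_id": f"ar-{i:04d}",
            "reviewer": "sec-ops",
            "approver": "eng-manager",
            "completed_at": f"2026-Q2-day{i:02d}",
            "revocations_actioned": True,
        }
        for field in missing.get(rec["review_id"], ()):
            rec[field] = None
        records.append(rec)
    return records


def select_sample(population, sample_size=AUDIT_SAMPLE_SIZE, seed=None):
    """Auditor-style selection: sample_size items if the population is larger, else all."""
    if len(population) <= sample_size:
        return list(population)
    return random.Random(seed).sample(population, sample_size)


def find_gaps(records):
    """Return {review_id: [missing field, ...]} for every record with blank required fields."""
    gaps = {}
    for rec in records:
        absent = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
        if absent:
            gaps[rec.get("review_id", "<no id>")] = absent
    return gaps


def pre_sample(population, seed=None):
    """Walk the evidence before the auditor does. The verdict is driven by gaps anywhere
    in the population, because the auditor's 25 picks are unknown in advance and one
    incomplete record becomes a population-level finding."""
    sample = select_sample(population, seed=seed)
    population_gaps = find_gaps(population)
    return {"population_size": len(population), "sample_size": len(sample),
            "sample_gaps": find_gaps(sample), "population_gaps": population_gaps,
            "ready_for_audit": not population_gaps}
```

Running `pre_sample(build_population(40, missing={"ar-0017": ("approver",)}))` reports the review with the missing approver under `population_gaps` whether or not the random 25 happened to include it, which is the point of pre-sampling the whole population rather than a lucky subset.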

A clean SOC 2 Type II is not a function of control sophistication. It is a function of whether every event that matters emits evidence the moment it happens. Design for that, and the evidence tax drops by an order of magnitude.


Last updated March 12, 2026