← Back to Insights

SOC 2 Compliance Engineering: Controls That Generate Evidence

Metasphere Engineering 7 min read
Compliance DevSecOps Security Architecture

Your 18-person engineering team just landed a major enterprise prospect. The procurement team sent over the security questionnaire and one non-negotiable requirement: SOC 2 Type II before contract signature. Six weeks to audit. You look around and take inventory. No audit logs in immutable storage. Access reviews done manually via email with a reply-all chain from Q3 that nobody archived. Zero deployment audit trail because the senior engineer who deploys to production does it from his laptop via kubectl apply. Three engineers pulled from feature work for four weeks. Screenshots collected from eight different systems into a shared Google Drive folder. The report arrived, barely. Three months later, every control had drifted back to its previous state. The whole thing was theater.

If this sounds painfully familiar, you are not alone. This exact scenario plays out at company after company. The alternative is not complicated. SOC 2 Trust Service Criteria map almost directly to engineering practices that mature teams already maintain regardless of compliance requirements. The difference between compliance-as-sprint and compliance-as-practice is whether controls are built into how the organization operates year-round, or bolted on in a panic the month before each audit window.

SOC 2 compliance controls silently drift after audit, creating evidence gaps at re-auditAnimated timeline showing five SOC 2 compliance controls (MFA, encryption, logging, access review, vulnerability scan) all green at audit. Over six months, logging config changes to amber, access review is skipped turning amber, and vulnerability scanning is disabled turning red. At re-audit, evidence gaps are highlighted for each drifted control. Final annotation: without continuous enforcement, controls drift within 90 days.Compliance Control Drift After AuditAudit WindowMFAEncryptionLoggingAccess ReviewVuln ScanSOC 2 Audit PassedMonth 1Month 2Month 3Month 4Month 5Month 6Time passes after audit...~LoggingConfig changed silently~Access ReviewQ2 review skippedVuln ScanDisabled by deploy3 of 5 controls driftedMFAEnc~Log~AccessVulnRe-Audit: Evidence Gaps Found!Logging4 months incomplete data!Access ReviewNo Q2 review evidence!Vuln ScanNo scans for 2 monthsWithout continuous enforcement, controls drift within 90 days.

What SOC 2 Security Actually Requires

The Security Trust Service Criterion (required for any SOC 2 report) covers nine control families. Most have natural technical implementations that also make the organization more secure. This is the part that teams keep missing. These are not arbitrary hoops. They are genuinely useful security practices.

Logical access controls require that system access is restricted to authorized users and revoked when someone leaves. In engineering terms: SSO with MFA enforced at the identity provider (Okta, Azure AD, Google Workspace), access provisioning tied to your HR system via SCIM, automated deprovisioning that disables accounts within 24 hours of offboarding, and quarterly access reviews. You should want these controls regardless of what auditors require.

Change management requires that changes to systems are authorized, tested, and documented. In engineering terms: all infrastructure changes via infrastructure as code with pull request review and approval, all code changes via PR with CI gating, and deployment logs stored as immutable evidence. The CI/CD pipeline is your change management evidence generator. Every merge becomes a documented, approved, tested change with an audit trail that writes itself. No screenshots. No scrambles. It just works.

Infrastructure Controls That Generate Evidence Automatically

The SOC 2 evidence collection problem largely disappears when infrastructure generates auditable records as a side effect of normal operations. This is the core shift from compliance-as-sprint to compliance-as-practice. Teams that make this shift reduce evidence preparation from 3-4 weeks per audit cycle to 2-3 days. That is not a typo. Days, not weeks. For how this integrates at the infrastructure layer, see our approach to cloud-native platform engineering.

AWS CloudTrail, GCP Cloud Audit Logs, and Azure Activity Logs capture every API call to cloud infrastructure: timestamp, actor identity, request parameters, and response. Archive these to S3 with Object Lock enabled, and they become immutable evidence of who accessed what and when. An auditor asking “do you log access to production systems?” gets answered by pulling a CloudTrail export with a date range filter. No manual screenshots. No 48-hour scramble. Just a query.

VPC flow logs prove network segmentation is working. Automated vulnerability scanner reports (Qualys, Nessus, or Trivy running on schedule) prove scanning cadence. Endpoint management enrollment records from Jamf or Intune prove devices are managed and encrypted. GitHub or GitLab audit logs prove PR approval workflows. Each of these is an engineering investment that satisfies specific SOC 2 control requirements as a natural byproduct of doing your job well.

Here is the key insight: if you are already running a well-instrumented DevSecOps practice, you have 60-70% of the SOC 2 evidence collection problem solved before you engage an auditor.

Access Reviews Without the Quarterly Scramble

Periodic access reviews consistently surface as SOC 2 findings for organizations that run them manually. And the failure mode is always the same. Quarterly calendar reminder fires. Someone exports a spreadsheet of user accounts from each system. Managers reply-all with approvals. Security team reconciles responses. This process takes 2-3 weeks per quarter, produces stale data, and generates unreliable evidence. Auditors are very experienced at spotting access reviews completed three days before the observation window closes. They will call it out.

Automated access review platforms, or compliance tools like Vanta and Drata that integrate directly with your identity provider and SaaS applications, run continuous access monitoring and generate structured review workflows on schedule. Reviewers see current access data and approve or revoke directly in the workflow, producing audit-ready evidence automatically.

The prerequisite is SSO coverage. If your application estate authenticates through a single identity provider, access review automation is straightforward. Organizations that achieve 95%+ SSO coverage before pursuing SOC 2 complete access reviews in hours instead of weeks. If you have dozens of separate user stores across legacy applications, automation is much harder and quarterly manual reviews remain necessary until SSO coverage improves. Make SSO migration the first investment before engaging an auditor. Do not negotiate on this. Every application behind SSO is one fewer manual access review.

The access review process is where manual compliance breaks down most visibly. Quarterly manual reviews take weeks and produce unreliable evidence. Automated continuous reviews through SSO integration complete in hours and generate audit-ready records automatically.

Vendor Risk Management at Scale

Third-party vendor risk assessment is a SOC 2 requirement that scales poorly with manual process. This is the one that quietly spirals. Each vendor relationship requires a risk assessment, review of their security documentation, and ongoing monitoring. An organization with 50 SaaS vendors and annual review cycles will have at least 10-15 assessments expire silently in any given year using purely manual tracking. Nobody notices until the auditor does.

The practical approach: prefer vendors who have their own SOC 2 Type II reports and share them on a regular cadence. For vendors without SOC 2, require completion of a standardized security questionnaire (SIG Lite is the industry standard) and set review intervals based on data sensitivity and access level. Automate renewal reminders and evidence collection so vendor assessments do not expire silently. The security program integration here is direct: vendor risk becomes a tracked, time-bounded obligation rather than a calendar item someone might remember.

One pattern that saves significant time: during vendor evaluation, check whether the vendor shares their SOC 2 report via a trust center (Vanta Trust Center, SafeBase, Whistic). This eliminates the manual NDA and report request cycle that adds 2-3 weeks to vendor onboarding. That cycle is pure waste. Eliminate it.

SOC 2 compliance built into engineering practices costs less, produces better evidence, and scales with your organization. The teams that treat controls as useful security infrastructure rather than audit theater maintain clean reports year after year. No scrambles. No pulled engineers. No Google Drive folders full of screenshots. The controls just run, the evidence collects itself, and the audit is a formality instead of a fire drill.

Build SOC 2 Controls That Generate Evidence Automatically

Scrambling for SOC 2 evidence six weeks before the audit is a symptom of compliance as an afterthought. Metasphere builds technical controls that satisfy SOC 2 requirements as a natural output of how your infrastructure operates.

Engineer Compliance

Frequently Asked Questions

What is the difference between SOC 2 Type I and Type II?

+

Type I verifies control design on a single date. Type II covers a 6-12 month observation period and verifies controls operated effectively throughout. Type II carries significantly more weight because it demonstrates sustained discipline. Most enterprise procurement teams require Type II before signing contracts above a certain ARR threshold. Start with a 6-month Type II observation period to minimize time to report.

What are the SOC 2 Trust Service Criteria?

+

SOC 2 covers five Trust Service Criteria: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Most B2B SaaS companies pursue Security only or Security plus Availability. The Security category covers logical access, change management, risk assessment, and incident response. Adding categories is driven by customer requirements and typically adds 2-4 weeks of audit scope.

Which technical controls satisfy the most SOC 2 requirements?

+

Seven controls satisfy the broadest cross-section: MFA for all system access, SSO for applications, audit logging to immutable storage (S3 Object Lock), RBAC with documented provisioning and deprovisioning, vulnerability scanning with SLAs (30-day critical, 90-day high), endpoint management with encryption and remote wipe, and CI/CD-enforced change management. These seven cover roughly 70% of Security TSC requirements.

How do you automate SOC 2 evidence collection?

+

Most evidence comes from infrastructure tooling, not screenshots. CloudTrail proves API activity. SSO logs prove access provisioning. Vulnerability scanner outputs prove scanning cadence. CI/CD logs prove change management. Compliance platforms like Vanta and Drata integrate with these sources to collect evidence continuously. Teams using automated collection reduce evidence preparation from 3-4 weeks to 2-3 days per audit cycle.

What is the biggest mistake companies make pursuing SOC 2?

+

Treating it as a project rather than a program. Companies implement controls for the audit window, collect the report, and let controls drift within 90 days. Auditors detect evidence gaps that suggest controls were only active during the observation period. Companies with consistently clean audits operate controls year-round because those controls are genuinely useful security practices, not theater.