SOC 2 Type II covers a period, not a moment. The AICPA Trust Services Criteria require an auditor to assess whether controls operated effectively over time — typically six to twelve months. That is a fundamentally different question than "did your firewall policy exist on audit day." Yet most mid-market companies treat the annual audit the same way: a quarterly warning arrives, someone opens a shared folder, and the scramble begins. Screenshots are taken, exports are pulled, and a collection assembled that represents a few sample points across a year of operations. The auditor sees what the team had time to find. What they do not see is every access event, every configuration change, every ticket opened and closed in between.
The gap between what SOC 2 demands and how most organizations respond is not a matter of bad intent. It is a structural problem. The systems where controls actually operate — identity providers, SaaS administration consoles, ticketing platforms, cloud infrastructure logs — generate evidence continuously. But that evidence is stored inside platforms the business runs for other purposes, retrieved on demand, and assembled by hand each year. The record is not kept independently. It is reconstructed, and reconstruction is always incomplete.
This article examines why point-in-time evidence collection breaks down, where proof actually lives, and what changes when a company keeps a continuous, independently maintained record across its full technology stack.
01 / Why point-in-time collection fails
Auditors operating under AICPA standards use sampling. They cannot review every event across a twelve-month period, so they select a representative set and test against it. The implicit assumption is that what is true at the sample points is representative of the whole period. When evidence is assembled manually, that assumption is often wrong — not because controls were absent, but because controls drift between samples and the drift goes undocumented.
A specific example: access reviews. Most SOC 2 programs schedule a quarterly access review of key systems. A reviewer exports a user list, marks the appropriate people as approved, and files the record. But what happened between reviews? A contractor joined in month two and was never added to the formal list because no one flagged the provisioning event as requiring a review cycle update. An employee changed roles in month four. The access review documentation says everything was in order at the quarterly checkpoint. The auditor samples the documentation and passes the control. The in-between period is invisible.
The cost of this approach compounds over time. The two weeks before each audit window closes are not a compliance function — they are a project. People are pulled from their actual work. System owners field requests they do not fully understand. Tickets are raised to get exports that should have been retained automatically. The annual scramble is treated as a cost of doing business, but it is actually a cost of not having a record.
There is a subtler problem as well. When evidence is assembled by the team being assessed, the independence of the record is compromised by definition. Self-graded controls are not the same as independently verified ones. An auditor reviewing documentation the company assembled from its own systems, at its own discretion, is working with a curated selection. The curation may be honest, but it is not independent.
02 / Where proof actually lives
The systems a company already operates contain the proof of how controls ran. They do not require new instrumentation. They require continuous, structured collection from the right places.
Identity providers like Okta log every authentication event, every provisioning action, every access policy change. That log is the access control record. It does not need to be summarized into a quarterly spreadsheet; it needs to be retained, structured, and independently held so that any point in the coverage period can be examined. Microsoft 365 administration logs capture permission changes, conditional access policy modifications, and guest user additions across the entire tenure period — not just what was current on the day someone ran an export. Salesforce permission sets and profile changes are similarly logged at the platform level.
Ticketing systems like Jira or ServiceNow contain the change management record. Vulnerability management platforms log scan results and remediation timelines. Endpoint device management tools hold configuration baselines and patch status histories. None of these require a company to build something new. They already exist. The question is whether the evidence they generate is being collected, retained outside the source system, and held in a form that an auditor can rely on.
The answer, for most mid-market companies, is no. Evidence exists inside the source systems. But source systems change. Retention policies expire. Administrators run cleanup scripts. A log that existed in October may not be retrievable in March. Evidence that was never pulled out of the platform it was born in is evidence that exists at the platform's discretion, not the company's.
A control that operated perfectly but cannot be proven is a failed control on audit day. The evidence is not the proof of the control — the retained, independent record of that evidence is.
03 / The risk surface GRC tools introduce
The market response to audit fatigue has been a category of GRC platforms that integrate directly with company systems, ingest data, and automate evidence collection. The appeal is clear: instead of manual exports, the tool connects to Okta or AWS and pulls what it needs. Auditors can log into the platform and review structured evidence without requiring the company to run a project.
The problem is what those integrations require. To ingest evidence from a system, the GRC platform needs a persistent, credentialed connection. That connection typically requires read access to the systems it monitors. Depending on the integration, that can mean access to user directories, message contents, file metadata, HR records, or customer data structures. The company has solved its audit-fatigue problem by granting a third-party platform standing access to its most sensitive systems.
The data-possession question is worth asking directly: does proving that a control operated require sharing the underlying business data that the control protects? The answer is no. Proving that access to a Salesforce instance was reviewed quarterly does not require exporting customer records. Proving that Microsoft 365 conditional access policies were in force does not require exporting email. Evidence of control operation is structural and administrative — log entries, configuration states, policy versions, approval records. It lives at the governance layer, not the data layer.
A well-designed evidence approach collects from the governance layer only. It never touches the underlying business data the controls are meant to protect. That boundary is not a feature — it is the correct scope of what audit evidence is.
04 / What continuous, independent collection changes
A company that maintains a continuous, independently kept record across its full technology stack answers the auditor's question with a pull, not a project. The evidence for the coverage period already exists. It was collected at the time the events occurred, held outside the source systems, and structured for the frameworks the company operates under. Nothing needs to be assembled. The record is the evidence.
This changes the audit itself. Instead of sampling a curated collection, the auditor can examine a full-population record. Access events for the entire coverage period are available, not a quarterly snapshot. Configuration change logs span the full twelve months, not the week before the audit. The sampling problem does not disappear — auditors still test against the record — but the record is complete rather than reconstructed.
The enterprise sales impact is concrete. Security questionnaires from prospective customers — the lengthy spreadsheets that stall mid-market deals for weeks — ask whether a company can prove its controls. A company with a continuous evidence record answers those questions from the record. The information security section of a vendor assessment is no longer a research project; it is a query. Deal cycles that stall on security diligence move faster when the answer to "can you prove it" is already documented.
05 / Governing the systems a company already runs
The practical implication of continuous evidence is that governance needs to reach the systems where work actually happens. Salesforce, Microsoft 365, Google Workspace, AWS, Okta — these are not peripheral systems. They are where the company operates. The access policies, configuration baselines, administrative actions, and change records in those systems are the evidence of how controls ran. Governance that does not reach those systems is governance that exists only on paper.
Bylaw governs the systems companies already run. It collects the evidence those systems generate at the governance layer — administrative logs, configuration states, policy versions, approval records — and holds it independently of the source systems. The underlying business data never moves. Customer records, employee files, financial transactions — none of that is within the scope of what audit evidence requires, and none of it is what Bylaw collects. The record is the governance layer only.
The result is a company that is always audit-ready. Not audit-ready as a status achieved after a scramble, but audit-ready as a continuous state. The coverage period is fully documented at every point within it. When the auditor asks for evidence, the company pulls the record. The annual scramble is replaced by a pull of what was already kept.
SOC 2 Type II was designed to assess whether controls operated over time. Continuous, independent evidence collection is the only way to answer that question honestly, completely, and without the quarterly project that erodes every compliance team it touches.
See it on your company.
This is the desk work of the office we embed. A structured governance review shows you, on your own documents and systems, exactly where your proof is strong, fragile, and missing — in plain language, no data required.