SOC 2 Type II Readiness Data & Evidence Checklist for Fintechs

A current information-security policy document with explicit version, owner, last-reviewed date (within 12 months), and approval signature. Auditors flag policies whose review trail predates the audit window even if the content is sound.

Documented risk-assessment register with each identified risk, likelihood/impact rating, the control mitigating it, and the owner. Auditors will sample three risks and trace each through to a working control.

List of every sub-service organization that handles customer data (cloud providers, observability, customer support tooling) with the SOC 2 / ISO 27001 report on file and the date of last review. Carve-out vs. inclusive method choice must be documented.

Current org chart with reporting lines plus an explicit segregation-of-duties matrix showing who can develop, deploy, approve, and access production. SoD violations are the most-cited finding for fintech startups.

Per-system access review with reviewer, review date, accounts reviewed, accounts removed, and exceptions noted. Auditors will sample one quarter and trace a removed-account decision end-to-end.

JIRA / ServiceNow ticket trail for every joiner / mover / leaver. Termination de-provisioning must show same-day removal of production access — auditors will sample one terminated employee.

Identity-provider report showing MFA enrollment for 100% of employee accounts and the configured MFA policy for production access. Service-account exceptions must be documented with compensating controls.

Logs of every privileged session (sudo, db admin, IAM role assumption) with timestamp, user, action, and target system. Retention typically 12 months minimum.

Git history showing every production-bound merge has at least one approving review by someone other than the author. Auditors will sample five recent merges to production.

CI/CD deployment record with deployer, source commit, target environment, and completion status for every production deploy in the audit window.

Documented break-glass procedure for emergency changes with retroactive review requirement. Each break-glass invocation must have a post-event ticket explaining why, who approved, and what was changed.

Inventory of every system that stores customer data with the data classes present (PII, financial, behavioral) and the classification (public / internal / confidential / restricted). The inventory must match the system architecture diagram.

Configuration evidence (KMS key policy, TLS certificate inventory, RDS encryption screenshots) for every system in the data inventory. Cleartext stores in dev/staging that mirror prod data structurally are a finding.

If subject to CCPA / GDPR, log of every access / deletion / portability request with intake date, response date, and the systems searched. Response-time SLA breaches are findings.

Documented use of synthetic data for non-production environments. Auditors increasingly view 'we mask in staging' as inferior to fully-synthetic test data and ask the question explicitly.

Per-incident record with detection time, severity (P0 / P1 / P2), remediation actions, root cause, and post-mortem link. Auditors sample one P1+ incident and trace end-to-end.

Map showing which alerts cover which systems with SLAs for response. Systems not covered must have a documented exception.

Quarterly restore-test results from production backups with elapsed restore time and integrity check. 'We have backups' without a restore-test record is a finding.

Current BC/DR plan with explicit last-tested date (within 12 months) and the test results. Tabletop exercises count if documented.