Audit pack export
Auditors ask one question on repeat: 'show me evidence of control X over the audit period.' The export action assembles every evidence record from a chosen window, grouped by control, into a single JSON dossier. Pipe through GPG sign, email the auditor, move on.

Running the export
- MFI → Tools → SOC 2 → Evidence → Action menu → Export audit pack
- Wizard prompts for window: typically the audit's observation period (e.g., 12 months)
- Optionally filter by control codes (default: all active)
- Click Generate; system assembles in 5-30 seconds depending on volume
- Download starts automatically; file is signed JSON
Output shape
{
'institution': 'Acme Microfinance',
'odpc_registration_no': 'DC-12345',
'window_start': '2025-07-01T00:00:00Z',
'window_end': '2026-06-30T23:59:59Z',
'generated_at': '2026-07-05T09:14:00Z',
'generated_by': 'florence@acme.org',
'controls': {
'CC6.1-MFA': {
'cadence': 'daily',
'records_count': 365,
'pass_rate': 0.997,
'records': [
{'at': '2025-07-01T08:00:00Z', 'pass': true, 'summary': '7/7 users MFA', 'details': {...}},
...
]
},
...
},
'signature_sha256': 'a3b1...'
}
Worked scenarios
Scenario — Annual SOC 2 audit kickoff
| Character | Role |
|---|---|
| Florence Achieng | DPO + audit liaison |
| Aisha Hassan | CEO |
| Schellman Compliance, Inc. | External auditor |
Timeline
- Mon 09:00: Schellman sends a 47-item evidence-request list.
- Mon 09:30: Florence opens MFI → SOC 2 → Export audit pack.
- Mon 09:31: Window: 2025-07-01 → 2026-06-30. Controls: all active. Generate. (Wizard runs)
- Mon 09:32: Download: audit_pack_2025-07-01_2026-06-30.json (1.8 MB).
- Mon 10:00: Florence signs with GPG, emails Schellman.
- Mon 14:00: Schellman confirms receipt. Says 'this covers 31 of our 47 items'.
- Tue: Florence handles the remaining 16 items individually — most are policy docs from
/policy_pack/. - Fri: All evidence delivered. Schellman starts fieldwork. (Audit kickoff complete)
Outcome — 31 of 47 items answered in 30 minutes via the export. Compared to last year's manual scramble (4 weeks), Florence saved ~3 weeks of work.
Reference
Export wizard options
| Option | Default | Use case |
|---|---|---|
| Window start | Today − 365 days | Match audit observation period |
| Window end | Today | End at the audit cutoff |
| Controls filter | All active | Subset for targeted ask |
| Include details | True | Set False for summary-only export |
| Include manual overrides | True | Auditor wants to see compensating controls too |
| Sign with GPG | False (manual sign) | True embeds signature if GPG key configured |
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Export wizard times out | Window too large or details JSON too verbose | Shrink window or use 'summary-only' mode; re-export in batches per quarter. |
| Auditor can't open the file | Most auditors expect PDF; you sent JSON | Run the auditor-pack post-processor (Settings → SOC 2 → Convert to PDF) which renders a tabular PDF + attaches the JSON as appendix. |
| Pass rate looks lower than expected | Includes the cron skips as failures | Adjust filter to exclude state=skipped; or re-classify in the wizard. |
| Multiple records on the same day for the same control | Cron ran twice (manual run + auto) | By design; both records preserved. Take the later one for the day in the auditor narrative. |
See also
Was this page helpful?

