Audit pack export

Auditors ask one question on repeat: 'show me evidence of control X over the audit period.' The export action assembles every evidence record from a chosen window, grouped by control, into a single JSON dossier. Pipe through GPG sign, email the auditor, move on.

SOC 2 evidence export
Evidence export package.

Running the export

  1. MFI → Tools → SOC 2 → Evidence → Action menu → Export audit pack
  2. Wizard prompts for window: typically the audit's observation period (e.g., 12 months)
  3. Optionally filter by control codes (default: all active)
  4. Click Generate; system assembles in 5-30 seconds depending on volume
  5. Download starts automatically; file is signed JSON

Output shape

{
  'institution': 'Acme Microfinance',
  'odpc_registration_no': 'DC-12345',
  'window_start': '2025-07-01T00:00:00Z',
  'window_end':   '2026-06-30T23:59:59Z',
  'generated_at': '2026-07-05T09:14:00Z',
  'generated_by': 'florence@acme.org',
  'controls': {
    'CC6.1-MFA': {
      'cadence': 'daily',
      'records_count': 365,
      'pass_rate': 0.997,
      'records': [
        {'at': '2025-07-01T08:00:00Z', 'pass': true, 'summary': '7/7 users MFA', 'details': {...}},
        ...
      ]
    },
    ...
  },
  'signature_sha256': 'a3b1...'
}

Worked scenarios

Scenario — Annual SOC 2 audit kickoff

Setting: July, the first week. Auditors send their initial evidence list.

CharacterRole
Florence AchiengDPO + audit liaison
Aisha HassanCEO
Schellman Compliance, Inc.External auditor

Timeline

  1. Mon 09:00: Schellman sends a 47-item evidence-request list.
  2. Mon 09:30: Florence opens MFI → SOC 2 → Export audit pack.
  3. Mon 09:31: Window: 2025-07-01 → 2026-06-30. Controls: all active. Generate. (Wizard runs)
  4. Mon 09:32: Download: audit_pack_2025-07-01_2026-06-30.json (1.8 MB).
  5. Mon 10:00: Florence signs with GPG, emails Schellman.
  6. Mon 14:00: Schellman confirms receipt. Says 'this covers 31 of our 47 items'.
  7. Tue: Florence handles the remaining 16 items individually — most are policy docs from /policy_pack/.
  8. Fri: All evidence delivered. Schellman starts fieldwork. (Audit kickoff complete)

Outcome — 31 of 47 items answered in 30 minutes via the export. Compared to last year's manual scramble (4 weeks), Florence saved ~3 weeks of work.

Reference

Export wizard options

OptionDefaultUse case
Window startToday − 365 daysMatch audit observation period
Window endTodayEnd at the audit cutoff
Controls filterAll activeSubset for targeted ask
Include detailsTrueSet False for summary-only export
Include manual overridesTrueAuditor wants to see compensating controls too
Sign with GPGFalse (manual sign)True embeds signature if GPG key configured

Troubleshooting

SymptomLikely causeFix
Export wizard times outWindow too large or details JSON too verboseShrink window or use 'summary-only' mode; re-export in batches per quarter.
Auditor can't open the fileMost auditors expect PDF; you sent JSONRun the auditor-pack post-processor (Settings → SOC 2 → Convert to PDF) which renders a tabular PDF + attaches the JSON as appendix.
Pass rate looks lower than expectedIncludes the cron skips as failuresAdjust filter to exclude state=skipped; or re-classify in the wizard.
Multiple records on the same day for the same controlCron ran twice (manual run + auto)By design; both records preserved. Take the later one for the day in the auditor narrative.

See also

Was this page helpful?