Audit-ready export
One click. Every policy, every piece of evidence, every framework mapping — packaged the way auditors actually want it.
19 of 26 SOC 2 requirements satisfied with linked evidence. The remaining 7 are flagged for fixes below.
Evidence locked at export time
Auditors get a tidy zip file with each section already labeled to their request list.
Policy binder
11 sections
Every approved policy & procedure with version + signature page.
Control matrix
26 controls
SOC 2 requirement → AuditPilot control → status, with evidence links.
Evidence bundle
8 artifacts
Screenshots, exports, BAA PDFs, training rosters — already named & timestamped.
Cover letter
Auto-signed
Owner attestation, scope statement, period of performance.
SOC 2 controls passing
17 / 26
Each contributes to your coverage %.
BAAs on file
3 / 4
PHI-handling vendors with current BAA.
Training complete
6 / 10
Annual workforce HIPAA & phishing.
Incidents closed
2 / 3
With timeline + risk assessment.
2 of 4 passing
| SOC 2 requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| CC6.1 Logical Access — User Authentication | Multi-factor authentication enforced for all users (AP-AC-001) | Failing | 1 Microsoft 365 MFA enforcement export |
| CC6.2 User Provisioning | Unique user accounts (no shared logins) (AP-AC-002) | Passing | 1 Microsoft 365 MFA enforcement export |
| CC6.3 Access Reviews | Access reviewed quarterly (AP-AC-003) | In progress | 1 Q1 access review sign-off |
| CC6.4 Termination | Departing workforce access revoked within 24 hours (AP-AC-004) | Passing | None — upload to satisfy |
2 of 4 passing
| SOC 2 requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| CC6.7 Restricted Information Transmission | Full-disk encryption on all workstations (AP-DV-001) | Failing | 1 BitLocker compliance report — Sept 2026 |
| CC7.1 Detection of Security Events | Endpoint protection (antivirus / EDR) installed and current (AP-DV-002) | Passing | 1 Bitdefender protection coverage |
| CC7.1 System Operations | Operating system and security patches applied within 30 days (AP-DV-003) | In progress | None — upload to satisfy |
| CC6.1 Logical Access | Automatic screen lock after 10 minutes of inactivity (AP-DV-004) | Passing | None — upload to satisfy |
2 of 3 passing
| SOC 2 requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| A1.2 Backup and Recovery | Daily encrypted backups with offsite copy (AP-DP-001) | Passing | 1 Datto backup verification — week 14 |
| A1.3 Recovery Testing | Quarterly backup restore test documented (AP-DP-002) | Needs review | 1 Datto backup verification — week 14 |
| CC6.7 Transmission of Confidential Info | Email and file transfer encrypted in transit (AP-DP-003) | Passing | None — upload to satisfy |
2 of 3 passing
| SOC 2 requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| CC6.6 Boundary Protection | Business-grade firewall with active subscription (AP-NS-001) | Passing | 1 Firewall subscription renewal — SonicWall TZ470 |
| CC6.6 Boundary Protection | Guest Wi-Fi isolated from clinical network (AP-NS-002) | In progress | None — upload to satisfy |
| CC6.6 Remote Access | VPN required for remote access to clinical systems (AP-NS-003) | Passing | None — upload to satisfy |
2 of 2 passing
| SOC 2 requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| CC7.2 Logging | Audit logs retained for at least 6 years (AP-ML-001) | Passing | None — upload to satisfy |
| CC7.2 Detection of Anomalies | Failed login alerts configured (AP-ML-002) | Passing | None — upload to satisfy |
1 of 2 passing
| SOC 2 requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| CC7.4 Incident Response | Documented incident response plan (AP-IR-001) | Passing | None — upload to satisfy |
| CC7.5 Recovery Testing | Annual incident response tabletop exercise (AP-IR-002) | In progress | None — upload to satisfy |
1 of 2 passing
| SOC 2 requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| CC9.2 Vendor Management | BAA on file for every vendor handling PHI (AP-VM-001) | Failing | None — upload to satisfy |
| CC9.2 Vendor Risk | Vendor risk assessed before onboarding (AP-VM-002) | Passing | None — upload to satisfy |
1 of 2 passing
| SOC 2 requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| CC1.4 Workforce Competence | Annual HIPAA training completed by every workforce member (AP-TR-001) | Passing | 1 Annual HIPAA training roster |
| CC2.2 Communication of Security Awareness | Quarterly phishing simulation (AP-TR-002) | Needs review | None — upload to satisfy |
2 of 2 passing
| SOC 2 requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| CC1.1 Control Environment | Approved HIPAA Privacy & Security policy binder (AP-PO-001) | Passing | 1 HIPAA Privacy & Security policy binder v3.1 |
| CC3.2 Risk Assessment | Annual risk analysis on file (AP-PO-002) | Passing | None — upload to satisfy |
1 of 1 passing
| SOC 2 requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| CC6.4 Physical Access | Server / network closet physically secured (AP-PH-001) | Passing | None — upload to satisfy |
1 of 1 passing
| SOC 2 requirement | AuditPilot control | Status | Evidence |
|---|---|---|---|
| A1.2 Availability — Recovery | Documented contingency / disaster recovery plan (AP-BC-001) | Passing | None — upload to satisfy |
Already working with an auditor?
We can deliver this package directly to their secure portal — most of our auditor partners accept AuditPilot exports without re-formatting. Generated Apr 20, 2026.