What SOC 2 auditors are actually looking for in awareness evidence — 2026 update

The annual update on what SOC 2 auditors prioritise in awareness-evidence reviews, based on the audits our customers ran in 2025.

Each year we publish an update on what SOC 2 auditors are actually looking for in awareness-evidence reviews. The 2026 update is based on the audits our customers ran in 2025 — approximately 70 SOC 2 audits across our customer base, with the auditor pool spanning Big-Four, mid-tier, and specialist firms.

The headline shift from 2024 to 2025 is auditors' focus on individual-employee evidence rather than aggregate completion metrics. Aggregate completion was the headline metric for awareness control evidence for most of the platform category's history; auditors are now consistently asking for individual-employee evidence, traced to assessment outcomes rather than module-completion records.

Three specific questions are now standard in awareness-evidence walkthroughs across the audit firms we have worked with:

(1) For employee X (sampled from your population), what awareness training has the employee completed, and what was the assessment outcome? An aggregate completion report does not answer this; the auditor wants to see the per-employee record, with assessment provenance.

(2) For an employee who failed the assessment on the first attempt, what was the remediation pathway, and what is the evidence that the remediation completed? "Failed once, passed twice" is a perfectly defensible record if the platform shows the trajectory; "failed once" with no follow-on evidence is a finding.

(3) For new joiners in the audit period, when did they enrol in awareness training, and how long after their start date did the enrolment occur? Onboarding lag is increasingly a finding category; auditors expect awareness enrolment within the first calendar week and remedial action where the lag is longer.

Operational implications. Customers preparing for SOC 2 Type II audits should validate three things: that their platform produces per-employee evidence with the trajectory of training and assessment outcomes, not just aggregate completion; the remediation-evidence chain for first-attempt-failure cases; and the new-joiner enrolment-timing reporting.

GetCheckmark's evidence pack produces all three by default in the standard compliance report. Customers who have moved from competitor platforms commonly cite this as the single most material improvement in their audit-evidence position.

The next update (2027) will cover the impact of the EU AI Act on awareness-training methodology — an area where the regulatory landscape will likely shift within the next twelve months.

About the author. Cormac Walsh is VP of Compliance at GetCheckmark, with a background that includes seven years as a SOC 2 auditor at a Big-Four firm.