How to collect SOC 2 audit evidence as a small HR team

Compliance & Legal | For Small HR Teams | 3 apps | 11 steps | ~22 min to set up

Every SOC 2 audit cycle, your 2-person HR team becomes the collection point for evidence that touches every system you manage: termination records in Paylocity or ADP, access review confirmation emails buried in Gmail threads, onboarding checklists you built in Notion, offer letters in Google Drive, and background check completions scattered across whatever vendor your company chose last year. The auditor sends a request list with 40 line items. You spend two weeks chasing managers over Slack, re-exporting payroll reports, and reformatting spreadsheets so they match the auditor's template. There is no single place that holds all of it, and every audit you start from scratch.

Outcome

What you'll set up

A living evidence tracker that pulls HR data directly from Paylocity or ADP on a schedule and surfaces the specific records an auditor asks for — employee roster, termination dates, payroll run history — without a manual export
An email triage workflow that flags incoming audit requests, access-review confirmations, and vendor security questionnaires so nothing sits unanswered in a shared inbox for two weeks
A central evidence library in Notion, searchable by control ID, that auto-detects stale documents and tells you what still needs to be collected before the auditor's deadline
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch syncs your Paylocity data on a schedule (employee records, payroll runs, termination history) and connects directly to ADP if that's your payroll system. Gmail is synced on a schedule so the email agent reads audit-related threads and drafts replies. Notion is synced on a schedule as the evidence library backbone. Google Drive and any HR document storage (BambooHR, Greenhouse) are reachable via Starch's integration catalog — the agent queries them live when building evidence bundles. Background check portals without a direct API are automatable through your browser — no API needed.

Prompts to copy
Build me a SOC 2 evidence tracker. Pull employee headcount, hire dates, and termination dates from Paylocity on a schedule. For each control in the HR trust service category — background checks, access provisioning, offboarding — show me the evidence status: collected, pending, or missing. Let me attach a document or note to each control and flag items overdue.
Monitor my Gmail inbox for emails related to our SOC 2 audit — auditor requests, access review confirmations from IT, background check completion notices from Checkr. Triage them by urgency, summarize the ask in one sentence, draft a reply where one is needed, and create a task for anything that requires me to collect or upload a document.
Build me an evidence library in Notion. Auto-categorize uploaded documents by control area (access management, HR, vendor management). Flag any document older than 12 months as potentially stale. Build a search that lets me find evidence by control ID or keyword so I can pull what the auditor needs in under a minute.
Run these in Starch → or paste them into your favorite agent
Walkthrough

Step-by-step

1. Connect Paylocity (or ADP) as a scheduled-sync provider. Starch will pull your employee roster, hire and termination dates, and payroll run history automatically — this covers the HR evidence categories most auditors hit first.
2. Connect Gmail as a scheduled-sync provider. The Email Agent monitors your inbox for audit-related threads — flagging messages from your auditor, access review confirmations, and vendor security responses as they arrive.
3. Connect Notion via scheduled sync. This becomes the evidence library: one database, organized by SOC 2 control ID, where documents land and where the auditor can eventually see a clean index.
4. Tell Starch what your control list looks like. Paste in your auditor's HR control IDs or describe them in plain language ('I need evidence for background checks, access provisioning on hire, access removal on termination, and annual access reviews'). Starch maps each control to the data source that satisfies it.
5. For controls backed by Paylocity data — termination dates, payroll run history — Starch auto-populates the evidence status based on the scheduled sync. You see immediately which controls have data and which are missing records.
6. For controls that require document uploads — signed offer letters, background check completions, manager access-review sign-offs — Starch creates a task in the Task Manager with a due date and the name of the person responsible for submitting it.
7. The Email Agent drafts follow-up emails for any outstanding evidence requests — one click to send to the manager who hasn't returned their access review form, another to the IT team asking for the user access log export.
8. As documents arrive via email or upload, the Knowledge Management app auto-categorizes them by control area, attaches them to the correct Notion control record, and updates the evidence status from 'pending' to 'collected'.
9. One week before the auditor's deadline, run a gap report: ask Starch 'which HR controls still have missing or stale evidence?' and get a plain-language list with the responsible person and last-updated date for each.
10. At audit time, generate an evidence package: Starch pulls the relevant Paylocity records, attached documents, and email threads for each control into a structured export the auditor can review — no reformatting spreadsheets by hand.
11. After the audit, update the evidence library with the auditor's findings and any remediation notes. Starch flags controls where documentation is now more than 12 months old so next year's prep starts with a complete, current baseline instead of a blank spreadsheet.

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Worked example

April 2026 SOC 2 Type I prep — 150-person company, 40-item HR evidence request

Sample numbers from a real run
Controls auto-satisfied from Paylocity sync (hire/term roster, payroll runs): 14
Controls requiring document collection (background checks, offer letters, access reviews): 18
Controls requiring manager confirmation emails: 8
Hours spent on manual evidence collection in prior audit: 32
Hours spent with Starch workflow in current audit: 9

In April 2026, your auditor sends a 40-item HR evidence request with a two-week window. Fourteen of those items — termination dates for the 6 employees who left in the past year, the current employee roster with start dates, and the last 4 payroll run records — are already in Starch because Paylocity syncs on a schedule. You mark those 14 controls 'collected' in under 10 minutes. The remaining 26 require documents or confirmation emails. The Email Agent finds 9 relevant emails already in your Gmail — background check completion notices from Checkr and 3 IT access-removal confirmations — and attaches them to the correct Notion control records automatically. Starch drafts follow-up emails to the 7 managers who haven't submitted access review sign-offs and the IT lead who needs to export the user access log. By day 5 of a 14-day window, you have 33 of 40 controls satisfied. The final 7 are flagged in the Task Manager with owner names and due dates. You spend 9 hours total on this audit compared to the 32 hours your team logged last year chasing the same information across the same systems.

Measurement

How you'll know it's working

Days from auditor request to complete evidence package (target: under 10 business days)
Percentage of HR controls auto-satisfied from scheduled sync data without manual export
Number of outstanding evidence items still open 5 days before auditor deadline
Hours spent on evidence collection compared to prior audit cycle
Percentage of Notion evidence documents flagged as stale (older than 12 months) at audit kickoff
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Drata or Vanta (compliance automation)
Strong for engineering and security controls; HR evidence collection still requires manual uploads and chasing managers, and neither tool connects to Paylocity or ADP in a way that surfaces HR records in the format a small team can actually use without a dedicated IT admin.
Spreadsheet + shared Google Drive folder
Free and familiar, but there's no automatic pull from Paylocity, no inbox monitoring for incoming evidence, and no way to detect stale documents — which means every audit starts with the same manual discovery process.
Notion alone (manual wiki)
Good for storing documents once you have them, but no connection to Paylocity or Gmail means you're still exporting and uploading by hand, and there's no task creation or follow-up drafting built in.
Your HRIS vendor's built-in reporting (Paylocity, BambooHR)
Can export the HR records an auditor wants, but only covers payroll and employee data — it doesn't connect to email, document storage, or the cross-functional access reviews that make up the other half of the HR evidence list.
On Starch (recommended)

One platform — knowledge management, email agent, task manager all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

Does Starch actually connect to Paylocity, or do I have to export files manually?
Starch syncs your Paylocity data on a schedule — employees, payroll runs, benefits, time-off records — so the records are already in Starch when the auditor asks. ADP is also a scheduled-sync provider. You don't export anything; the data is there when you need it.
We use BambooHR, not Paylocity. Does this still work?
Yes. BambooHR is reachable from Starch's integration catalog — the agent queries it live when your evidence tracker needs the data. It won't have the same scheduled-sync depth as Paylocity or ADP, but employee records, termination dates, and hire history are queryable when an app or automation runs.
Is Starch SOC 2 certified itself?
Not yet — Starch is not currently SOC 2 Type II certified. If your company's vendor security review requires a certified tool for data processing, that's worth flagging with your security team before you wire in payroll data. It's on the roadmap.
Can Starch collect evidence from tools that don't have an API — like our background check vendor's portal?
If the portal is web-based and you can log in and click through it, Starch can automate it through your browser — no API needed. That means it can navigate to completed background check records, pull the confirmation, and attach it to the right control in your evidence library. It's not instantaneous, but it removes the manual step entirely.
What about access review evidence? That usually means chasing IT and every department head.
The Email Agent monitors Gmail for incoming access-review confirmations and flags them as they arrive. For the ones that haven't come in, it drafts follow-up emails to the right people — you review and send. Starch can also build a lightweight access-review workflow where managers confirm via a form that feeds directly into the evidence tracker, though that requires describing the workflow to Starch and connecting whatever form tool you use.
We don't have a dedicated compliance tool. Will Starch replace one?
Starch won't replace Drata or Vanta if you're managing a full SOC 2 Type II program across engineering, security, and HR. What it replaces is the manual HR evidence piece — the payroll exports, the inbox chasing, the Notion reorganization every audit cycle. If your compliance posture is early-stage and HR evidence collection is the bottleneck, Starch handles that without requiring you to buy a six-figure compliance platform.
Can the evidence library in Notion actually stay current between audits, or will it go stale like every other Notion we've built?
Starch detects when documents in the knowledge management app haven't been updated in over 12 months and surfaces them as stale. It won't force anyone to update them, but it will tell you which records need attention before the auditor asks — which is a different situation than discovering the gap on day one of the audit window.

Ready to collect SOC 2 audit evidence on Starch?

Request closed-beta access. Everything is free during beta.
