This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.
It is meant as quick reference material for day-to-day use of the product.
Auditors, audit windows, and testing
Can Secureframe speak with the auditor directly instead of going through the customer?
Yes. Secureframe can connect with your auditor to clarify questions (e.g., screenshot requests). Let your Customer Success Manager know, and they can coordinate with the auditor directly.
Can Secureframe support ISO 9001 if an auditor requires 21 CFR Part 11 compliance?
ISO 9001 itself does not require 21 CFR Part 11.
However, some customers — especially in pharmaceuticals or drug manufacturing — must meet regulatory or contractual obligations tied to electronic records and digital signatures (e.g., FDA / DEA requirements). In those cases, an auditor may expect 21 CFR Part 11–aligned controls as part of their quality management system (QMS) implementation.
Secureframe does not currently represent full 21 CFR Part 11 compliance as part of ISO 9001 within the platform. That requirement would need to be managed as an external regulatory need, not part of the ISO framework itself.
Difference between audit window and audit testing?
An audit test is a point at which the auditor is actively reviewing the evidence you have uploaded. An audit window depends on the audit but, in SOC 2's case, it is a period of consecutive time during which the auditor confirms your controls were in place and working.
Do all annual controls need to be completed during the audit window for SOC 2 Type 2?
Ideally, annual controls are done during the audit window, but as long as they are done within 1 year of each other, the client should be fine. This logic applies to all annual controls, such as risk assessment and network review, and can be applied to semi-annual controls, like firewall review.
For example, a February 2025 review is acceptable for an audit window of April 1 to June 30, 2025.
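As an added illustration (not Secureframe's code), the Python helper below encodes the rule above: every day of the audit window must be within the control's period of a prior execution, so the execution itself need not fall inside the window. It goes beyond the article's single example by also handling semi-annual controls; the audit window matches the article, and the execution dates are constructed.

```python
from datetime import date, timedelta

def coverage_gaps(executions, window_start, window_end, period_days=365):
    """Return the date ranges inside [window_start, window_end] that are not
    covered by a control execution within the preceding `period_days`.
    An empty list means the history satisfies the audit window."""
    if window_end < window_start:
        raise ValueError("window_end precedes window_start")
    period = timedelta(days=period_days)
    one_day = timedelta(days=1)
    gaps = []
    cursor = window_start  # first day not yet shown to be covered
    for executed in sorted(set(executions)):
        if executed > window_end:
            break                      # executions after the window add nothing
        if executed + period <= cursor:
            continue                   # too old to cover any remaining day
        if executed > cursor:
            # days between the cursor and this execution were uncovered
            gaps.append((cursor, min(executed - one_day, window_end)))
        cursor = executed + period     # coverage now runs until this expiry
    if cursor <= window_end:
        gaps.append((cursor, window_end))
    return gaps

def satisfies_window(executions, window_start, window_end, period_days=365):
    """True when the control history leaves no uncovered day in the window."""
    return not coverage_gaps(executions, window_start, window_end, period_days)

if __name__ == "__main__":
    window = (date(2025, 4, 1), date(2025, 6, 30))  # audit window from the article
    # Annual risk assessment last performed in February 2025 (constructed date)
    print(satisfies_window([date(2025, 2, 15)], *window))  # True
    # Annual review last performed in March 2024: whole window uncovered
    print(coverage_gaps([date(2024, 3, 1)], *window))
    # Semi-annual firewall review, two constructed dates 191 days apart:
    # an 8-day gap opens when the first execution expires
    print(coverage_gaps([date(2024, 11, 10), date(2025, 5, 20)], *window, period_days=183))
```

The reported gaps are the exact dates an auditor could flag, which is more useful than a bare pass/fail when scheduling a make-up review.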
Do vendor compliance reports need to fall within the audit window?
No. Vendor compliance reports only need to be reviewed annually. As long as the most recent available report was reviewed within the past year, it should satisfy audit requirements—even if the report date falls outside the window.
Does a user who started after the audit window need to meet MFA requirements?
No. Users who started after the audit window are considered out of scope for that audit period and can be excluded from MFA testing results.
Does PCI have an audit window?
Yes, PCI generally requires an annual audit window. Evidence older than six months is considered stale unless it's tested for continuity within the audit period.
Does the auditor access role permit viewing Comments in tests?
Yes, the auditor role has access to Tests and test-related features such as Test Overview, Evidence, Tasks, Controls, and Comments.
For a SOC 2 Type 2, does a penetration test NEED to be conducted during the audit window?
Penetration tests do not necessarily need to be done during the audit window, as long as they are completed within 1 year of each other.
For our SOC 2 audit, the auditor requested additional evidence showing that our reporting channel is confidential and accessible to both internal personnel and external parties for reporting security and other concerns. We have a security email address — will screenshots be enough?
Yes. You can provide two types of screenshots to meet the request:
External Accessibility – A screenshot showing the security email address displayed on your public website or in a policy document. This proves that external parties can access the reporting channel.
Confidentiality – A screenshot from internal documentation or your admin console showing that the mailbox exists and is restricted to specific personnel. This demonstrates that the channel is confidential and access-controlled.
Providing these two screenshots should satisfy the auditor’s evidence requirements.
For SOC 2 audits, how should older release branches be handled? Do auditors need to review all previous release branches, or only the latest one? Does the observation period affect this?
Auditors only evaluate code branches that fall within the observation period. Any branches created and released outside of the observation period are considered out of scope.
If multiple release branches (e.g., release/174, release/175, release/176) were cut during the observation period, auditors may review all of those branches, not just the most recent one. This ensures they can verify that secure development and change management practices were consistently applied across releases during that window.
There is no strict limit on the number of branches that can be tracked in Secureframe. The key is that branches relevant to the audit period are monitored and that your controls (e.g., peer reviews, testing, approvals) are consistently applied across them.
How can new auditors learn to navigate the Secureframe platform?
Whether you are an auditor, partner, customer, or prospect, we always have training available for our advocates.
Please contact success@secureframe.com and we will set up training with the appropriate team.
How do you draw the line on making changes to systems/processes during an audit window?
For Type 1, you only need one example. For Type 2, you must always be in the review window, and changes should be tracked and remediated per SLA. Track changes through ticketing systems and make sure to address them in a timely manner.
How does Secureframe simplify the auditor experience?
Secureframe offers auditors read-only access, partners with audit firms familiar with the platform, and ensures most audit work is completed ahead of time, making audits a smoother process.
The client has tickets, source control history, and an independent code review process, but approvals were done verbally and not documented. How should this be addressed with the auditor?
The client’s workflow meets the intent of the control: changes are tracked via tickets, code is managed in source control, developers implement changes, and a separate individual reviews and approves changes before deployment. However, the gap is that the approval was not formally documented. Verbal or in-person approvals do not satisfy audit evidence requirements.
The recommended approach is to be transparent with the auditor: explain that approvals did occur during the observation period but were not documented in writing, provide all available supporting evidence (tickets, commit history, deployment records), and note that the process has since been updated to require documented approval going forward (for example, written approval in tickets or pull request approvals). This is typically treated as an observation or opportunity for improvement rather than a major finding.
We are in a 12-month audit period with an auditor now, but we aren’t going to get an updated SOC-2 report until Jan 1, 2023. Do you recommend having all sections for the report preview in a good state at all times?
Since you're in a 12-month audit period, it’s important to keep everything in good state for the entire period, not just right before your new report is due.
What happens if auditors need more information after reviewing evidence?
They will request follow-ups to clarify or validate control effectiveness before finalizing the report.
What is the audit window for CMMC?
The first CMMC audit is a point-in-time audit, followed by a subsequent 12-month window. For Level 2 and 3, audits are triennial (every 3 years). Level 1 requires annual self-assessment.
What is the difference between point in time test and an audit window?
A point-in-time test involves providing evidence from a specific date, usually requiring just one piece of evidence. An audit window allows evidence to be pulled over a period (3-12 months), and auditors will select a sample of evidence to evaluate. Anything outside the audit window is out of scope.
When should I complete tabletop exercises? What if I am slightly out of my audit window?
Tabletop exercises should be done annually and within the audit window. If you miss the window, note the reason and reschedule. Keep a record of the scheduling change in case it’s questioned later.
Will all the work we’ve done up to this point with our previous auditor (no longer working with them) work for this current window now that we moved to Secureframe?
The real question is, "Have you been operating your controls?" A SOC 2 is about the activity, not the auditor. What matters is whether you operated your controls and can provide evidence of that. The customer is responsible for governing their environment.
Will auditors typically request endpoint evidence for employees who left during the audit window?
No, auditors usually do not request endpoint evidence for employees who have left during the audit window. Once personnel leave and the Secureframe Agent is uninstalled from their devices, those devices are cleared from the Asset Inventory. Auditors generally focus on active employees and their endpoints, so evidence for departed users is not required.
Data room and evidence
Is there a method to track where documents in the data room are utilized as evidence?
At this time, we do not display which data room documents are used as evidence. However, we do have an open feature request for this. I'm more than happy to add a vote on your behalf, and you'll be notified once it's live.
Is there a way to delete evidence from the Data Room?
Currently, there is no way to delete evidence, only archive it. Engineering can delete it upon request if needed.
What is the maximum file size that can be uploaded to a data room?
500 MB is the largest file size that can be uploaded to the data room at this time.
Additional customer questions
What happens during audit walkthroughs?
Audit walkthroughs involve interviews, questions, and observations with the auditors. These meetings often lead to follow-up questions and additional requests.
How can I add the email of an external auditor in the documentation?
External auditors can be added to Secureframe through the "Audits" module, located in the left-hand navigation panel within the Monitoring view.
What does "auditor spd" mean?
At Secureframe, Auditor SPD refers to the Service Provider Dashboard, which is typically a Secureframe instance used to assist partners with partner-related activities.
It is also known as the Auditor APC; see the [Auditor Partner Console](https://support.secureframe.com/hc/en-us/articles/38955364460947-Auditor-Partner-Console-Dashboard-Guide) guide.