Evidence Collection: Why Screenshots Aren't Working Anymore

Screenshots were the compliance industry's workaround for a problem nobody wanted to solve: how do you prove to an auditor that something happened in a system, when the audit is six months after the fact?

The problem with screenshot evidence

A screenshot of your AWS IAM password policy dated July 15 tells the auditor what the policy looked like on July 15. It says nothing about the other 364 days of the observation period. It also can't be verified — anyone with Photoshop can create one in sixty seconds.

Audit firms are catching up. In the last 18 months, we've seen a noticeable shift toward auditors asking for programmatically-generated evidence with verifiable timestamps, rather than manually captured screenshots.

What good evidence looks like now

Direct API pulls from the source system, with cryptographic timestamps, refreshed on a schedule. For each control, the evidence pipeline should show:

• The raw data from the source system (IAM policy JSON, branch protection settings, access log queries)
• A timestamp proving when the data was retrieved
• A mapping to the specific control the evidence supports
• A freshness indicator so you can see when evidence has gone stale

What changes in practice

The operational win isn't just audit-ready evidence — it's the ability to catch drift before the auditor does. If your IAM password policy was weakened by a well-meaning engineer during a hotfix, continuous evidence shows the change within hours. Screenshots discover it nine months later, during audit prep.

Where to start

Identify your top 10 controls by SOC 2 weight: access management, encryption, logging, change control, backup. Wire direct-API evidence for those first. For the remaining controls, screenshot evidence is fine in the short term — but every quarter, automate one more. By the time your Type II observation period starts, screenshots should be the exception, not the rule.