Start Trial
PortalMeridianKeystoneRMM
Audit & Compliance Manual

Evidence Coverage

Coverage visibility, readiness gaps, and the relationship between controls, evidence, and audit confidence.

Audience: Compliance managers and audit leadsFocus: Coverage analysis and readiness gapsStatus: Public manual

Scope

Evidence coverage is where teams decide whether a program is genuinely supportable or merely documented. The public guide keeps the operator-facing readiness model and leaves private data-contract details out.

What the Coverage Grid Shows

The evidence coverage grid answers one question: “For each control in my program, does each connected data source actually collect evidence for it?”

Each row is a control. Each column is a connector type present in your account. Each cell shows whether automated evidence collection is set up for that control-connector combination.

Find it at: Programs → select a program → Evidence Coverage

Reading Cell States

Cell state What it means
Auto (green checkmark) An auto-generated binding exists. This connector collects evidence for this control automatically on a schedule.
Manual (blue checkmark) A manually created binding exists. You or a team member set this up explicitly.
Disabled (gray) A binding exists but has been disabled. Evidence is not being collected.
Excluded (strikethrough) The framework evidence map says this connector can provide evidence for this control, but an ingestion rule is blocking it.
Missing (red dash) No binding exists and no ingestion rule blocks it. Evidence for this control from this connector is not being collected.

If a cell shows Missing and the connector type column is present, that means: 1. The framework evidence map has no entry linking this connector type to this control (normal — not every connector provides evidence for every control), OR 2. The evidence map has an entry but no matching ControlTest exists in your program, OR 3. A binding used to exist but was deleted.

If a cell shows Excluded, an ingestion rule is explicitly preventing auto-bind from creating the binding. This is intentional — you or someone on your team set a rule to exclude it.

Understanding Auto vs. Manual Bindings

Auto Bindings

Auto bindings are created by the platform when you connect a data source. They come from the framework evidence map — a built-in list of which connector test_keys satisfy which SOC 2 criteria.

Auto bindings: - Show an Auto badge in the evidence sources tab - Can be disabled or deleted by operators - Will be re-created by re-sync if deleted and no exclude rule blocks them - Have their schedule updated automatically if the evidence map schedule changes (on next re-sync)

Manual Bindings

Manual bindings are created explicitly by an operator. They are never touched by auto-bind or re-sync — they represent your explicit intent.

Manual bindings: - Show a Manual badge in the evidence sources tab - Are not created, updated, or removed by auto-bind - Survive re-sync intact

Use manual bindings when you want specific collection behavior that doesn’t follow the framework map defaults, or when you’re collecting custom evidence that isn’t in the built-in map.

Summary Row

At the top of the coverage grid, a summary shows:

X of Y controls have automated evidence coverage

A control counts as “covered” if at least one cell for that control row is in the Auto or Manual state. Controls where all cells are Missing, Excluded, or Disabled are not covered.

This count is your primary metric when preparing for an audit. The goal is to have the covered count equal or close to the total, with any uncovered controls addressed through manual evidence uploads or explicit exclusion decisions.

Filling Coverage Gaps

Gap: Missing cell

A missing cell for a connector type that you expect to provide evidence usually means one of:

  1. Auto-bind hasn’t run yet — click Re-sync Bindings on the connector’s Ingestion Rules tab.
  2. An ingestion rule is blocking it — check the Ingestion Rules tab for exclude rules. If the cell should be green but shows red, an exclude rule may be over-broad.
  3. The ControlTest doesn’t have a test_key configured — auto-bind can’t link the evidence map entry to the control test. Check the control’s test configuration.
  4. No evidence map entry — this connector type genuinely has no built-in evidence for this control. You’ll need to either create a manual binding or accept that this control’s evidence comes from elsewhere.

To manually create a binding: click the missing cell. You’ll see the binding creation form with the connector and control pre-filled.

Gap: Excluded cell

An excluded cell means an ingestion rule is blocking the binding. To fill the gap:

  1. Go to the connector’s Ingestion Rules tab.
  2. Find the rule that’s blocking this test_key or control_ref.
  3. Either delete the exclude rule, or add a higher-priority include rule that specifically allows this entry.
  4. Click Re-sync Bindings.

Gap: Disabled cell

A disabled cell means a binding exists but isn’t running. To fix it:

  1. Go to the connector’s Evidence Sources tab.
  2. Find the binding for this control.
  3. Toggle it to enabled.

“Do I Have Enough Evidence for My Audit?” Workflow

Use this checklist when preparing for a SOC 2 audit:

  1. Open the coverage grid for your active program.
  2. Count the covered vs. uncovered controls in the summary row. Aim for full coverage for automated evidence.
  3. For each Missing cell on an important control: decide whether to fill the gap (create a binding or re-sync), exclude it deliberately (add an ingestion rule), or provide manual evidence instead.
  4. For each Excluded cell: confirm the exclusion is intentional. If not, fix the ingestion rule and re-sync.
  5. For each Disabled cell: confirm the binding is intentionally paused. If not, re-enable it.
  6. Navigate to the Evidence page and check evidence freshness. A covered control with stale evidence is still a gap for the auditor. The event log will show evidence.stale events for tests whose evidence has expired.
  7. Check the event log for control.test_failed events. A failing test means evidence was collected but the control is not passing. This is distinct from missing evidence — it’s a real finding that the auditor will see.

Coverage plus freshness plus passing tests is what an auditor needs to see. The coverage grid covers the first part; the evidence list and event log cover the rest.

Connector Types in the Grid

The column headers show the connector types that have at least one active or disabled connector in your account. Types you haven’t configured don’t appear.

If a connector type you expect isn’t showing up: - Manual connectors appear as a column if you have a manual connector.

Clicking a Cell

Clicking any cell opens a detail panel with: - The binding ID and creation method (auto or manual) if a binding exists - The current schedule - The last run time and result - A link to the evidence collected by this binding - Options to edit the schedule, disable the binding, or delete it

For Missing and Excluded cells, the panel shows why the cell is in that state and provides an action (create binding, or view the blocking ingestion rule).