Build audit-ready evidence chains end to end

This playbook shows compliance, internal audit, and engineering leaders how to design tamper-evident evidence chains that satisfy PCAOB AS 1105 and AS 2201 audit evidence requirements, Sarbanes-Oxley Sections 302/404 certifications, EU DORA control testing, ISO/IEC 27001:2022 Annex A controls, and DOJ programme evaluation criteria.

Updated with PCAOB staff spotlight reminders on information produced by the entity (IPE) testing, DORA Article 11 incident evidence expectations, and ISO/IEC 27001:2022 logging and monitoring updates.

Executive summary

Auditors and regulators now test the provenance, completeness, and integrity of evidence rather than relying on policy assertions. PCAOB AS 1105 requires sufficient appropriate audit evidence, while AS 2201 demands that internal control testing rely on evaluated IPE instead of screenshots without validation. Sarbanes-Oxley Sections 302 and 404 require quarterly and annual certifications backed by verifiable control performance, and DORA mandates ICT risk evidence that supervisors can review. ISO/IEC 27001:2022 adds monitoring, logging, and lifecycle controls, and the DOJ’s Evaluation of Corporate Compliance Programs asks whether compliance data is accessible, accurate, and used for remediation.

This guide delivers an implementation blueprint: codify evidence standards, engineer automated collection with integrity safeguards, govern retention and access, and generate auditor-ready packages that link back to control objectives. The outcome is a defensible evidence supply chain that reduces rework, speeds walkthroughs, and stands up to inspection teams, audit committees, and supervisory authorities.

Define evidence standards and ownership

Start by translating external standards into internal evidence requirements. AS 1105 emphasizes sufficiency and appropriateness; codify thresholds for population coverage, precision, and period completeness. AS 2201 requires auditors to evaluate IPE accuracy—document how reports are generated, validated, and versioned, and maintain change control histories.

Assign evidence owners by control and system, with segregation between preparers and reviewers. For SOX assertions, map each control to responsible executives under Section 302 and to process owners under Section 404(a). For DORA Article 6 governance, identify accountable roles for ICT risk management and ensure oversight records show board engagement.

Create an evidence catalogue containing: control objective, required attributes (source system, timestamp tolerance, population definition), validation steps, retention period, encryption standards, and linkages to policies and procedures. Version the catalogue and surface it inside workflow tools so preparers cannot bypass requirements.

Engineer tamper-evident collection

Replace screenshots and ad-hoc exports with system-generated evidence wherever possible. Configure application logs with signed timestamps and centralized aggregation so integrity is provable. For key reports used in SOX and regulatory audits, enforce parameter locking, automated delivery to controlled repositories, and checksum verification to satisfy AS 2201 IPE expectations.

Implement capture patterns for common controls:

  • Access and change management. Use IAM APIs to export entitlement diffs, privileged access reviews, and change approvals with workflow IDs that tie to tickets and deployment hashes. Preserve SCIM/LDAP change logs for at least the retention period applicable to SOX and ISO/IEC 27001 control evidence.
  • Configuration and security monitoring. Collect configuration baselines, vulnerability scan outputs, and detection events via pipelines that hash payloads and store them in WORM-capable buckets or append-only logs to demonstrate integrity.
  • Process controls. For reconciliations, approvals, and segregation-of-duties checks, capture system audit trails showing inputs, approvers, timestamps, and exception handling. Use workflow systems that can export machine-readable histories so sampling can be reperformed.
  • Incident and resilience testing. For DORA Articles 10–12 and ISO/IEC 27001 control testing, retain incident tickets, root-cause analyses, tabletop exercise outputs, and post-incident reports with evidence of notification timelines.

Where manual evidence is unavoidable, require dual attestation, embed photo-metadata checks, and store source files alongside instructions and reviewer sign-off. Use digital signatures or HSM-backed signing for high-risk artifacts such as configuration exports or custom report outputs.

Validate integrity, completeness, and quality

Validation must be systematic and repeatable. Establish IPE testing procedures that evaluate report logic, source tables, parameter scope, and change management alignment. Require data quality checks—record counts, control totals, and reconciliation to independent sources—for every evidence pull before it can be used in testing or certifications.

For automated feeds, enforce schema validation, hashing, and anomaly detection to identify gaps. For batch uploads, apply duplicate detection and sampling to confirm population coverage. Document validation outcomes, including defects and remediation steps, so auditors can reperform. Tie validation SLAs to control criticality and surface breach notifications to control owners and internal audit.
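One way to script the pre-use checks listed above (schema validation, duplicate detection, record count, control total, and period completeness) as an added example that is not part of this playbook; the column names, the sample export and the expected source totals are constructed for illustration:

```python
import csv
import io
from decimal import Decimal

# Constructed sample: a reconciliation export as delivered by a scheduled reporting job.
# Row 4 repeats row 2, which the duplicate check must catch.
SAMPLE_EXPORT = """txn_id,account,amount,posted_at
1001,2100,150.00,2024-09-30T10:00:00Z
1002,2100,-75.50,2024-09-30T11:15:00Z
1003,2200,300.25,2024-09-30T12:00:00Z
1002,2100,-75.50,2024-09-30T11:15:00Z
"""
SCHEMA = {"txn_id": int, "account": int, "amount": Decimal, "posted_at": str}


def validate_pull(export_text, expected_count, expected_total, period=("2024-09-01", "2024-09-30")):
    """Run the checks an evidence pull must pass before use: schema, duplicates, record
    count and control total against an independent source, and period coverage.
    Returns a list of defect strings (empty means the pull is usable)."""
    defects, rows, seen, total = [], [], set(), Decimal("0")
    reader = csv.DictReader(io.StringIO(export_text))
    if set(reader.fieldnames or []) != set(SCHEMA):
        return [f"schema mismatch: columns {reader.fieldnames}"]
    for n, row in enumerate(reader, start=1):
        try:
            parsed = {k: typ(row[k]) for k, typ in SCHEMA.items()}
        except (ValueError, ArithmeticError):  # Decimal raises InvalidOperation (ArithmeticError)
            defects.append(f"row {n}: type error {row}")
            continue
        if parsed["txn_id"] in seen:
            defects.append(f"row {n}: duplicate txn_id {parsed['txn_id']}")
            continue
        seen.add(parsed["txn_id"])
        day = parsed["posted_at"][:10]
        if not (period[0] <= day <= period[1]):
            defects.append(f"row {n}: posted_at {day} outside reporting period")
        rows.append(parsed)
        total += parsed["amount"]
    # Completeness checks against the independently obtained source figures.
    if len(rows) != expected_count:
        defects.append(f"record count {len(rows)} != source count {expected_count}")
    if total != Decimal(expected_total):
        defects.append(f"control total {total} != source total {expected_total}")
    return defects
```

Record the returned defect list with the pull so reperformance by auditors sees the same outcome.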

Where evidence relies on third-party systems (for example, SOC reports, penetration tests, or cloud provider dashboards), log provenance, collection timestamps, and API versions. Maintain bridge letters and complementary user entity control (CUEC) coverage mapping so reliance is justified.

Govern retention, access, and chain of custody

Retention policies should align with legal requirements and audit cycles—typically seven years for SOX, with shorter periods for operational telemetry unless laws require longer. Store evidence in logically separated, access-controlled repositories with least-privilege roles, MFA, and logging. Use immutability options (WORM buckets, legal holds) for high-risk evidence sets and for DORA Article 11 incident documentation.

Track chain of custody for every artifact: who collected it, how it was validated, who reviewed it, and when it was provided to auditors or regulators. Automate metadata capture and generate audit trails that link to requests, walkthroughs, and management sign-offs. For DOJ expectations on disciplinary consistency, log how evidence informed investigations and remediation decisions.

Conduct periodic access reviews to ensure only authorized personnel can modify or delete evidence. Integrate DLP and watermarking for sensitive artifacts, and maintain offsite backups with integrity verification. Document destruction workflows with approvals and exception handling for legal holds.
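An added illustration, not from the playbook, of the hash-chained custody trail that the collection and chain-of-custody sections call for: every event records who acted, when, and the SHA-256 of the artifact, and is hashed together with the previous event, so a later edit of a record or a swap of stored content is detectable on reperformance. Artifact IDs, actors and file contents are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first custody event in a ledger

def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _canonical(event: dict) -> bytes:
    # Sorted keys, no whitespace: the hash must be reproducible by whoever reperforms.
    body = {k: v for k, v in event.items() if k != "event_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_event(ledger, artifact_id, action, actor, artifact=None):
    """Append a custody event (collected/validated/reviewed/provided); its hash covers
    the previous event, so editing or removing an earlier entry breaks the chain."""
    event = {
        "artifact_id": artifact_id,
        "action": action,
        "actor": actor,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "artifact_sha256": _h(artifact) if artifact is not None else None,
        "prev_hash": ledger[-1]["event_hash"] if ledger else GENESIS,
    }
    event["event_hash"] = _h(_canonical(event))
    ledger.append(event)

def verify_ledger(ledger, artifacts):
    """Recompute the chain and re-hash stored artifacts; return (ok, problems)."""
    problems, prev = [], GENESIS
    for i, ev in enumerate(ledger):
        if ev["prev_hash"] != prev or ev["event_hash"] != _h(_canonical(ev)):
            problems.append(f"event {i}: chain break or edited entry")
        if ev["artifact_sha256"] and _h(artifacts.get(ev["artifact_id"], b"")) != ev["artifact_sha256"]:
            problems.append(f"event {i}: stored content of {ev['artifact_id']} changed")
        prev = ev["event_hash"]
    return not problems, problems

def demo():
    # Constructed sample: a privileged-access review export and its custody trail.
    artifacts = {"PAR-2024Q3": b"user,role,approved\nalice,admin,yes\n"}
    ledger = []
    append_event(ledger, "PAR-2024Q3", "collected", "iam-export-job", artifacts["PAR-2024Q3"])
    for action, actor in [("validated", "control-owner"), ("reviewed", "internal-audit"), ("provided", "audit-liaison")]:
        append_event(ledger, "PAR-2024Q3", action, actor)
    ok_before, _ = verify_ledger(ledger, artifacts)
    ledger[1]["actor"] = "someone-else"  # simulate a silent edit of a custody record
    ok_after, problems = verify_ledger(ledger, artifacts)
    return ok_before, ok_after, problems
```

Anchoring the latest event hash somewhere the preparers cannot write (for example a WORM bucket or a signed log) is what turns this into evidence that deletion of the tail is also detectable.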

Deliver auditor-ready packages and dashboards

Standardize evidence packages by control: objective, population definition, walkthrough narrative, evidence files with hashes, validation results, exceptions, and remediation plans. Provide reproduction instructions so auditors can reperform using the same data sets. For AS 2201 reliance, include IPE testing results and change management references.

Build dashboards that give executives and audit committees confidence ahead of certifications: evidence collection status, validation health, exceptions by severity, and remediation cycle times. Tie DORA and ISO/IEC 27001 control families to dashboard views so supervisors and certifiers can trace coverage quickly. Maintain a request log showing when evidence was shared with external parties.

Finally, rehearse inspections. Run pre-audit walkthroughs, perform evidence completeness checks, and stress-test chain-of-custody reports. Capture lessons learned and update the evidence catalogue, validation scripts, and training so the programme improves after every audit cycle.