Evidence is the product of an audit
Auditors don't evaluate your security philosophy — they sample evidence that a control operated as described, over the whole period. A perfect policy with no proof of execution fails the test. The work isn't being secure; it's demonstrating it.
The three kinds of evidence
- Existence — the control is documented (a policy, a configured setting).
- Operation — it ran (a ticket trail, an access-review export, a scan log).
- Consistency — it ran every time across the period, not just the week before the audit.
Type II audits live and die on the third one.
Collect continuously, not at the end
The panic happens when teams reconstruct ten months of evidence in two weeks. Instead:
- Automate captures. Quarterly access reviews export and archive themselves. Change tickets link to deploys. MFA enforcement screenshots on a schedule.
- Timestamp everything. Auditors check that evidence falls inside the observation window.
- Centralize. One evidence repository per control, not a scavenger hunt across Slack, email, and someone's laptop.
Map evidence to controls once
Build a control matrix that lists, for each control, exactly what evidence proves it and where that evidence lives. Maintained once, it turns every future audit from an excavation into a hand-off.
The best audit is a boring one — the auditor asks, you point, the evidence is already there.