Evidence Review Workflow

Evidence is reviewed to ensure it actually proves control implementation. Compliance officers approve or reject evidence with feedback.

Review Process

Step 1: Access Review Queue

  1. Go to Compliance → Evidence → For Review
  2. See all pending evidence awaiting approval
  3. Sort by:
    • Oldest First: Review in order received
    • By Control: Group by requirement
    • By Submitter: See who uploaded
  4. Filter by control type to review by framework

Step 2: Review Evidence

For each pending piece:

  1. Read Metadata:

    • System it applies to
    • Control it’s evidence for
    • Type of evidence
    • Submission date
    • Submitter name
  2. Review Description:

    • Does submitter explain what this proves?
    • Is it clear and specific?
    • Does it match the control being proven?
  3. Review Attached Files:

    • Download and examine files
    • Verify they match description
    • Check signatures on attestations
    • Verify dates are accurate
  4. Assess Sufficiency:

    • Does this evidence actually prove the control exists?
    • Is it recent enough?
    • Is it reliable/trustworthy?

Step 3: Approve or Reject

Approve

If evidence is sufficient:

  1. Click Approve
  2. Click Yes, approve this evidence
  3. Evidence immediately counts toward compliance score
  4. Appears in audit-ready reports

Reject

If evidence is insufficient:

  1. Click Reject
  2. Select reason:
    • “Insufficient detail”
    • “Expired or too old”
    • “Wrong control”
    • “Not credible/verifiable”
    • “Other”
  3. Write Feedback:
    "This policy is outdated (v1.0 from 2024).
    Please upload current version and test results
    showing policy is actually being enforced."
  4. Click Reject

Submitter is notified with feedback. Task created to collect replacement evidence.

Standards for Approval

Evidence should be:

  • Relevant: Directly proves the control
  • Current: Dated within last 12 months (unless one-time control)
  • Specific: References exact control/requirement
  • Verifiable: Can be independently verified
  • Reliable: From authoritative source (audit log, signed statement, etc.)
  • Complete: All necessary information present

Control-Specific Standards

SOC 2 Evidence

CC6.1: Access Control

  • ✓ Policy document outlining access rules
  • ✓ Audit log showing access enforcement
  • ✓ MFA enablement report
  • ✗ Generic “access is controlled” statement

CC7.2: System Monitoring

  • ✓ Audit trail export with sample entries
  • ✓ Alert rule configuration
  • ✓ Log retention policy
  • ✗ Undated screenshot

ISO 42001 Evidence

4.3: Risk Management

  • ✓ Risk assessment document
  • ✓ Mitigation controls list
  • ✓ Test results proving mitigations work
  • ✗ “We manage risks” statement

4.4: Governance Monitoring

  • ✓ Policy deployment records
  • ✓ Violation logs
  • ✓ Audit trail
  • ✗ Verbal assurance

EU AI Act Evidence

Article 8: Risk Management

  • ✓ Risk assessment for high-risk AI system
  • ✓ Documentation of mitigations
  • ✓ Monitoring procedures
  • ✗ Incomplete or partial documentation

Bulk Review

Review multiple pieces at once:

  1. Go to Compliance → Evidence → For Review
  2. Click Select Multiple
  3. Check evidence you want to review
  4. Click Review Selected
  5. See summary:
    • Total selected: 5
    • By control
    • By type
  6. Approve/reject all as a group (if similar) or individually

Evidence Expiration Management

Upcoming Expiration

Evidence expiring soon appears highlighted:

  • Yellow: Expires in 30 days
  • Red: Expires in 7 days

Renewal Workflow

  1. Click evidence expiring soon
  2. Click Renew
  3. Upload new evidence for same control
  4. Old evidence marked “Archived”
  5. New evidence becomes “Current”

Set up Expiration Reminders:

  • Settings → Compliance → Reminders
  • Get email 60/30/7 days before expiration
  • A renewal task is assigned to the responsible party

Compliance Score Impact

Evidence directly affects the compliance score:

  • Approved evidence → increases control completion
  • Rejected evidence → control stays "Incomplete"

Example:

  Control: ISO 42001 4.3 (Risk Management)
  Evidence status:
    ✓ Risk Assessment (approved)        +20%
    ✓ Mitigation Controls (approved)    +20%
    ✗ Monitoring Plan (rejected)          0%
    ? Test Results (pending review)       0%
  Current Score: 40%
  Maximum Score: 100%

To improve score:

  1. Review rejected evidence feedback
  2. Collect/submit better evidence
  3. Complete pending reviews
  4. Renew expired evidence
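The rules above (12-month currency, 30/7-day expiration highlighting, and per-item score contribution) can be checked outside the UI. The following is an added example, not the product's own code: it applies those rules to a constructed evidence list for one control. It assumes, as in the ISO 42001 4.3 example, that each approved item is worth 20% of the control score and that evidence already past its expiration date is flagged red.

```python
"""Added example (not part of the product's own code): apply this page's
evidence-review rules to a constructed evidence list for one control."""
from dataclasses import dataclass
from datetime import date, timedelta

CURRENCY_WINDOW = timedelta(days=365)  # "dated within last 12 months"
WEIGHT_PER_ITEM = 20                   # +20% per approved item (assumed, from page example)


@dataclass
class Evidence:
    name: str
    status: str    # "approved", "rejected" or "pending"
    dated: date    # date on the evidence itself
    expires: date  # date after which it must be renewed


def is_current(ev: Evidence, today: date, one_time: bool = False) -> bool:
    """Currency standard: dated within 12 months, unless the control is one-time."""
    return one_time or today - ev.dated <= CURRENCY_WINDOW


def expiry_flag(ev: Evidence, today: date) -> str:
    """Highlight colour: red within 7 days (or already expired), yellow within 30."""
    remaining = (ev.expires - today).days
    if remaining <= 7:
        return "red"
    if remaining <= 30:
        return "yellow"
    return "none"


def control_score(items: list[Evidence]) -> int:
    """Only approved evidence counts; rejected and pending items add 0%."""
    return min(100, sum(WEIGHT_PER_ITEM for e in items if e.status == "approved"))


# Constructed sample mirroring the page's ISO 42001 4.3 example (dates are made up).
TODAY = date(2025, 6, 1)
SAMPLE = [
    Evidence("Risk Assessment", "approved", date(2025, 3, 1), date(2026, 3, 1)),
    Evidence("Mitigation Controls", "approved", date(2025, 1, 15), date(2025, 6, 20)),
    Evidence("Monitoring Plan", "rejected", date(2023, 11, 1), date(2024, 11, 1)),
    Evidence("Test Results", "pending", date(2025, 5, 28), date(2025, 6, 5)),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(f"{ev.name}: current={is_current(ev, TODAY)} expiry={expiry_flag(ev, TODAY)}")
    print(f"Current Score: {control_score(SAMPLE)}%")  # prints 40%
```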

Audit Export

Export all approved evidence for auditors:

  1. Go to Compliance → Evidence → Export for Audit
  2. Choose:
    • Date range
    • Controls to include
    • Format (PDF package, ZIP of files)
  3. Click Export
  4. Share with auditors

Exported package includes:

  • All approved evidence files
  • Review decision records
  • Submitter and approver names
  • Dates and signatures
  • Framework mapping