Cyber Horizon
Back to Blog
AuditEvidenceCompliance

Audit Evidence: What Auditors Actually Accept (and Reject)

12 July 2026·8 min read·Cyber Horizon Team

Strip away the frameworks and jargon, and an audit is one question asked hundreds of times: “prove it.” Most audit pain isn’t control pain — the controls usually exist. It’s evidence pain: the proof is scattered, undated, reconstructed after the fact, or shows a single moment when the auditor needs a year.

The distinction that explains everything: design vs operation

Auditors test controls in two ways, and each needs different evidence. A design test (ISO 27001 Stage 1, SOC 2 Type I) asks: is the control sensibly built? A policy, a configuration, an architecture diagram can answer it. An operating-effectiveness test (SOC 2 Type II, ISO surveillance) asks: did the control run, every time it should have, across the whole period? That needs a trail — tickets, logs, recurring records — because a screenshot from audit week proves nothing about February.

What makes a piece of evidence admissible

AttributeWhy auditors insist on it
DatedEvidence must place the control inside the audit period. Undated screenshots are the #1 rejection.
AttributableIt must show which system it came from (URL, tenant, hostname visible) and, where relevant, who performed the action.
CompleteA full population, not a curated excerpt — auditors pick their own samples from your list, not your best three.
ContemporaneousProduced when the control ran, not reconstructed for the audit. Backfilled records are findings-in-waiting.
System-generated where possibleExports and logs outrank hand-made documents; they’re harder to accidentally (or deliberately) polish.

How sampling works — and why populations matter

For recurring controls (access reviews, change approvals, onboarding), the auditor asks for the full population for the period — every change merged, every joiner — then selects a sample themselves (commonly 10–25 items depending on frequency). Two implications: you can’t cherry-pick, and gaps in the population are findings even if every sampled item passes. If your ticketing system can’t produce “all production changes between January and June”, that inability is itself the problem.

Evidence that gets rejected

  • Undated or crop-to-hide screenshots — no system context, no timestamp, no credibility.
  • The heroic audit-week harvest: 200 artefacts all created the same Tuesday, for a period spanning a year.
  • Policies as proof of practice — a password policy is design evidence; it says nothing about whether MFA was enforced in March.
  • Spreadsheets with no provenance: who compiled it, from what system, when?
  • “The tool does it automatically” with no output shown — automation is great, but the auditor still needs the artefact.

Collecting continuously instead of cramming

  • Attach evidence to controls, not to audits — one artefact then satisfies every framework that asks (SOC 2, ISO, CAF, customer questionnaires).
  • Automate the recurring 80%: pull IdP user lists, cloud configs, scan results and endpoint status via integrations on a schedule.
  • Make workflows self-evidencing: if changes ship through reviewed PRs and incidents live in tickets, your evidence is a byproduct of working.
  • Set evidence freshness SLAs per control (e.g. quarterly exports) and alert on staleness — the audit-week panic is just a freshness monitor you didn’t build.
  • Version and retain: keep evidence for at least the audit cycle plus one, immutable once collected.

The bottom line

Auditors don’t reject controls; they reject proof. Make evidence dated, attributable, complete and continuous — collected where the work happens, mapped once to every framework — and audits shrink from a quarterly crisis to a sampling exercise over records you already have.

Evidence that collects itself

Cyber Horizon’s integrations pull evidence from your cloud, identity and dev stack on a schedule, stamp it with source and date, and map it across 72 frameworks — so audit week is a query, not a quarter.

Book a Demo