Documentary evidence is often the most overlooked phase of a compliance assessment.
In practice, I frequently encounter organisations that have invested significant effort in policies, controls, procedures, governance meetings, remediation plans and testing programmes.
Yet when an auditor, regulator, inspector or board member asks for supporting evidence, the response is often:
"We know we do it, but we need time to gather the documentation."
Unfortunately, regulators are becoming less willing to accept that answer.
Increasingly, the question is no longer:
"Are you compliant?"
The question is:
"Show me the evidence."
I wrote this article because documentary evidence is no longer a supporting activity. It is increasingly becoming the mechanism through which organisations demonstrate that compliance actually exists.
If this article helps you create a more credible, defensible and inspection-ready evidence position, it has served its purpose.
Every effective compliance assessment starts with one simple question:
Are we meeting the requirements that apply to us?
By the time an organisation reaches Documentary Evidence, four important things should already have happened:
The next question is different:
Can management demonstrate the position it relies upon with credible documentary evidence?
That question matters because modern assurance increasingly depends on demonstrable proof.
A structured documentary evidence process helps organisations:
This is the fifth article in NORVA's six-part series on practical compliance assessment.
In this article, we examine the fifth phase: Documentary Evidence.
Documentary evidence is the collection of records, artefacts, documents and supporting information that demonstrate why management's compliance position is reasonable.
It provides support for conclusions reached during the assessment process.
In practical terms, documentary evidence answers a simple question:
How do we know this conclusion is true?
Examples may include:
Importantly, documentary evidence is not simply about collecting documents.
It is about collecting documents that support reliance.
This distinction aligns closely with how evidence is viewed in audit, assurance and regulatory frameworks. They specifically emphasise the need for sufficient and appropriate evidence to support conclusions and opinions.
A practical compliance assessment can be viewed as six connected phases:
Documentary Evidence follows the Risk and Control Matrix Assessment for a reason.
RCM Assessment determines whether controls deserve management reliance.
Documentary Evidence demonstrates why that reliance is reasonable.
Put simply:
Risk and Control Matrix Assessment asks whether controls work.
Documentary Evidence asks whether that conclusion can be proved.
Many regulators, auditors and inspectors increasingly focus on evidence rather than assertions.
Across regulatory, audit, assurance and security frameworks, organisations are increasingly expected to produce:
The underlying principle is simple:
A control that cannot be evidenced may be difficult to rely upon.
That does not mean every control requires extensive documentation.
It means organisations should be able to demonstrate why their conclusions are supportable.
Many organisations ask:
Do we have evidence?
The more useful question is:
Do we have credible evidence that directly supports the position we rely upon?
There is an important difference.
Large volumes of documents do not automatically create a stronger assessment.
The objective is not document accumulation.
The objective is evidence-supported reliance.
Most mature compliance programmes operate some variation of a structured evidence lifecycle.
Determine:
Evidence should ideally be captured when activities occur.
Not recreated months later.
The assessment should consider:
Evidence should be retained in a structured and accessible manner.
Evidence should be traceable to:
Evidence should be readily available when requested.
Evidence should support the position management relies upon.
Historically, many organisations treated evidence gathering as something performed immediately before an audit.
That approach is becoming increasingly difficult to defend.
Modern audit-readiness and regulatory-readiness models emphasise evidence that is:
The expectation increasingly resembles:
"Show it now."
rather than:
"Give us three weeks to find it."
Immediate availability reduces disruption, demonstrates maturity and strengthens credibility.
One of the biggest misconceptions about evidence is that more must always be better.
That is not what most mature frameworks advocate.
PCAOB guidance links evidence requirements to risk and reliability of conclusions. Higher-risk areas generally require more persuasive evidence.
The practical objective is:
Enough evidence to support reasonable reliance.
Not:
Collect every document that exists.
Proportionality remains important.
Evidence should be aligned to:
A useful evidence repository should help demonstrate:
What requirement applies?
What risk is being addressed?
What control addresses the risk?
Who is responsible?
Did the control actually occur?
What supports that conclusion?
Can the conclusion be traced back to supporting records?
Together, these elements create a stronger basis for management reliance.
A structured evidence process can help organisations achieve:
Evidence is already available when needed.
Regulatory requests can be answered more efficiently.
Management can better understand the basis for the position being relied upon.
Less time is spent searching for historical records.
Conclusions become easier to defend and explain.
Common problems include:
Good evidence management is disciplined and purpose-driven.
Each phase of NORVA's methodology answers a different question.
What applies?
How ready do we appear to be?
What appears to be missing?
Do the controls actually work?
Can we prove it?
This distinction is important.
Assessment conclusions become more persuasive when supported by credible evidence.
Documentary Evidence should not rely on shared drives, email trails and manual recollection.
A practical assessment tool should help users:
This is why NORVA's Compliance Assessment Toolkit incorporates an evidentiary document repository directly within the assessment environment.
The objective is to make evidence part of the assessment process rather than an afterthought.
Before concluding that management's position is supportable, the assessment team should be able to answer:
If the answer is yes, the organisation is generally in a stronger position to support its assessment findings.
Documentary Evidence is not the administrative tail-end of a compliance assessment.
It is increasingly becoming one of the most important phases.
Scope tells us what applies.
Maturity Assessment tells us where we stand.
Gap Analysis tells us what appears to be missing.
Risk and Control Matrix Assessment tells us whether controls work.
Documentary Evidence tells us whether we can prove it.
Increasingly, that proof is what auditors, regulators and inspectors want to see.
Controls create confidence.
Evidence creates credibility.
I hope that helps.
If it applies, assess it. If you rely on it, document your evidence.