Executive summary

Many organisations have access controls. Fewer can prove those controls work. The gap between control existence and control evidence is where audit findings live — and where regulatory risk accumulates.

When auditors ask for evidence, scrambling begins. Screenshots are gathered manually. Spreadsheets are reconciled. Explanations are constructed. This reactive posture signals that governance is documentation, not operation — and auditors know the difference.

Common evidence failures

Access reviews completed but not documented

What happens: Managers review access lists, make decisions, and move on. But the decisions aren't recorded — no timestamp, no rationale, no evidence that review actually occurred.

The audit problem: "We did the review" isn't evidence. Auditors need to see who reviewed what, when, what they decided, and why. Verbal confirmation doesn't satisfy regulatory requirements.

Result: Access review controls are marked as ineffective — not because reviews didn't happen, but because they can't be proven.

Removal actions without completion evidence

What happens: A leaver is flagged, a ticket is raised, and access is supposedly removed. But there's no verification that removal actually completed across all systems.

The audit problem: Auditors sample leavers and check system access. Finding active accounts for departed users is a common, career-limiting audit finding.

Result: Offboarding controls fail testing because the ticket says "done" but the systems say otherwise.

Exceptions granted but not tracked

What happens: Emergency access is granted via email. Temporary permissions are added to meet a deadline. These exceptions exist outside formal workflow and governance.

The audit problem: Exceptions must be documented, time-bound, approved, and reviewed. Informal exceptions are ungoverned access — exactly what controls are supposed to prevent.

Result: Discovered exceptions trigger findings about control bypass, inadequate exception governance, and elevated risk.

Policies that don't match reality

What happens: Policy says quarterly access reviews. Reality is annual reviews, or ad-hoc reviews, or reviews that never completed. Policy says 24-hour leaver deprovisioning. Reality is "when we get to it."

The audit problem: Policy creates expectation. Failing to meet policy is a control failure. Better to have realistic policy you can evidence than aspirational policy you can't.

Result: Policy-reality gaps become audit findings about control design, implementation, or operating effectiveness — all of which are reportable.

Why evidence gaps persist

Evidence problems aren't about intent — they're about infrastructure:

Controls designed for action, not evidence

Processes focus on getting things done, not proving they were done. Evidence is an afterthought, bolted on during audit season.

Fragmented systems

Access decisions happen in tickets, emails, spreadsheets, and multiple IAM tools. No single system captures the full evidence trail.

Manual reconciliation

Evidence requires stitching together data from multiple sources. This manual effort doesn't happen continuously — only when auditors ask.

Ownership ambiguity

Nobody owns evidence quality. IAM teams own controls. GRC teams own audits. The gap between them is where evidence falls through.

Point-in-time snapshots

Evidence is gathered for audit periods, not maintained continuously. Between audits, evidence quality degrades and gaps accumulate.

Legacy system limitations

Older systems don't log the right events or retain logs long enough. Critical evidence simply doesn't exist in some environments.

What auditors actually look for

Understanding the auditor's lens helps explain why evidence matters:

Control design: Is the control designed to address the risk? Does policy exist, and does it make sense? This is the easiest test to pass.

Control implementation: Is the control actually in place? Are the tools configured, the processes defined, the roles assigned? This requires configuration evidence.

Operating effectiveness: Does the control work consistently over time? This is where most failures occur — and it requires continuous evidence, not point-in-time screenshots.

Auditors test operating effectiveness through sampling. They pick random access reviews, random leavers, random exceptions — and check whether evidence exists for each one. A single missing evidence item in a sample can be extrapolated into a finding about the effectiveness of the whole control.

What audit-ready governance looks like

Organisations that pass audits cleanly build evidence into their control design:

Evidence by default

Every control action automatically generates a timestamped, attributable record. Evidence isn't gathered — it's produced.

Single source of truth

Access decisions, reviews, and exceptions flow through centralised systems that maintain complete audit trails.

Continuous reconciliation

Systems are compared continuously, not just at audit time. Discrepancies are detected and resolved before auditors find them.

Policy-reality alignment

Policies reflect what's actually achievable. Commitments are realistic and measurable. No aspirational controls that can't be evidenced.

Exception governance

All exceptions are logged, time-bound, approved, and reviewed. Exception evidence is as rigorous as standard control evidence.

Retention discipline

Logs and evidence are retained for the full audit lookback period. Nothing critical ages out before it can be reviewed.

How Solluna Caelum approaches this

We help organisations build evidence into governance, not bolt it on afterward:

1. Evidence gap assessment: Map current controls against evidence requirements. Identify where evidence is missing, incomplete, or manually gathered.

2. Control redesign: Modify control processes to generate evidence automatically. Build logging, timestamps, and attribution into workflows.

3. System consolidation: Where possible, centralise access governance to reduce fragmentation and create unified audit trails.

4. Reconciliation automation: Implement continuous comparison between policy intent and system reality. Surface discrepancies proactively.

5. Audit preparation: Build evidence packages that map directly to control objectives. Reduce auditor effort and demonstrate mature governance.
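The reconciliation step above, applied to the leaver-deprovisioning case, as an added illustration (not Solluna Caelum's tooling): an HR leaver feed is compared with per-system account exports against the 24-hour policy, and every run produces a timestamped, attributable record whether or not it finds anything. The leaver dates, account states and job name are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample inputs: HR leaver feed (user -> last day) and account
# exports from two systems, as a scheduled reconciliation job would pull them.
LEAVERS = {
    "alice": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),
    "bob":   datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc),
    "carol": datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc),
}
ACCOUNTS = {
    "vpn": {"alice": "active", "bob": "disabled", "carol": "active", "dave": "active"},
    "crm": {"alice": "disabled", "bob": "active", "carol": "active"},
}
SLA = timedelta(hours=24)  # policy commitment: leaver access removed within 24h
NOW = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)  # constructed run time

@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    overdue_by: timedelta

def reconcile_leavers(leavers, accounts, now, sla=SLA):
    """Every still-active account of a leaver whose removal deadline has passed.
    Leavers still inside the SLA window (carol here) are not findings yet."""
    findings = []
    for system, users in accounts.items():
        for user, state in users.items():
            left = leavers.get(user)
            if left is None or state != "active":
                continue  # not a leaver, or already deprovisioned
            deadline = left + sla
            if now > deadline:
                findings.append(Finding(user, system, now - deadline))
    return sorted(findings, key=lambda f: (f.user, f.system))

def evidence_record(findings, now, run_by):
    """Evidence-by-default: a record is produced on every run, including passes."""
    return {
        "control": "leaver-deprovisioning-24h",
        "checked_at": now.isoformat(),
        "run_by": run_by,
        "result": "fail" if findings else "pass",
        "findings": [{"user": f.user, "system": f.system,
                      "overdue_hours": round(f.overdue_by.total_seconds() / 3600, 1)}
                     for f in findings],
    }

def run_check(run_by="iam-recon-job"):
    return evidence_record(reconcile_leavers(LEAVERS, ACCOUNTS, NOW), NOW, run_by)
```

Persisting each record (including passes) is what turns the job into sampleable evidence: an auditor picking any leaver can see when the check ran, who ran it, and what it concluded.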

Tired of scrambling before every audit?

If evidence gathering is a fire drill — or if findings keep recurring because controls can't be proven — let's build governance that's audit-ready by design.

Related taxonomy: Audit Evidence · Control Effectiveness · Compliance Documentation · Access Certification · Reconciliation · Exception Governance