Audit fieldwork evidence request fulfillment
on the engagement record, not in a spreadsheet the auditor watches over your shoulder

The PBC list arrives as a spreadsheet, the team fills in cells, the auditor pulls a copy at the end of fieldwork. The chain of custody is the spreadsheet; the evidence is screenshots and email attachments referenced in the cells. When the next year audit opens, the chronology is lost because nothing is on a maintained record. The fix is making the PBC list a structured engagement: each request is an item, each response is an artefact on the item, each follow-up is a state transition, and the activity log captures every change with timestamp and user attribution.

The team builds a SOC 2 evidence deck and a fieldwork response binder that describe what should be happening rather than pulling from the live record. The auditor compares the binder to the operating record and finds the inconsistencies. The fix is responding from the live record: cite the engagement, the finding, the scan, the activity log entry, the policy version in document management. If the live record cannot answer the question, the gap is the audit finding, not a missing summary.

The auditor asks for twelve access reviews selected at random across the quarter; the team produces twelve access reviews from the easiest week to retrieve. The auditor reads the sample as a control failure when the population is non-random. The fix is capturing the sample selection criteria, the random-or-judgmental method, the named selector, and the selected sample IDs on the request item before the response is assembled, so the audit reads against the same sampling decision the team made.

A request lands in a shared inbox or a Slack channel and waits for whoever has bandwidth. Three days pass and the named owner is still ambiguous. The auditor escalates and the team scrambles. The fix is routing each request to a named owner with RBAC at the moment the PBC list is ingested, with a documented response deadline on the item and notifications pushing pending and overdue requests to the named owner rather than to the room.

The walkthrough goes well, the auditor leaves satisfied, and no one documents what was demonstrated. The next year audit asks for the same walkthrough and the person who gave it has left. The team re-walks an updated process and the auditor reads the change as undocumented. The fix is capturing the walkthrough note on the request item with the named attendees, the demonstrated step sequence, and the artefact references discussed, so the next cycle reads against a defensible prior.

A SOC 2 report from a prior cycle, raw finding records, configuration baselines, and customer data samples all leave the team as email attachments. The chain of custody is the email server. When a regulator-driven inquiry asks how a sensitive artefact was shared, the team cannot answer. The fix is releasing through the branded client portal or watermarked document export, with the countersigned NDA gating the release and the access scope carrying an expiry tied to the audit close.

The original auditor request identifier (the PBC line item number or RFI reference), the audit reference (SOC 2 Type 2 observation period, ISO 27001 surveillance audit, PCI DSS quarterly check, internal audit cycle), the control area (CC6.1 logical access, CC7.1 vulnerability management, A.5.34 privacy, Requirement 10 logging), and the requested artefact (policy, configuration, log, sample, walkthrough, attestation). The fields are what allow the next cycle to read continuous with the prior cycle rather than starting from a fresh spreadsheet.

For sampling requests, the population description, the sample size, the selection method (random with a documented seed, judgmental with a documented rationale, statistical with a documented confidence level), the named selector, and the selected sample identifiers. Sample-related findings against the platform are reproducible across audit cycles because the selection method lives on the engagement rather than in the head of one operator.

The named internal owner responsible for assembling and submitting the response, the RBAC role granted to that owner on the engagement, the documented response deadline, and the escalation path when the deadline approaches. Notifications push pending and overdue requests to the owner on the documented cadence so the queue does not silently fall behind.

The artefacts attached as the response (the document version, the CSV export, the watermarked PDF, the configuration snapshot, the walkthrough note) with the provenance for each: where the artefact was pulled from (which engagement, which finding, which scan, which activity log query), the named owner who pulled it, the capture timestamp, and the redaction or watermarking applied. The auditor reads the artefact and the provenance together so the chain of custody is reconstructable.

The release channel (branded client portal scoped to the named auditor reviewer, watermarked download via signed URL, NDA-gated walkthrough, in-person review at a structured walkthrough), the countersigned NDA reference where applicable, the access expiry tied to the audit close date, and the named owner responsible for revoking access at audit close. Access without a revocation owner is access that drifts beyond the audit window.

The auditor acceptance or follow-up note (request fulfilled, clarification needed, re-pull requested, deficiency asserted), the linked follow-up items, the management response where a deficiency is asserted (the named owner, the remediation plan, the target evidence, the next-cycle deadline), and the timestamp of every state transition. The follow-up chronology lives on the original item rather than as a new thread so the audit lookback reads as one record per request.

The retention discipline that decides what evidence is kept and for how long runs on the audit evidence retention workflow, the certification cycle the fieldwork supports runs on the compliance audits workflow, and the control mapping that turns one canonical control into many framework citations runs on the control mapping crosswalks workflow.

The deficiency log feeds the control gap remediation workflow, the customer-facing release pipeline that reuses the same SOC 2 and pentest attestation runs on the customer security evidence room, the cyber-insurance audience packaging runs on the cyber insurance security evidence workflow, and the leadership read-out lands on the security leadership reporting workflow.

No request sits in a shared inbox waiting for someone with bandwidth. Each PBC item routes to a named owner with the RBAC scope to respond and a documented deadline that shows up on the notification queue.

No fresh summary authored for the audit. Responses cite the engagement, the finding, the scan, the activity log entry, or the policy version so the auditor reads the live operating evidence rather than an interpretation.

No drift between what the auditor asked for and what the team produced. The selection method, the named selector, and the selected identifiers land on the request item before the response is assembled.

No freeform email attachments. Sensitive artefacts release through the branded portal or a watermarked export with NDA gating, access expiry tied to audit close, and a named revocation owner.

No new threads for clarifications, re-pulls, or deficiency assertions. The follow-up chronology lives as state transitions on the original request item so the audit lookback reads as one record per request.

The next audit opens against the prior engagement so the carry-forward observations, the documented samples, the named responders, and the deficiency log all read continuous rather than rebuilt from a fresh spreadsheet.