Evidence Pack & Audit Readiness — Evidence & Audit

Zen AI Governance — Knowledge Base • EU/UK alignment • Updated 05 Nov 2025 • www.zenaigovernance.com

Evidence Pack & Audit Readiness

Key takeaways
  • Evidence needs to be complete, current, and easily navigable — assume the auditor sees nothing else.
  • Snapshots per release; immutable copies for incidents/assessments; cross-references everywhere.

What counts as evidence?

  • Policies, procedures, risk registers, data/model cards, evaluations, approvals, training records.
  • Runbooks, logs, dashboards, incidents, CAPA outcomes, supplier attestations, CE documentation.

Requirement–control–evidence matrix

  • Every requirement maps to control(s) with owner, metric, threshold and URL to evidence.
  • Keep an index HTML/CSV at the root of the pack for quick searching.

Folder structure & snapshots

  • Snapshot per release: R2025-11-05/ with subfolders for RMS, Data, Model, Security, Oversight, PMM, Incidents, CAPA, Supplier, CE.
  • Immutable snapshot for assessments and serious incidents.

Approvals & sign-offs

  • Named approvers; time stamps; decision rationale; links to risks and change tickets.

Third-party attestations

  • Vendor safety/security attestations; SBOMs; evaluation summaries; breach obligations; service descriptions.

Handling auditor requests

  • Request tracker; response owners; turnaround SLAs; redaction policy; secure data room.

Sampling & redaction

  • Pre-prepared redacted examples; synthetic cases; statistical sampling plan for logs/records.

Integrity & chain of custody

  • Hashing/signing for key artifacts; change logs; read-only exports; custody register.

PMM/incident/CAPA evidence

  • Link incident → evidence bundle → CAPA → effectiveness check → risk update.

Executive brief & demo script

  • One-page summary; system architecture; where evidence lives; 10-minute live demo path.

Common audit pitfalls

  • Evidence that doesn’t match the requirement; missing approvals; stale snapshots; no PMM link.

Readiness checklist

  • Matrix complete; snapshots available; approvals recorded; redaction ready; demo path rehearsed.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 05 Nov 2025 • This page is general guidance, not legal advice.
