Glossary term
Governance and Compliance
The records, documents, system data, and observations used to support audit conclusions. Examples include policies, approvals, training records, monitoring outputs, incident reports, and configuration evidence. Evidence quality depends on source reliability, completeness, timeliness, and the ability to reproduce or independently confirm it.
ISO 19011 and IIA Standards both establish evidence quality requirements applicable to AI internal audit.
Drata, Vanta, and Secureframe provide automated evidence collection for SOC 2 and ISO 27001 audits extensible to AI controls.
Anthropic, AWS, and Microsoft publish SOC 2 Type II reports as audit evidence available to enterprise customers under NDA.