Audit

What an auditor will ask. What Comply already logs.

A controls review wants three things: did the policy exist at the time, did the system enforce it, and can you prove neither was tampered with after the fact.

Evidence packets help security and compliance teams answer the audit question without reconstructing a story from scattered logs.

Did the policy exist at the time?

Every policy carries versioned state. Governance manifests export the policy, role, principle, integration, and classification state that applied during a selected window.

The evidence: a scoped Governance Manifest for the audit window.

Did the system enforce the policy?

Pre-request decisions, post-response decisions, human approvals and denials, classification changes, and consequential policy events write to the audit log with actor, action, target, request details, outcome, policy version, and timestamp.

The evidence: filtered audit log exports for the window under review.

Can you prove the audit log was not rewritten?

The hash chain verifies against persisted audit state. Tamper with a historical entry and verification identifies the chain break.

The evidence: a chain verification result shipped alongside the exported log.

Compliance frameworks the architecture supports

Tamper-evident logging, least-privilege enforcement, role-aware access, human approval for consequential actions, and exportable evidence packets support SOX, HIPAA, GDPR, and SOC 2 controls reviews. Specific contractual commitments belong in executed customer agreements.