Preparing Evidence for an Audit
Generate and export audit-ready evidence packages for compliance reviews.
Evidence packages bundle the full remediation trail into exportable, integrity-verified artifacts. This guide covers how to generate and prepare them for an auditor.
Identify the scope
Determine which work items fall within the audit period. You can filter by date range, severity, compliance framework, or verification status to narrow the set.
Generate evidence packages
Basirah creates evidence packages automatically when work items reach verified closure. For items that were resolved during the audit period, packages should already exist. You can also generate packages on demand for any work item — useful for documenting risk acceptance decisions.
Verify integrity
Each evidence package includes SHA-256 integrity hashes. Before sharing a package with auditors, recompute the hashes and confirm they match the recorded values, which shows the package hasn’t been altered since generation.
Export in the right format
Choose the export format that fits your auditor’s needs: PDF for human-readable reports, JSON for ingestion into GRC platforms, or CSV for spreadsheet analysis. All formats include the integrity manifest.
For periodic compliance reviews, export all evidence packages within a date range at once rather than downloading them individually.
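The check from the "Verify integrity" step, run against an exported package on disk, as an added example (not Basirah's own code). The manifest layout (`manifest.json` holding a `files` map of relative path to SHA-256 hex), the function names and the sample files are assumptions, since this page does not specify the manifest format.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large exports are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_package(package_dir, manifest_name="manifest.json"):
    """Check files against the assumed layout {"files": {"<rel path>": "<sha256 hex>"}}."""
    root = Path(package_dir).resolve()
    listed = json.loads((root / manifest_name).read_text())["files"]
    result = {"ok": [], "mismatched": [], "missing": [], "unlisted": [], "rejected": []}
    for rel, expected in listed.items():
        target = (root / rel).resolve()
        if not target.is_relative_to(root):  # entry resolves outside the package
            result["rejected"].append(rel)
        elif not target.is_file():
            result["missing"].append(rel)
        elif sha256_file(target) == expected.lower():
            result["ok"].append(rel)
        else:
            result["mismatched"].append(rel)
    for path in root.rglob("*"):  # files on disk that the manifest does not cover
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel != manifest_name and rel not in listed:
            result["unlisted"].append(rel)
    return result


def demo():
    """Build a constructed sample package, change it after 'generation', verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.json").write_text('{"item": "WI-0001", "status": "verified"}')
        (root / "timeline.csv").write_text("ts,event\n2024-01-01,closed\n")
        files = {p.name: sha256_file(p) for p in root.iterdir()}
        files["../outside.txt"] = "0" * 64  # constructed entry pointing outside
        (root / "manifest.json").write_text(json.dumps({"files": files}))
        (root / "timeline.csv").write_text("ts,event\n2024-01-01,reopened\n")
        (root / "extra.txt").write_text("added after generation")
        return verify_package(root)
```

A manifest that travels inside the package only shows internal consistency, so also compare the manifest's own SHA-256 against a value recorded outside the package.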