Control Owners: Responsibilities & Evidence Gathering

Best Practices for Providing Manual Evidence

A checklist for collecting and uploading manual evidence correctly into your account

Accurately capturing and uploading manual evidence is critical to ensuring that Trustero’s GRC AI features provide maximum value within your account. By following this guide, you enable Trustero’s AI to conduct thorough, ongoing audits and give you an accurate snapshot of your overall compliance and security posture. This helps you identify gaps before an auditor does and ensures that key protective safeguards remain in place to mitigate risk.

Essential Checklist for Manual Evidence

  1. Screenshots Must Show When and Where
    • Every screenshot you take as evidence should show the date and time (timestamp) it was taken.
    • It must also show the name of the application or tool you're using.
  2. Picking the Right Date
    • When you add evidence to a control it is automatically assigned a date based on when you added the evidence.
    • Make sure the date is during your audit period so the auditor will consider it valid. If you are adding it before or after your audit period, you can move it into your audit by updating the relevant date. (See Evidence Relevant Date for details on adjusting dates.)
  3. Reporting Things That Didn't Happen (Nonoccurrence)
    • Sometimes, you need to show that something did NOT happen, like not hiring new staff during the audit.
    • In this case, write a clear explanation in the Add Evidence text field labeled for nonoccurrence.
  4. Description Caption and Naming Convention for the Evidence
    • Label your evidence descriptively so that both auditors and our AI systems can understand and process it easily.
    • Use a structured file name format: [Source]-[Content]-[Purpose]
    • Example names for evidence files:
      1. Jira - employee onboarding checklist - new hires
      2. HRIS - security training records - all employees
      3. HRIS - user list - Bring Your Own Device (BYOD) - laptop
      4. HRIS - user list - BYOD mobile phone

Supported Content Types

Ensure that manual evidence is submitted in one of the supported formats listed below to maintain clarity and accessibility. This enables both auditors and our AI systems to process the evidence effectively:

  • .csv - Comma-Separated Values
  • .doc - Old Microsoft Word
  • .docx - Microsoft Word
  • .jpeg, .jpg - JPEG Image
  • .md - Markdown
  • .pdf - Portable Document Format
  • .png - Portable Network Graphics
  • .ppt, .pptm, .pptx - Microsoft PowerPoint
  • .xlsx - Microsoft Excel
  • .numbers - Apple Numbers

Content types that cannot be read by Trustero AI include:

  • Links
  • Password-protected documents
  • Images within PDFs - including scanned documents

By following these points, you can make sure the evidence you submit meets the standards auditors require. Remember, clarity is key: make sure your evidence is legible, clearly labeled, and dated within the required timeframe to avoid any confusion.

Trustero Tip: For real examples of passing evidence, refer to the Trustero demo account: Demo - SOC 2 - All Passing - v3

Additional information about the demo account can be found in this product announcement: What Good Looks Like: Demo Examples

Visual Examples

  • Timestamp and Tool Name

  • Selecting the Relevant Date When Adding Evidence

  • Nonoccurrence