Skip to main content
All CollectionsAuditor Experience
Audit Package Control Evidence
Audit Package Control Evidence

This article covers the structure for control evidence package

Faraz Yaghouti avatar
Written by Faraz Yaghouti
Updated over a week ago

Audit Package

Drata audit package contains data from four sources:

1. Monitored Evidence

For monitored controls, we automatically attach relevant evidence based on audit dates selected by the auditors.

Controls including monitored evidence

Almost all monitored controls (except for controls related to personnel compliance) include this type of evidence. To see a full list of these controls, please go to 'Controls' and filter by 'Monitored'. To see sample evidence, open a control from the list, select 'View Raw Results', pick a date (assuming this will be auditor's sampled selected date), and then select 'Download event details'.

2. Manual Evidence

In the audit package, we include linked policies and/or external files/URLs.

Controls including manual evidence:

Manual evidence attached to any control should be available in the audit package. To see this evidence for a specific control, select that control, go to 'Control Evidence', and select 'Download Files'.

3. Personnel Evidence

In the audit package, we produce three folders, one for current employees, another for new hires, and a third for former employees, which contain all the necessary information for the auditor's selected personnel samples. Additionally, we produce a policy acceptance overview CSV for each category. The policy acceptance overview provides a summary and breakdown of the sampled personnel’s policy acceptance statuses on active policies. To see sample personnel evidence, go to 'Personnel', select any employee or contractor, go to the menu above, and select 'Download'.

Note: The downloaded PDFs have different levels of information based on the status of the personnel. Additionally, the ‘Policy acceptance overview’ CSV excludes offboarded personnel from your sampling.

Controls including personnel evidence:

Any controls related to personnel compliance should include this evidence. (Some examples: DCF-32, DCF 36, DCF-37, DCF-39, DCF-40, DCF 44, DCF 45, DCF-48, DCF-49, DCF-50, DCF-51, DCF-52).

Note: You may only see a subset of these controls depending on your frameworks.

4. Special Evidence

These are controls with special treatment in Drata. Data for each control can be found in different part of the application.

For current personnel, the associated PDFs have additional sections (aka 'Special Evidence'—including background check, accepted policies, device data, etc. For former personnel, less information will be included in the PDF.

Controls including special evidence:

Control

Data Location

DCF-16

Evidence Library Page -> Report with creation date within audit time period.

DCF-20

Generate a Zip including all Assets in the asset section

DCF-21

Reports/docs Page -> Document with the type Architecture Diagram and creation date within Audit time period.

DCF-22

Evidence Library Page -> Document with the type Network diagram and creation date within audit time period.

DCF-26

Evidence Library Page -> Document with the type BCP/DR and creation date within audit time period.

DCF-46

Setting -> HR -> Sample employment agreement

DCF-47

Sample job description from HR page

DCF-56, 57, 129, 132

Generate a .zip containing all the vendors with their attached evidence - No date limitations.

DCF-64

Setting -> Company Info -> Sample MSA

DCF-65

Setting -> Company Info -> Privacy policy URL

DCF-66

Setting -> Company Info -> Terms of Service URL

DCF-145

Setting -> Key Personnel Info -> Board of directors CSV

Note: To learn more about how the Control Evidence Package is generated, and how to see updated evidence, go to this Audit Hub help article, and scroll down to the "The Auditor can also have additional functionality that allows them to:" section.

Did this answer your question?