Audit Package Control Evidence

This article covers the structure of the control evidence package.

Written by Faraz Yaghouti
Updated over a week ago

Audit Package

The Drata audit package contains data from four sources:

1. Monitored Evidence

For monitored controls, we automatically attach relevant evidence based on audit dates selected by the auditors.

Controls including monitored evidence:

Almost all monitored controls (except for controls related to personnel compliance) include this type of evidence. To see a full list of these controls, go to 'Controls' and filter by 'Monitored'. To see sample evidence, open a control from the list, select 'View Raw Results', pick a date (assuming this will be the auditor's selected sample date), and then select 'Download event details'.

2. Manual Evidence

In the audit package, we include linked policies and/or external files/URLs.

Controls including manual evidence:

Manual evidence attached to any control should be available in the audit package. To see this evidence for a specific control, select that control, go to 'Control Evidence', and select 'Download Files'.

3. Personnel Evidence

In the audit package, we produce three folders, one for current employees, another for new hires, and a third for former employees, which contain all the necessary information for the auditor's selected personnel samples. Additionally, we produce a policy acceptance overview CSV for each category. The policy acceptance overview provides a summary and breakdown of the sampled personnel’s policy acceptance statuses on active policies. To see sample personnel evidence, go to 'Personnel', select any employee or contractor, go to the menu above, and select 'Download'.

Note: The downloaded PDFs have different levels of information based on the status of the personnel. Additionally, the ‘Policy acceptance overview’ CSV excludes offboarded personnel from your sampling.

Controls including personnel evidence:

Any controls related to personnel compliance should include this evidence (some examples: DCF-32, DCF-36, DCF-37, DCF-39, DCF-40, DCF-44, DCF-45, DCF-48, DCF-49, DCF-50, DCF-51, DCF-52).

Note: You may only see a subset of these controls depending on your frameworks.

4. Special Evidence

These are controls with special treatment in Drata. Data for each control can be found in different parts of the application.

For current personnel, the associated PDFs have additional sections (aka 'Special Evidence'), including background check, accepted policies, device data, etc. For former personnel, less information will be included in the PDF.

Controls including special evidence:

| Control | Data Location |
| --- | --- |
| DCF-16 | Evidence Library Page -> Report with creation date within audit time period. |
| DCF-20 | Generate a Zip including all Assets in the asset section |
| DCF-21 | Reports/docs Page -> Document with the type Architecture Diagram and creation date within audit time period. |
| DCF-22 | Evidence Library Page -> Document with the type Network diagram and creation date within audit time period. |
| DCF-26 | Evidence Library Page -> Document with the type BCP/DR and creation date within audit time period. |
| DCF-46 | Setting -> HR -> Sample employment agreement |
| DCF-47 | Sample job description from HR page |
| DCF-56, 57, 129, 132 | Generate a .zip containing all the vendors with their attached evidence - No date limitations. |
| DCF-64 | Setting -> Company Info -> Sample MSA |
| DCF-65 | Setting -> Company Info -> Privacy policy URL |
| DCF-66 | Setting -> Company Info -> Terms of Service URL |
| DCF-145 | Setting -> Key Personnel Info -> Board of directors CSV |

Note: To learn more about how the Control Evidence Package is generated, and how to see updated evidence, go to this Audit Hub help article, and scroll down to the "The Auditor can also have additional functionality that allows them to:" section.