Build evidence for audits
Build evidence for audits
Section titled “Build evidence for audits”An audit, a security questionnaire, or an RFP all ask the same thing in different words: for each requirement, show us the proof. The slow part is never the answer — it’s the hunting. You know the evidence exists somewhere across policies, architecture docs, prior attestations and process descriptions, but lining each requirement up against the right document by hand takes days, and a single missed item is the one the reviewer circles.
This walkthrough shows you how to turn that into a repeatable flow: put your evidence and the requirement list in front of SUPERWISE Chat together, ask it to build a requirement-to-evidence matrix, convert that into an audit-ready packet, export it for your reviewers — and file the finished packet back as a versioned record for next time.
We’ll use a running example: responding to a vendor security questionnaire with 40-odd numbered requirements. By the end you’ll have a capability matrix mapping each requirement number to a specific document, a clean summary of where the gaps are, and an exported packet ready to hand to BizDev and Product Quality.
Step 1 — Gather your evidence into a Knowledge collection
Section titled “Step 1 — Gather your evidence into a Knowledge collection”Evidence you’ll reuse belongs in Knowledge, not stapled to a single message. A Knowledge collection is a curated set of documents the assistant can search and cite by name, which is exactly what an auditor wants to see.
- Open Knowledge and create a collection — call it something durable like
Security Evidence — 2026. - Choose the right scope so the right people can reach it:
- Personal if it’s only yours while you draft.
- Folder to share it with a project team.
- Tenant to make it available across your organization.
- Add your source documents with Add Source → File Upload: security policies, your architecture overview, access-control and data-handling procedures, prior SOC 2 / ISO attestations, business-continuity plans — whatever you’d point an auditor to. Supported types include PDF, DOC/DOCX, XLS/XLSX, PPT/PPTX, CSV, TXT, Markdown and more, up to 100 MB per file.
Each document is read, split into passages and indexed so the assistant can retrieve the exact relevant section — not just the filename — when it builds your matrix.
For the full walkthrough of building collections, see Upload a file.
Step 2 — Point the conversation at your evidence
Section titled “Step 2 — Point the conversation at your evidence”Start a new conversation and bind it to the collection you just built so every question is answered from that evidence and cited back to it.
- Open the Knowledge dropdown in the conversation and select your
Security Evidence — 2026collection, or - Use an Assistant that already has the collection linked — an “Audit Assistant” you configure once with the right tone, a system prompt like “You are a compliance analyst. Cite the source document for every claim and flag anything you cannot substantiate,” and your evidence collection attached. After that, every audit you run starts pre-loaded.
To set up that reusable assistant, see Choosing an assistant.
For this kind of careful, evidence-grounded work, pick the Research tier in the composer before you send. It runs the full retrieval-and-reasoning path so answers are drawn from your documents rather than general knowledge.
Step 3 — Bring the requirement list into the conversation
Section titled “Step 3 — Bring the requirement list into the conversation”The requirement list is the other half of the context. The cleanest way is to attach the questionnaire (or RFP section, or control checklist) directly to your message:
- Drag the file onto the composer, paste it, or use the + menu → Attach file.
Now the assistant has both sides in view at once: the requirements from the attachment and the evidence from your collection. That’s the combination that makes the next step work — it can read each requirement and search your evidence for the match.
If your requirement list is short, you can simply paste it into the message instead of attaching a file — either works.
Step 4 — Ask for the requirement-to-evidence matrix
Section titled “Step 4 — Ask for the requirement-to-evidence matrix”Now ask for the mapping. Be explicit that you want requirement numbers tied to specific, cited documents — and that gaps should be called out, not glossed over.
Example prompt
Using the attached questionnaire and our evidence collection, build a capability matrix. For each requirement, give me a table with: requirement number, the requirement summary, the specific document(s) that provide evidence, a short quote or section reference, and a status of Met, Partial, or Gap. Where you find no supporting evidence, mark it Gap and say so plainly — do not guess.
What you’ll see come back is a table along these lines:
| Req # | Requirement | Evidence | Reference | Status |
|---|---|---|---|---|
| 2.1 | Data encrypted in transit | Data Handling Policy | §4.2, “TLS 1.2+ for all external traffic” | Met |
| 3.4 | Annual access reviews | Access Control Procedure | §6, “quarterly access recertification” | Met |
| 5.2 | Documented incident response plan | — | No supporting document found | Gap |
Every “Met” row carries a citation you can click to open the exact passage it came from, so you (and later your reviewer) can verify the claim instead of taking it on faith.
Iterate freely. Use the Refine this button under the response to tighten the table, or ask follow-ups like “Show me only the Partial and Gap rows” or “Group these by control family.”
Step 5 — Convert the matrix into an audit-ready packet
Section titled “Step 5 — Convert the matrix into an audit-ready packet”A raw table isn’t yet a deliverable. Ask the assistant to assemble the evidence summary your reviewers actually need to read.
Example prompt
Turn this matrix into an audit-ready evidence summary. Start with a one-paragraph executive overview (how many requirements are Met, Partial, and Gap), then the full matrix, then a “Gaps and next steps” section listing each gap with a suggested owner and remediation action.
You now have a complete packet: an at-a-glance scorecard, the cited matrix, and an action list for the gaps — all grounded in your real documents.
Step 6 — Export and share
Section titled “Step 6 — Export and share”Send the finished packet to BizDev, Product Quality, or your auditor in a format they can file.
- Use the conversation menu or message overflow → Export as PDF for a polished, shareable document, or Export as Markdown if a colleague wants to edit it.
- The PDF preserves the matrix, the summary and the citation references, so anyone reviewing it can see not just that a requirement is met but where the proof lives.
Full options are in Export a conversation.
Step 7 — File the completed packet back as a versioned record
Section titled “Step 7 — File the completed packet back as a versioned record”The packet you just produced is itself evidence for the next audit. Close the loop by adding it back to Knowledge.
- Save the exported packet, then in your evidence collection use Add Source → File Upload
to add it — name it clearly, e.g.
Vendor Security Questionnaire — Completed 2026-06. - The next time a similar questionnaire arrives, the assistant can draw on your previous completed packet as a starting point, so you’re updating last time’s work rather than starting from zero.
Over a few cycles your collection becomes a living audit archive: current evidence, plus a versioned trail of every completed response. That history is what turns audits from an annual fire drill into routine maintenance.
What you end up with
Section titled “What you end up with”- A requirement-to-evidence matrix that ties each requirement number to a specific, cited document.
- A clear, honest view of your gaps — labeled, not buried — with suggested next steps.
- An exported packet ready to hand to reviewers, who can verify every claim against the source.
- A versioned audit archive in Knowledge that makes the next round faster.
Because every match points back to a real document and every gap is stated plainly, your reviewers can trust the packet — and you can stand behind it.
Keep going
Section titled “Keep going”- Upload a file — build and curate the Knowledge collections this flow relies on.
- Choosing an assistant — set up a reusable Audit Assistant pre-loaded with your evidence.
- Export a conversation — every format and how to share the finished packet.
- Search the web — pull in an external standard or framework reference when your evidence sits outside your documents.