Audit-ready logging and decision-trail documentation for your AI systems — designed so that when an auditor asks, you can answer.
Evidence Collection is the engagement that establishes ongoing audit trails for your AI systems. We design the logging, decision documentation, and operational records required by SOC 2, ISO 42001, EU AI Act, and similar frameworks — then implement them so the evidence accumulates automatically. The work survives the engagement: when an auditor arrives in 18 months, the evidence is already there.
Most AI deployments log model inputs and outputs for debugging, but not in a form that auditors recognize as evidence. Compliance frameworks expect documented decisions about model selection, recorded human oversight interactions, audit trails of model behavior changes, and evidence of risk monitoring. Engineering teams know how to log; they don't necessarily know what to log for audit purposes.
Evidence Collection bridges that gap. We design the logging and documentation framework, implement it (in advisory or implementer mode), and verify that the resulting evidence streams answer the questions auditors actually ask. The deliverable is infrastructure your auditors will recognize on first review.
Audit Question Mapping
We work with you to identify the audit questions you expect to face: framework requirements, customer due-diligence checklists, regulatory examination patterns. Each question becomes an evidence requirement.
Duration 2–3 days · Output: audit question map
Evidence Gap Analysis
Against the questions, we audit your current logging and documentation. Each requirement is rated: fully evidenced, partially evidenced, or unevidenced. Gaps drive the engagement design.
Duration 3–4 days · Output: gap analysis
Evidence Framework Design
We design the evidence collection framework: what logs to capture, how to structure them, what decision artifacts to maintain, where they're stored, how they're retained. Design respects engineering practicality — evidence that's expensive to maintain doesn't get maintained.
Duration 4–5 days · Output: framework design + approval gate
Implementation
We work with your engineering team to deploy the evidence collection: logging configurations, documentation templates, retention policies, access controls. Implementation includes testing that the evidence is actually captured under operational conditions.
Duration 7–10 days · Output: deployed framework
Validation & Handoff
We test the framework by running the audit questions through it: 'Show me the decision to use this model.' 'Show me a month of model behavior changes.' 'Show me the human oversight interactions for system X.' If the framework can't answer, we revise. Final deliverable includes runbook.
Duration 3–4 days · Output: validation report + runbook
Audit Question Map
The audit questions your framework is designed to answer, mapped to specific evidence requirements. Useful as ongoing reference for audit preparation.
15–25 pages · Markdown + PDF
Evidence Gap Analysis
Current-state assessment of what's evidenced and what isn't, with severity ratings.
Gap analysis document
Evidence Framework Design
Specification of what to log, how to log it, where to store it, and how long to retain it. Framework-aligned, engineering-realistic.
Design document + configuration templates
Implementation Artifacts
Deployed logging configurations, documentation templates, retention policies — committed to your repos or delivered as patches.
Code + configuration
Audit Response Runbook
Documentation for using the evidence framework when an actual audit arrives: how to query, how to package responses, how to escalate questions.
Runbook + playbooks
Compliance Handoff Session
Working session with your compliance, security, and engineering teams to walk through the framework and runbook.
90-minute session
You're approaching a SOC 2 Type II, ISO 42001, or similar audit and your AI systems lack documented evidence trails.
Customer security questionnaires increasingly ask AI-specific compliance questions you can't answer with current logging.
An external audit revealed evidence gaps in your AI deployments and you need them closed before the next examination.
You're proactively building compliance infrastructure for AI deployments before regulatory pressure forces it reactively.
You need general compliance consulting — generalist firms cover SOC 2 / ISO work cheaper than we do. We're the right fit when the AI-specific evidence is the gap.
Your AI deployments are too small or too new for audit pressure — engagement value is proportional to audit exposure.
Your engineering team can't make changes during the engagement — implementation requires their participation.
You want pre-built evidence templates without customization — frameworks vary too much across deployments for templates alone to work.
Companion engagement that produces the framework-aligned risk documentation; Evidence Collection produces the ongoing evidence to support it.
Companion engagement that produces the internal policies the evidence framework documents adherence to.
Often pairs with Evidence Collection — Hardening produces the operational controls, Evidence Collection documents that they exist.
Evidence Collection engagements start from $22,500. Reply within 24h. NDA before scope.