          Evidence Management Lifecycle for IT Compliance


          Follow how compliance evidence moves from audit planning to external review. See how audit managers, fulfillers, compliance reviewers, and auditors work together to collect, verify, and lock evidence in a traceable workflow.

          Required Editions

          Available in: Lightning Experience
          Available in: Enterprise, Performance, and Unlimited Editions with Agentforce IT Service.

          Follow the lifecycle of a compliance evidence request to see how status transitions, artifact verification, and role-based ownership work together to create an auditable trail from evidence collection through external review.

          Planning and request creation

          Cumulus Bank's audit program manager creates a Compliance Audit record for the upcoming review: GMRI-2026 Resilience & Storage Compliance Audit - Q3. The audit type is set to Internal Audit, the observation window runs from July 1 through September 30, and the execution window is October 5 through October 15.

          Under this audit, the manager creates an evidence request: Provide proof that all production S3 buckets use server-side encryption. The request is assigned to Jordan Chen, a cloud infrastructure engineer, with a due date tied to the audit timeline. The manager advances the request status from Draft to Sent to Client, which sends Jordan a notification and adds the request to Jordan's Evidence Hub queue.

          Fulfillment and artifact creation

          Jordan goes to the Evidence Hub app and opens the assigned request. Reading the instructions, Jordan understands that the auditor needs an export showing encryption settings for all production S3 buckets. Jordan creates a new evidence artifact on the request: AWS S3 Bucket Encryption Configuration Export, and sets the classification to Confidential.

          After pulling the configuration export from AWS Config, Jordan uploads the CSV file to the artifact's Files tab and changes the artifact status from Draft to Submitted. The compliance team is notified that the evidence is ready for review.

          Review and verification

          Rachel Anderson, the IT compliance analyst, opens the artifact from the evidence request's Artifacts tab. She clicks into the Files tab and opens the CSV in the evidence artifact previewer, which renders the file inline without requiring a download. Scanning the export, Rachel confirms that every production bucket in the list shows Encryption: AES-256.

          Satisfied that the evidence meets the compliance requirement, Rachel sets the artifact status to Verified - Accepted. The artifact record and all attached files immediately lock, becoming read-only. No further edits to the artifact or its files are allowed.

          Rejection and resubmission

          In an alternate scenario, suppose Rachel's review reveals that three buckets in the us-west-2 region show no encryption. Rachel sets the artifact status to Verified - Rejected and fills in the Observation Statement field with feedback: 3 buckets in us-west-2 region show no encryption (bucket-analytics-staging, bucket-logs-raw, bucket-temp-uploads). Please remediate and resubmit evidence after encryption is enabled.

          Jordan receives a notification, remediates the encryption gaps, pulls a fresh AWS Config export, and creates a new artifact with the corrected evidence. This time, Rachel verifies that all buckets are encrypted and accepts the artifact.
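The review check and rejection feedback described above can be scripted so that it does not depend on scanning the CSV by eye. This is an added example, not Salesforce or AWS code. The column names (`bucket`, `region`, `environment`, `encryption`) and the sample rows are constructed assumptions, so adjust them to the headers of the actual export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are assumed, not the AWS Config schema.
SAMPLE_EXPORT = """bucket,region,environment,encryption
bucket-customer-data,us-east-1,production,AES-256
bucket-analytics-staging,us-west-2,production,
bucket-logs-raw,us-west-2,production,NONE
bucket-temp-uploads,us-west-2,production,
bucket-dev-scratch,us-west-2,development,
bucket-statements,us-east-1,production,aes-256
"""

ACCEPTED = {"AES-256"}  # the value the reviewer looks for in the scenario
REQUIRED = {"bucket", "region", "environment", "encryption"}


def review_export(csv_text, environment="production"):
    """Return (artifact_status, observation_statement) for one export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export lacks columns: {sorted(missing)}")
    failures, checked = defaultdict(list), 0
    for row in reader:
        # Only buckets in the requested environment are in scope.
        if (row["environment"] or "").strip().lower() != environment:
            continue
        checked += 1
        if (row["encryption"] or "").strip().upper() not in ACCEPTED:
            region = (row["region"] or "unknown").strip()
            failures[region].append((row["bucket"] or "").strip())
    if checked == 0:
        # An empty or wrongly filtered export proves nothing; never accept it.
        raise ValueError(f"no {environment} buckets found in export")
    if not failures:
        return "Verified - Accepted", ""
    parts = []
    for region, buckets in sorted(failures.items()):
        noun = "bucket" if len(buckets) == 1 else "buckets"
        names = ", ".join(sorted(buckets))
        parts.append(f"{len(buckets)} {noun} in {region} region do not show AES-256 ({names})")
    return "Verified - Rejected", "; ".join(parts) + "."


if __name__ == "__main__":
    print(review_export(SAMPLE_EXPORT))
```

The returned text is a draft for the Observation Statement field. The reviewer still sets the artifact status in the product.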

          Request closure

          Once all artifacts linked to the evidence request have been verified and accepted, the audit program manager marks the request itself as Accepted. The request, all its linked artifacts, and the parent audit remain accessible for reporting and external review.

          Audit trail and external review

          When the external auditor arrives to perform the compliance audit review, they sign in to the Evidence Hub with a user account that has read access to the compliance records. The auditor navigates to the compliance audit's Evidence tab and reviews each evidence request and its verified artifacts. They open Jordan's S3 encryption artifact, preview the CSV inline, and see the same evidence Rachel accepted.

          Because the artifact was locked at the moment of verification, the auditor has confidence that the file hasn't been altered since the compliance team approved it. The full artifact history—who submitted it, when, who verified it, and any rejection feedback—provides a complete chain of custody that satisfies the compliance reporting requirements.

           
          Salesforce Help | Article