Documentation
Learn how to use Auditrail to collect evidence, map controls, and export audit packages.
How Auditrail Works
Auditrail helps you track evidence for compliance controls across one or more security frameworks. It organizes your evidence collection and provides a clear view of what's complete, what's missing, and what needs attention.
The platform is organized around Controls and Evidence. Each control represents a requirement from your security framework. Evidence items are the documents, files, or notes that demonstrate compliance with those controls.
Your dashboard shows the overall status: how many controls are Complete, Partial, or still Missing evidence. This helps you focus on what needs attention next.
Supported Frameworks
Auditrail currently supports the following compliance and security frameworks:
ISO27001:2022
93 controls included
The international standard for information security management systems (ISMS). Covers organizational controls, people controls, physical controls, and technological controls.
This template includes 93 controls you can map evidence to.
SOC2:2023
20 controls included
Service organization control reporting framework for service providers storing customer data in the cloud. Focuses on security, availability, processing integrity, confidentiality, and privacy.
This template includes 20 controls you can map evidence to.
Each framework includes its controls pre-loaded in the system. You can select which frameworks to use for your organization and map evidence across multiple frameworks simultaneously.
The Audit Flow
The typical workflow in Auditrail follows these steps:
Create Evidence
Start by adding evidence to your collection. Evidence can be files you upload, text you write, or links to external resources.
Map Evidence to Controls
Link your evidence to the relevant controls. One piece of evidence can support multiple controls, and one control can have multiple pieces of evidence.
Review Your Status
Use the Dashboard to see which controls are complete (have evidence), partial (some evidence but may need more), or missing (no evidence yet).
Export Your Audit
When you're ready, create an export that packages all your evidence and control mappings into a downloadable snapshot for auditors or stakeholders.
Evidence Best Practices
Here are tips for effective evidence management:
- Be specific: Use clear, descriptive titles for evidence. Include dates, version numbers, or other context that makes it easy to understand what the evidence shows.
- Keep it current: Update evidence when policies, procedures, or configurations change. Old evidence may not demonstrate current compliance.
- Link appropriately: Connect evidence to all relevant controls, but don't over-link. Each control should have evidence that directly demonstrates compliance.
- Use text notes wisely: Text evidence is great for quick notes, explanations, or references. For formal documents, upload files instead.
- Organize by framework: If you use multiple frameworks, filter by framework to focus on one set of controls at a time.
Supported File Types
Auditrail accepts a wide range of file types commonly used in compliance documentation:
Documents
Text Files
Images
All files are validated by MIME type to prevent security issues. Executables and HTML files are not permitted.
Exports Explained
Exports create a snapshot of your audit state at a specific point in time. This is useful for:
- Sharing your compliance status with auditors or stakeholders
- Creating historical records of your audit progress
- Generating reports for compliance reviews
When you create an export, you can choose to export a specific framework or all frameworks. The export includes all evidence linked to the selected controls, along with the current status of each control.
Exports run in the background. You can track their status on the Exports page. When an export is complete, you can download it as a file to share or archive.
Team Collaboration
Auditrail is designed for teams. Multiple team members can collaborate on evidence collection and control mapping within your organization.
Organization Isolation
Each organization's data is completely isolated from others. Evidence, controls, and exports are scoped to your organization and never visible to other organizations.
Team Members
Invite team members to your organization. All members can view and manage evidence, map controls, and create exports. Changes are visible to all team members in real time.
Audit Trail
The system maintains a complete audit trail of all changes, including who created or modified evidence items, when controls were mapped, and when exports were generated.
Frequently Asked Questions
What does "Missing" mean for a control?
A control is marked as Missing when it has no evidence linked to it. This means you haven't yet provided documentation to demonstrate compliance with that control requirement.
What's the difference between "Complete" and "Partial"?
Complete means the control has evidence that fully demonstrates compliance. Partial means some evidence exists, but it may be incomplete or insufficient to fully satisfy the control requirement. Review partial controls to see what additional evidence might be needed.
Can I link one evidence item to multiple controls?
Yes. One evidence item can support multiple controls. For example, a security policy document might demonstrate compliance with several related controls. Simply link the evidence item to each relevant control.
What types of files can I upload as evidence?
You can upload various file types including documents (PDF, Word, etc.), images, spreadsheets, and more. The system preserves the original file for your records.
How do I know what to do next?
Check your Dashboard for the "next action" recommendation. This suggests the most logical next step based on your current audit status, such as adding evidence, mapping controls, or creating an export.
Can I edit or delete evidence?
Yes, you can edit evidence to update its content, title, or description. You can also delete evidence if it's no longer needed. Deleting evidence will remove it from any controls it was linked to.
What happens if an export fails?
If an export fails, you'll see an error status on the Exports page. You can try creating a new export, or check if there are any issues with your evidence or control mappings that might have caused the failure.