Preparing decision evidence for an audit
When a review arrives — internal audit, regulator, due diligence, dispute — the questions are always the same: who approved this, when, on what basis, and can you prove the record hasn’t changed since. The expensive part is reconstructing answers you could have been recording all along.
What reviewers actually ask
- Authority: who made the call, and were they entitled to?
- Process: did the decision follow your own stated policy — the right approvals, in the right order?
- Basis: what information and alternatives were considered at the time?
- Integrity: is the record contemporaneous, and can you show it hasn’t been altered since?
- Follow-through: did what was approved actually happen?
Why reconstruction fails
Most organisations answer audits by archaeology: exporting email threads, scrolling chat history, and interviewing whoever is left. It’s slow, and it’s weak — threads show discussion, not approval; documents are editable after the fact; and the person who knew the basis for the call may have left. Evidence assembled after the question is asked is always worth less than a record made at the time.
What good decision evidence looks like
| Property | In practice |
|---|---|
| Contemporaneous | The record was created when the decision was made — not reconstructed for the audit. |
| Attributed | Named driver, named approver, named reviewers — roles, not “the team”. |
| Complete | The decision, the why, the alternatives rejected, the policy route it followed. |
| Tamper-evident | History is append-only; every edit, approval, and bypass is itself on the record. |
| Exportable | You can hand the reviewer a package, not a screen-share of your chat history. |
Preparing before the request arrives
- Inventory your decision types. Which kinds of decisions would a reviewer care about — spend over a threshold, data handling, security exceptions, vendor selection?
- Write the approval policy down. Who must sign each type, in what order, and what triggers escalation or re-approval.
- Centralise the records. One system of record beats five tools and a folder convention — especially under time pressure.
- Test the export. Run the drill: pick last quarter’s riskiest decision and assemble its evidence. Time it. That’s your audit readiness.
How Traceway implements this
Traceway writes every decision to an insert-only, tamper-evident history — approvals, edits, and bypasses included — with roles routed by decision type, so following your policy and proving you followed it are the same act. When the review comes, you export the evidence instead of reconstructing it.
Stop losing the why.
Traceway is the system of record for decisions — AI capture, real governance, an audit-grade trail, and a chain from strategy to the work. Coming 2026.
Join the waitlist →