Evidence freshness is not a pre-audit checkbox — it is a recurring discipline that scales with the number of controls you maintain. Without it, every audit cycle starts with the same discovery: the access review logs are from last year, the policy version on file was superseded three quarters ago, and the vendor certification you planned to rely on expired six months ago.
Why Stale Evidence Quietly Breaks Audits
Stale evidence rarely announces itself. It accumulates between cycles — a quarterly access review that was completed but never filed, a policy that was updated on the intranet but not in the evidence repository, a vendor SOC 2 report that was received but not reviewed for control coverage.
The cost surfaces during fieldwork. The auditor asks for evidence supporting a control, and the team begins the scramble: tracking down the system owner who approved the change, locating the archived report, reconstructing the evidence trail. Time that should be spent on review is spent on archaeology.
Stale evidence breaks audits in three ways:
| Failure mode | What happens | Prevention |
|---|---|---|
| Expired observation period | Evidence is older than the audit window | Tag each artifact with its observation period |
| Superseded artifact | The referenced policy/process no longer matches current operations | Version-track every evidence item |
| Orphaned evidence | The control changed but the evidence wasn't re-collected | Link evidence to controls; flag unmapped items |
Each failure is preventable with a repeatable freshness check. The question is what cadence to use and how to classify controls so that high-risk evidence is reviewed more often.
What "Fresh Enough" Means Per Control
Not all evidence ages at the same rate. A network firewall rule that is reviewed monthly generates fresh evidence every thirty days. An information security policy that is reviewed annually has a twelve-month observation window. Treating both on the same review cycle wastes effort on the first and risks the second.
A freshness classification uses two dimensions: the control's change frequency and the impact if evidence is stale.
| Control type | Change frequency | Impact of stale evidence | Recommended review cadence |
|---|---|---|---|
| Access reviews | Monthly or quarterly | High — expired access is a compliance gap | Quarterly |
| Change management | Continuous | Medium — missing a change breaks the control trail | Per-change, reviewed quarterly |
| Policy documents | Annually | Medium — outdated policy is still a finding | Annual, plus trigger on revision |
| Vendor evidence | Per relationship | High — expired certification is an audit gap | Quarterly or per renewal cycle |
| Incident records | Ad-hoc | Low — historical records do not expire | Per-incident, spot-check annually |
| Training records | Annual | Medium — expired training is a process gap | Annual |
The rule of thumb: if the control produces evidence on a schedule, align the freshness review with that schedule. If the control is event-driven (incidents, changes), review the evidence collection process, not the individual artifacts.
Making the Check Recurring
A recurring freshness check does not require a dedicated tool — spreadsheets can track evidence dates and flag items past their review date. But a recurring process stops working when the person who maintains the spreadsheet changes roles or the sheet accumulates more rows than anyone audits.
The discipline itself is simple, regardless of the tool:
- List every control and its current evidence artifact
- Tag each artifact with its observation period — the date range it covers
- Set the next review date based on the control's change frequency
- Review on a fixed cadence — monthly for high-change controls, quarterly for the rest
- Flag expired items — evidence past its review date is a gap until refreshed
The cadence should be driven by the control profile, not the audit calendar. A quarterly review of high-change controls means the evidence is never more than three months stale, regardless of when the next audit lands.
Escalating Low-Confidence Items
Not every stale evidence item is urgent. A training record that expired last week is less critical than an access review that was never conducted. The escalation path should distinguish between evidence that needs refreshing and evidence that signals a control failure.
| Signal | Likely cause | Action |
|---|---|---|
| Artifact past review date | Missed collection cycle | Request collection from control owner |
| Artifact exists but does not match current control design | Process changed, evidence not updated | Re-collect against current design |
| No artifact for a scoped control | New control or decommissioned evidence | Either collect or de-scope |
| Artifact references a superseded policy version | Policy updated, evidence not refreshed | Update evidence to reference current policy |
The escalation itself is a notification — the control owner receives a list of flagged items with their status and a deadline for resolution. If the deadline passes, the item escalates to the audit lead or compliance manager.
The goal is not zero stale evidence — that is unrealistic in any organisation with more than a handful of controls. The goal is no surprises: knowing which evidence is stale before the auditor asks, and having a plan to refresh it.
FAQ
How often should I review evidence for freshness?
Align the cadence with the control's change frequency. Quarterly for most controls covers the common SOC 2 observation periods. Monthly for high-change controls (access reviews, user provisioning). Annual for stable controls (policies, training programmes). The key is consistency, not speed.
What counts as stale evidence?
Evidence that falls outside its useful observation period. For a quarterly access review, the evidence is stale when the next quarter's review is due. For an annual policy, the evidence is stale twelve months from the review date. The observation period is the guide, not calendar time.
Can I automate evidence-freshness checks?
Partially. A tool can track review dates, flag expired items, and surface gaps — but the evidence itself must be reviewed by a human who understands the control. Automation handles the reminder and tracking; human judgment handles the refresh decision. If a tool tells you an access review is stale, you still need to run the review and collect the evidence.
What if evidence expires mid-cycle?
It happens. The response depends on the control's risk profile. For a high-severity control (production access, change approval), collect fresh evidence immediately and note the gap. For a medium-severity control (training records, policy attestations), plan the refresh within the current quarter and flag it in the audit readiness report. Auditors accept mid-cycle evidence gaps if they are documented and managed — the same principle of documented traceability that applies to audit scoping.
An evidence tracker that surfaces age and status turns stale-evidence surprises into routine maintenance. In Compass by Truvara, the evidence tracker grid lists every artifact, its observation period, and its current status — carried forward, updated, new, or flagged as a gap. The agent proposes freshness updates; you approve or reject each change. Compass reads the evidence you keep — it does not pull live logs from your operational stack on a schedule. Join the preview cohort.