Audit trails & evidence
What auditors will ask about AI-touched processes, the five-part evidence record that answers them, and evidence-by-design as the cheap alternative to Q4 archaeology.
Sometime in the next two years, an auditor will ask your team a version of: 'Walk me through how this number was produced, including the AI's role.' Teams that designed for the question answer it in minutes from logs they already keep. Teams that didn't spend a bad week reconstructing — and reconstruction under audit pressure reads as weakness even when nothing was wrong. The difference is entirely a design choice made at build time, and you've already been making it in every lab.
The five-part evidence record (per AI-touched item)
- Input — the document/data as received: the invoice PDF, the extract, the transaction set. Stored or referenceable, not 'it was in someone's email'.
- Processing — what ran: which tool, which prompt version, which model (as best your vendor discloses), when. The prompt changelog from the automation course is exactly this discipline; here it becomes control documentation.
- Output — what the AI produced, before any human touched it. Preserving the raw output (not just the corrected final) is the part teams forget, and it's the part that proves the review step does something.
- Review — who looked, what they changed, what they approved, when. The named-human-with-date discipline from every gate you've built. In control language: this is your evidence that the human-in-the-loop control operated, not just existed.
- Disposition — what happened next: posted, routed, held, escalated, recovered. The anomaly-sweep disposition log generalized to everything.
Notice the pleasant surprise: the labs already produced all five parts. The AP pipeline log, the forecast assumptions log with a named owner, the anomaly disposition log — none of it was added for audit's sake; it fell out of building the workflows properly. That's the meaning of evidence-by-design: when the workflow's normal operation produces its own audit trail, compliance costs approximately two spreadsheet columns. When evidence is a separate activity bolted on later, it costs a quarter and it's always incomplete.
The questions auditors are converging on (be ready in writing)
- Inventory: 'Where is AI used in financial processes?' — your Module 1 map, kept current, answers this. An AI use the audit discovers that finance didn't disclose is a very bad meeting.
- Change management: 'What happens when the model or prompt changes?' — the Module 1 bright line: model changes are control changes; tested and logged. Ask your vendors how they notify; put it in contracts.
- Error handling: 'What's your known error rate, and what catches errors?' — the test suites and exception lanes, with their numbers. 'We measured 3% extraction exceptions, all routed to human review' is a strong answer; 'it's very accurate' is not an answer at all.
- Access: 'Who can modify the prompts, thresholds, and rules?' — segregation applies to configuration too: the person tuning the duplicate-detection threshold shouldn't be the person who benefits from a miss. Config access is the new journal-entry access.
Once a quarter, pick one AI-touched number in a report and walk it backward yourself: report → workflow → review record → raw output → prompt version → input document. Time it. Under ten minutes with no improvisation = your evidence design works. Anything else tells you which of the five parts is thin — and rehearsing on your own schedule beats rehearsing on the auditor's.