Two organisations can hold evidence for the same control and not be holding the same proof. One has a PDF exported from a system three months ago, renamed, and dropped into a shared drive. The other has a timestamped, source-linked signal read directly from the system that enforces the control, with a record of when it was last refreshed and a tamper-evident trail behind it. Both will tell an auditor "we have evidence of this control." Only one of them is making a claim the auditor can independently trust. Evidence has tiers of trust, and the gap between the bottom and the top is now the difference between passing and failing scrutiny.

This is the evidence maturity ladder. It is framework-agnostic: it applies whether you answer to SOC 2, ISO 27001, NIST, a financial-sector regulator, or a healthcare authority. The frameworks are converging on the same expectation from different directions, and the organisations that have climbed the ladder are spending less effort at audit time, not more. The companion articles on continuous evidence as a continuous output and tamper-proof audit trails cover the engineering substrate. This piece is about the ladder itself: what sits on each rung, why auditors stopped treating the rungs as equal, and what makes evidence trustworthy at the top.

What sits on each rung

Rung one: uploaded files. PDFs, screenshots, exported spreadsheets, a policy document with a signature page. This is where most compliance programmes still live. The fatal weakness is not the format, it is the disconnection: an uploaded file is a copy of something that was true at the moment of export, with nothing tying it to the system it came from and nothing proving it has not been edited since. It is stale before the auditor opens it.

Rung two: structured submissions. Controlled forms and evidence claims captured inside a platform rather than emailed around. This is a real improvement: the data is typed, attributed, and time-stamped on capture. But it is still a human asserting a state of the world. The platform knows who claimed the control was operating; it does not know whether it actually was.

Rung three: connected evidence. Read-only facts pulled from the systems you already run: identity providers, ticketing systems, cloud configuration, log pipelines. The control state is observed, not asserted. This is the rung where evidence stops being a description of the system and starts being a reading of it.

Rung four: verified telemetry. Connected evidence that is also source-linked, timestamped, hash-chained, and freshness-scored. You can see where each fact came from, when it was last refreshed, and whether the record has been altered since. This is the rung where evidence becomes defensible against the question every serious auditor now asks: how do you know this is current and unmodified?

Rung five: continuous assurance. Drift, staleness, and control failures surface as signals the moment they happen, not as findings discovered at audit time. The audit becomes a verification of an already-current record rather than a reconstruction of the past. This is the top of the ladder, and it is where the regulatory direction points.

Why auditors stopped treating the rungs as equal

The auditing profession itself has moved up the ladder, which means the evidence it accepts has to move with it. The PCAOB amended its core audit-evidence standards (AS 1105 and AS 2301) to address technology-assisted analysis, letting auditors examine entire transaction populations rather than samples and test every item that meets defined criteria. The amendments are effective for fiscal years beginning on or after 15 December 2025, after SEC approval in 2024. Crucially, the same amendments make the auditor responsible for evaluating the reliability of the electronic information used. As PCAOB Chair Erica Williams put it, the changes help the standards "keep pace with changes in the use of technology." When the auditor is testing the whole population and is on the hook for where the data came from, rung-one evidence has nowhere to hide.

This is not an isolated move. "Continuous Controls Monitoring" is now a named product category that Gartner defines as technologies to reduce losses through continuous monitoring and reduce audit cost through continuous auditing of controls. SOC 2 already encodes the principle in its own structure: a Type I report attests control design at a single point in time, while a Type II report attests that controls operated effectively across a period of six to twelve months, and Type II is what enterprise customers and regulated clients actually weight. Period-of-time, operating evidence already outranks snapshot evidence in mainstream attestation. The ladder is not a Novantra invention; it is the implicit grading scheme auditors already apply.

The cost of staying on the bottom rung is not theoretical. In May 2024 the SEC charged the audit firm BF Borgers and its owner with massive fraud affecting more than 1,500 filings, imposing combined penalties of fourteen million dollars and permanently suspending both from practising before the Commission. The mechanism is the rung-one failure made literal: staff copied workpapers from previous engagements, changed only the relevant dates, and passed them off as current. Recycled, undated, unverifiable evidence is exactly what the upper rungs are designed to make impossible.

What makes proof trustworthy at the top

Three properties separate trustworthy evidence from a stack of files: it is fresh, its source is known, and tampering is detectable.

Freshness and reproducibility are now explicit requirements, not nice-to-haves. ISO 27001:2022 requires, in its monitoring and measurement clause, that the methods used produce comparable and reproducible results to be considered valid, and that documented information be retained as evidence of the results. NIST CSF 2.0, released in February 2024, added a sixth function, Govern, that elevates continuous oversight and improvement to a first-class outcome rather than a periodic task. In the EU financial sector, DORA became applicable on 17 January 2025 with no transition period, mandating ongoing operational-resilience testing and continuous monitoring of dependencies. The common thread is that proof is expected to be current and to be produced by a method you can repeat, not assembled once a year.

Tamper-evidence is the third property, and the regulatory consensus has settled on detection rather than prevention. The SEC's 2022 amendment to Rule 17a-4 permits an audit-trail approach, in which changes are logged and detectable, as an alternative to traditional write-once media. The accepted standard became: you must be able to prove a record has not been silently altered. That is precisely the guarantee a hash-chained log provides and an uploaded PDF cannot.
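To make the rung-four properties concrete (source-linked, timestamped, hash-chained, freshness-scored, as described under rung four and in the tamper-evidence paragraph above), here is a small added example of an evidence ledger. It is illustration code written for this piece, not Novantra's implementation or any product's API: the record field names, the linear thirty-day freshness window, and the sample sources and control identifiers are all assumptions constructed for the demonstration. What it shows is that a record edited after the fact fails verification at the exact index where the edit happened, and that freshness is a computed property of the record rather than something a human asserts.

```python
"""Hash-chained evidence ledger with freshness scoring (added example, not Novantra code).

Each record is source-linked, timestamped, chained to the previous record's
hash and scored for freshness. Field names and the scoring window are
assumptions made for this illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # anchor for the first link in the chain


def _canonical(obj):
    # Deterministic serialisation so identical content always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _record_hash(prev_hash, body):
    # The link covers the previous hash and this record's body, so editing any
    # earlier record invalidates every hash after it.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(_canonical(body))
    return h.hexdigest()


def append_record(chain, source, control_id, observed_at, fact):
    """Append a source-linked, timestamped fact and return the new record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {
        "source": source,                      # system the fact was read from
        "control_id": control_id,              # control the fact supports
        "observed_at": observed_at.isoformat(),  # when the reading was taken
        "fact": fact,                          # the observed control state
    }
    record = {"body": body, "prev_hash": prev_hash, "hash": _record_hash(prev_hash, body)}
    chain.append(record)
    return record


def verify_chain(chain):
    """Return (ok, index_of_first_bad_record); -1 when the chain is intact.

    Detects edited bodies, replaced hashes and reordered or removed records.
    """
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev_hash:
            return False, i
        if _record_hash(prev_hash, rec["body"]) != rec["hash"]:
            return False, i
        prev_hash = rec["hash"]
    return True, -1


def freshness_score(record, now, max_age=timedelta(days=30)):
    """1.0 when just observed, decaying linearly to 0.0 at max_age or older.

    The 30-day window is an assumed policy value, not a standard.
    """
    observed = datetime.fromisoformat(record["body"]["observed_at"])
    age = now - observed
    if age <= timedelta(0):
        return 1.0
    if age >= max_age:
        return 0.0
    return 1.0 - age / max_age


def demo():
    """Constructed sample: two readings, then a silent edit to the first."""
    t0 = datetime(2025, 6, 1, tzinfo=timezone.utc)
    chain = []
    # Sample sources and control IDs are constructed for the example.
    append_record(chain, "idp:example-sso", "AC-2", t0, {"mfa_enforced": True})
    append_record(chain, "cloud:example-config", "SC-7",
                  t0 + timedelta(days=20), {"public_buckets": 0})
    ok_before, _ = verify_chain(chain)

    # Someone edits the stored fact without re-chaining: verification fails at index 0.
    chain[0]["body"]["fact"]["mfa_enforced"] = False
    ok_after, bad_index = verify_chain(chain)

    # Second reading is 15 days old when checked 35 days after t0: half freshness.
    score = freshness_score(chain[1], now=t0 + timedelta(days=35))
    return ok_before, ok_after, bad_index, score


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the hash covers the canonical body, not a human-readable rendering: a PDF export of the same fact could be regenerated from the body, but the body itself is what the chain protects, so a renamed or re-dated export has no standing on its own.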

The same direction holds outside the Western frameworks. In the UAE, ADHICS V2 pairs an annual independent audit with quarterly self-assessment and tight breach-reporting timelines, codifying a cadence rather than a once-a-year scramble. Saudi Arabia's SAMA Cyber Security Framework expects continuous monitoring with maturity that climbs toward measured, KPI-driven oversight. Different regulators, same instruction: move up the ladder.

The architectural answer

Most tools live on rungs one and two because their architecture only ever sees what a human uploads or types. Climbing the ladder is not a process change you can will into existence on top of a binder; it is an architectural property. A platform either reads evidence from your real systems and proves where it came from, or it does not.

This is where Novantra is built to operate. Novantra's connected-evidence model reads control state from the systems you already run rather than asking your team to re-describe it, putting you on rung three by default. Novantra's verified telemetry source-links and freshness-scores those readings, and Novantra's hash-chained audit and operation ledger make every record tamper-evident, which is rung four. From there, Novantra's continuous-assurance signals surface drift and staleness as they happen, which is rung five. Because Novantra's Sovereign deployment runs this entire stack inside your own infrastructure with customer-controlled keys and database-per-organisation isolation, the climb does not cost you residency or control. For why that deployment model is the foundation rather than an add-on, see sovereign by architecture; for the discipline shift sitting above the tooling, see continuous assurance is the new compliance.

The question to ask of any governance platform is simple, and it is the question auditors are now asking of you: not "do you have evidence," but "which rung is it on." Most platforms collect compliance. The work now is to prove it.