Skip to main content
Evidence is the proof that your controls are implemented and operating effectively. Auditors do not take your word for it — they want screenshots, logs, configuration exports, and reports. Regentra streamlines evidence collection with both automated and manual workflows.

Automated Evidence via Integrations

When you connect integrations like Microsoft Entra ID, AWS, GCP, or Level.io, Regentra can pull evidence automatically and attach it to the relevant controls.
  • MFA enrollment status for all users
  • Conditional access policy configurations
  • User provisioning and de-provisioning logs
  • Group membership and role assignment snapshots
Automated evidence is refreshed on a schedule. Regentra pulls fresh data from connected integrations so your evidence stays current without manual effort.

Manual Evidence Upload

Not everything can be automated. For controls that require human-generated evidence, you can upload files or add links directly.
1

Open the control

Navigate to the control that needs evidence and open its detail page.
2

Go to the Evidence section

Scroll to the Evidence tab on the control detail page.
3

Upload or link

Click Add Evidence and choose:
  • Upload file — PDFs, screenshots, spreadsheets, configuration exports, or any relevant document
  • Add link — URL to an external dashboard, monitoring tool, or shared document
4

Add context

Provide a description of what the evidence demonstrates and how it relates to the control.
Common types of manual evidence:
  • Signed policy acknowledgment records
  • Meeting minutes from security reviews
  • Vendor assessment questionnaires
  • Physical security photos
  • Training completion certificates

Evidence Attached to Controls

Every piece of evidence in Regentra is attached to one or more controls. This creates a direct audit trail: Framework requirement → Control → Evidence When an auditor asks “How do you satisfy HIPAA § 164.312(a)(1)?”, you can show them the control, its implementation notes, and every piece of evidence supporting it — all in one place. Because controls map across frameworks through the CCF, evidence attached to a shared control counts toward every mapped framework. Upload once, satisfy many.

Monitoring Signals and Compliance Status

Some evidence is not a static document but a live signal — an ongoing check that something is still true. Regentra’s monitoring signals track:
  • MFA enforcement — is MFA still enabled for all users?
  • Encryption status — are storage resources still encrypted?
  • Logging configuration — are audit logs still being captured?
  • Patch compliance — are devices still up to date?
When a monitoring signal detects a change (e.g., MFA was disabled for a user), the associated control’s status is flagged for review.
A control marked as Implemented can be automatically flagged as Needs Review if a monitoring signal detects drift. This ensures your compliance posture reflects reality, not just a point-in-time snapshot.

Evidence Expiration and Refresh Cycles

Evidence does not last forever. Auditors expect to see current proof, not year-old screenshots. Regentra manages evidence freshness through:
  • Expiration dates — set an expiration on any piece of evidence. When it expires, the associated control is flagged for review.
  • Automated refresh — evidence from connected integrations is refreshed on a configurable schedule (daily, weekly, or monthly).
  • Review reminders — the dashboard highlights controls with stale or expired evidence so your team knows where to focus.
Set evidence refresh cycles to match your audit cadence. If you undergo annual SOC 2 audits, ensure all evidence has been refreshed within the audit period. For HIPAA, keep evidence current year-round since OCR investigations can happen at any time.