How-to
Tracing from framework to evidence (the auditor walk)
Step by step: how to answer the question "show me how you comply with ISO 27001 A.8.5".
This is the classic external-auditor question. The walk goes framework section → controls → tests → evidence → (optionally) linked policies.
1. Start in the framework. Open Frameworks → ISO 27001:2022 (or whichever). The detail view shows each section with a control-count and compliance %. Click into the section of interest, e.g. A.8.5 Secure authentication.
2. Follow the control mappings. The gap analysis lists how many controls are mapped to that section and how many are implemented. Open any mapped control (e.g. IA-02 Multi-factor authentication) from the Controls library.
3. Check the test history. On the control detail modal, the "Test history" panel shows date, result, type (manual/automated/hybrid), tester, and notes. A control marked "implemented" with no tests, or whose most recent test is old or failed, is a yellow flag: the status is then an assertion with nothing behind it, and the auditor will ask what it is based on.
4. Open the backing evidence. Evidence attached to either the test (via evidence_ids) or the control (via control_id on the evidence record) is what the auditor actually asks for — SSO config screenshot, MFA enforcement policy PDF, Okta access report CSV, etc. Download it from the Evidence page.
5. Cross-reference the policy. If the control implements a policy-level commitment ("all staff must use MFA"), the Policies view modal for that policy has a "Linked controls" panel. Auditors like seeing both sides of the link.
6. Point at acknowledgments. If the related policy has a published attestation campaign, the campaign progress and per-user acknowledged_at + IP is defensible evidence that the workforce received and accepted the requirement.
A well-linked tenant turns this walk into a 5-minute guided tour. A poorly linked tenant turns it into a spreadsheet hunt.
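The same walk, expressed as code so the linkage rules are explicit. This is an added example, not the product's own code: apart from evidence_ids, control_id and acknowledged_at, which the steps above name, every field and record name below is an assumption about what a tenant export might look like, and the section, controls, tests, evidence and policy records are constructed sample data. It goes slightly beyond the steps by also flagging a control with no evidence or a failed latest test, and by reporting attestation coverage against workforce size.

```python
"""Added example: walk one framework section to its controls, tests, evidence,
linked policies and attestation records, and flag the gaps an auditor would.

Only evidence_ids, control_id and acknowledged_at come from the page; all other
field names are assumptions, and the records are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Test:
    control_id: str
    date: str
    result: str                 # "pass" / "fail"
    kind: str                   # "manual" / "automated" / "hybrid"
    tester: str
    evidence_ids: list = field(default_factory=list)


@dataclass
class Evidence:
    id: str
    title: str
    control_id: str = ""        # set when evidence is attached directly to a control


@dataclass
class Policy:
    id: str
    title: str
    acknowledgments: list = field(default_factory=list)  # (user, acknowledged_at, ip)
    workforce: int = 0          # assumed: number of users in the attestation campaign


@dataclass
class Control:
    id: str
    name: str
    status: str                 # "implemented" / "partial" / "not implemented"
    policy_ids: list = field(default_factory=list)


# --- constructed sample tenant (not real data) --------------------------------
SECTIONS = {"A.8.5": {"title": "Secure authentication", "control_ids": ["IA-02", "IA-05"]}}
CONTROLS = {
    "IA-02": Control("IA-02", "Multi-factor authentication", "implemented", ["POL-07"]),
    "IA-05": Control("IA-05", "Authenticator management", "implemented"),  # no tests
}
TESTS = [
    Test("IA-02", "2024-03-01", "pass", "automated", "svc-okta-sync", ["EV-1"]),
    Test("IA-02", "2024-06-01", "pass", "manual", "j.doe", ["EV-2"]),
]
EVIDENCE = {
    "EV-1": Evidence("EV-1", "Okta access report CSV"),
    "EV-2": Evidence("EV-2", "SSO config screenshot"),
    "EV-3": Evidence("EV-3", "MFA enforcement policy PDF", control_id="IA-02"),
}
POLICIES = {
    "POL-07": Policy("POL-07", "All staff must use MFA",
                     [("j.doe", "2024-05-02T10:14:00Z", "203.0.113.7"),
                      ("a.lee", "2024-05-03T08:02:00Z", "203.0.113.9")], workforce=4),
}


def walk(section_key):
    """Return the auditor walk for one framework section, one dict per control."""
    report = {}
    for cid in SECTIONS[section_key]["control_ids"]:
        control = CONTROLS[cid]
        tests = sorted((t for t in TESTS if t.control_id == cid), key=lambda t: t.date)
        # Evidence is reachable two ways: via a test's evidence_ids, or via
        # control_id on the evidence record itself.
        ev_ids = {e for t in tests for e in t.evidence_ids}
        ev_ids |= {e.id for e in EVIDENCE.values() if e.control_id == cid}
        flags = []
        if control.status == "implemented" and not tests:
            flags.append("implemented but never tested")
        if control.status == "implemented" and not ev_ids:
            flags.append("no backing evidence")
        if tests and tests[-1].result != "pass":
            flags.append("latest test failed")
        policies = {}
        for pid in control.policy_ids:
            p = POLICIES[pid]
            policies[pid] = {"title": p.title,
                             "acknowledged": len(p.acknowledgments),
                             "workforce": p.workforce,
                             "complete": p.workforce > 0 and len(p.acknowledgments) == p.workforce}
        report[cid] = {"name": control.name, "status": control.status,
                       "tests": len(tests), "evidence": sorted(ev_ids),
                       "policies": policies, "flags": flags}
    return report


if __name__ == "__main__":
    for cid, row in walk("A.8.5").items():
        print(cid, row["name"], row["flags"] or "ok", row["evidence"])
```

Run against the sample tenant, IA-02 resolves cleanly to three evidence items and a half-complete attestation campaign, while IA-05 is the "implemented with nothing behind it" case the steps above warn about; in a real tenant the same query run over every section of the framework is a quick way to find the spreadsheet hunts before the auditor does.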