Control 3.12: Evidence Collection and Audit Attestation
Control ID: 3.12
Pillar: Compliance & Audit
Regulatory Reference: SOX 404 (Internal Controls), PCAOB Auditing Standards (AS 2201), FINRA 3120 (Supervisory Control System)
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated
Objective
Establish standardized evidence collection workflows, attestation procedures, and audit documentation practices that support regulatory examination readiness and internal audit effectiveness for Microsoft 365 Copilot governance controls, enabling the firm to demonstrate control effectiveness through verifiable, organized, and complete evidence packages.
Why This Matters for FSI
Regulatory examinations and internal audits require documented evidence that governance controls are designed effectively and operating as intended. For Copilot governance, this means demonstrating that audit logging is active, retention policies are enforced, communication compliance policies are monitoring interactions, supervisory review is occurring, and every other control in this framework is functioning as documented.
SOX Section 404 requires that management assess and report on the effectiveness of internal controls over financial reporting. For publicly traded financial institutions, this includes controls over AI-assisted financial processes. PCAOB Auditing Standard 2201 (formerly AS5) provides the framework for external auditors to evaluate internal control effectiveness. FINRA Rule 3120 requires annual testing of supervisory procedures.
Without systematic evidence collection, firms face:
- Examination failures: Inability to produce evidence of control effectiveness during FINRA or SEC examinations
- Audit findings: Internal and external auditors document control deficiencies when evidence is unavailable
- SOX material weaknesses: Missing evidence of control operation can result in material weakness findings
- Regulatory sanctions: Repeated failure to produce evidence can result in enforcement actions
Evidence collection for Copilot governance is uniquely challenging because controls span multiple Microsoft 365 admin portals (Purview, Entra, M365 Admin, SharePoint Admin, Defender) and the evidence consists of screenshots, configuration exports, log data, policy documents, and review records distributed across systems.
Control Description
This control establishes the evidence collection framework for Copilot governance, including evidence types, collection workflows, attestation procedures, evidence pack assembly, and evidence integrity measures.
Evidence Collection Framework
| Evidence Category | Description | Sources | Collection Frequency |
|---|---|---|---|
| Configuration evidence | Screenshots and exports proving controls are configured correctly | Admin portal screenshots, PowerShell exports, policy configurations | Quarterly |
| Operational evidence | Records proving controls are operating effectively | Audit logs, review records, alert data, dashboard exports | Monthly |
| Testing evidence | Results of control testing activities | Test plans, test results, exception documentation | Annually (SOX), Quarterly (FINRA 3120) |
| Attestation evidence | Signed statements confirming control status | Management attestations, supervisor certifications, reviewer sign-offs | Annually |
| Remediation evidence | Documentation of control deficiency remediation | Finding reports, remediation plans, retest results | As needed |
Evidence Pack Structure for Copilot Governance
```text
Evidence Pack: [Quarter/Year] - FSI Copilot Governance
|
+-- 01-Executive-Summary/
|   +-- executive-summary.pdf
|   +-- control-effectiveness-dashboard.pdf
|   +-- attestation-letter.pdf
|
+-- 02-Pillar-1-Readiness/
|   +-- [Evidence organized by control]
|
+-- 03-Pillar-2-Security/
|   +-- [Evidence organized by control]
|
+-- 04-Pillar-3-Compliance/
|   +-- 3.1-Audit-Logging/
|   |   +-- ual-status-screenshot.png
|   |   +-- copilot-audit-event-sample.csv
|   |   +-- retention-policy-config.pdf
|   |   +-- sentinel-integration-status.png
|   +-- 3.2-Retention-Policies/
|   |   +-- retention-policy-list.pdf
|   |   +-- retention-label-config.pdf
|   |   +-- retention-coverage-report.pdf
|   +-- [Continue for each control...]
|
+-- 05-Pillar-4-Operations/
|   +-- [Evidence organized by control]
|
+-- 06-Testing-Results/
|   +-- sox-404-testing-workpapers.pdf
|   +-- finra-3120-annual-testing.pdf
|   +-- control-testing-summary.pdf
|
+-- 07-Attestations/
|   +-- management-attestation.pdf
|   +-- cco-attestation.pdf
|   +-- ciso-attestation.pdf
|
+-- 08-Remediation/
    +-- open-findings.pdf
    +-- remediation-tracker.pdf
    +-- closed-findings-evidence.pdf
```
Evidence Types by Control
| Control | Configuration Evidence | Operational Evidence | Testing Evidence |
|---|---|---|---|
| 3.1 Audit Logging | UAL enabled screenshot; retention policy config | Sample CopilotInteraction events; event volume report | Audit completeness test results |
| 3.2 Retention | Retention policy list; label configurations | Retention status report; deletion test results | Retention coverage audit results |
| 3.3 eDiscovery | eDiscovery role assignments; case templates | Search results samples; hold status reports | Mock examination drill results |
| 3.4 Communication Compliance | Policy configurations; keyword dictionaries | Review queue metrics; disposition records | Policy effectiveness testing |
| 3.5 FINRA 2210 | Communication review workflow config | Review sampling results; violation records | 2210 compliance testing results |
| 3.6 Supervision | WSP documentation; supervisor designations | Supervisory review logs; sampling records | FINRA 3120 testing results |
| 3.7 Regulatory Reporting | Incident classification framework; report templates | Incident log; report submissions | Tabletop exercise results |
| 3.8 Model Risk | Model inventory entry; MRM documentation | Output quality metrics; bias testing results | Annual MRM assessment |
| 3.9 AI Disclosure | Disclosure policy; approved terminology guide | Marketing review records; disclosure audit | Marketing compliance review |
| 3.10 Reg S-P | Privacy notice; DLP policy configs | NPI access monitoring; incident records | Safeguard effectiveness testing |
| 3.11 Record Keeping | Record classification matrix; WORM config | Retention audit results; retrieval tests | 17a-4 compliance assessment |
| 3.12 Evidence Collection | This control's framework documentation | Evidence pack assembly records | Evidence completeness review |
| 3.13 FFIEC Alignment | FFIEC mapping documentation | Control mapping review records | FFIEC CAT assessment results |
Attestation Workflow
```text
Evidence Collection Complete
          |
          v
Quality Review (Compliance Analyst)
          |
          v
Completeness Check (Compliance Manager)
          |
          v
Accuracy Verification (Control Owner)
          |
          v
Management Attestation (CCO / CISO)
          |
          v
Evidence Pack Finalized
          |
          v
Secure Storage (Read-Only)
```
Copilot Surface Coverage
Evidence collection addresses Copilot governance controls across all surfaces:
| Copilot Surface | Key Evidence | Collection Method |
|---|---|---|
| All surfaces | CopilotInteraction audit events | Purview Audit Log export |
| Exchange/Outlook | Communication compliance results, retention status | Purview reports, policy exports |
| Teams | Meeting compliance, channel monitoring results | Teams Admin reports, Purview exports |
| SharePoint/OneDrive | DLP policy results, sensitivity label application | Purview reports, SharePoint Admin exports |
| Microsoft 365 Copilot Chat | Copilot Chat interaction logs, DLP enforcement | Purview Audit Log, DLP reports |
| Admin portals | Configuration screenshots, policy settings | Manual screenshots, PowerShell exports |
Governance Levels
Baseline
- Define the evidence types required for each Copilot governance control
- Establish a quarterly evidence collection schedule
- Assign evidence collection responsibilities to specific compliance team members
- Create a basic evidence pack template with folder structure
- Collect configuration evidence (screenshots, policy exports) for all active Copilot governance controls
- Store evidence packs in a secure, access-controlled location
Recommended
- Automate evidence collection where possible using PowerShell scripts and Purview API exports
- Implement evidence quality review procedures with documented sign-off
- Create standardized evidence collection checklists for each control
- Establish a centralized evidence repository with version control
- Conduct quarterly evidence completeness reviews
- Integrate evidence collection with the firm's GRC (governance, risk, and compliance) platform
- Implement evidence integrity controls (hash verification, timestamping)
- Generate quarterly evidence summary reports for compliance management
Regulated
- Implement fully automated evidence collection pipelines for operational evidence
- Deploy continuous control monitoring with automated evidence capture
- Establish SOX 404-aligned evidence collection for Copilot-related internal controls
- Implement PCAOB-ready evidence packages for external audit review
- Conduct annual management attestation of Copilot governance control effectiveness
- Maintain evidence chain-of-custody documentation for all evidence packs
- Implement independent verification of evidence completeness and accuracy
- Create real-time evidence dashboards for continuous compliance monitoring
- Prepare standing examination-ready evidence packs organized by regulator (FINRA, SEC, OCC, FDIC)
Setup & Configuration
Step 1: Define Evidence Requirements
- For each Copilot governance control, document:
  - What evidence is required (configuration, operational, testing)
  - Where the evidence is sourced (which admin portal, system, or process)
  - How frequently the evidence must be collected
  - Who is responsible for collection
  - What format the evidence should be in (screenshot, export, report)
- Create an evidence requirements matrix and distribute it to all responsible parties
Step 2: Create Evidence Collection Procedures
Example: Control 3.1 (Audit Logging) Evidence Collection
- Configuration evidence (quarterly):
  - Screenshot of the Purview Audit page showing "Recording" status
  - Export of audit retention policy configuration via PowerShell:
  - Screenshot of Sentinel data connector status (if applicable)
- Operational evidence (monthly):
  - Export sample of CopilotInteraction events:
  - Audit event volume report (total CopilotInteraction events in the period)
  - Any audit log gaps or anomalies identified
- Testing evidence (annually):
  - Audit completeness test: compare Copilot-licensed users against users with audit events
  - Retention test: verify that events from 6+ months ago are still accessible
  - Export test: verify that a large-scale audit data export completes successfully
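The audit completeness test above, written out as an added example (this is not one of the framework's own scripts). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, the caller can read users and the unified audit log, and that the Copilot licence carries the SkuPartNumber `Microsoft_365_Copilot` (confirm with `Get-MgSubscribedSku` in your tenant); the 90-day period and the output file name are assumptions.

```powershell
# Added example: Control 3.1 audit completeness test.
# Compares Copilot-licensed users with users that produced CopilotInteraction events.
Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All'
Connect-ExchangeOnline

$periodStart = (Get-Date).AddDays(-90)   # assumed test window
$periodEnd   = Get-Date

# 1. Users holding a Copilot licence (SKU part number is an assumption; verify per tenant)
$copilotSku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'Microsoft_365_Copilot'
$licensed = Get-MgUser -All -Property UserPrincipalName, AssignedLicenses |
    Where-Object { $_.AssignedLicenses.SkuId -contains $copilotSku.SkuId } |
    Select-Object -ExpandProperty UserPrincipalName

# 2. Users with at least one CopilotInteraction event in the period.
#    A session with ReturnLargeSet pages through the log instead of stopping at one batch.
$active = New-Object 'System.Collections.Generic.HashSet[string]'
$sessionId = "copilot-completeness-$(Get-Date -Format yyyyMMddHHmmss)"
do {
    $batch = Search-UnifiedAuditLog -StartDate $periodStart -EndDate $periodEnd `
        -Operations CopilotInteraction -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    foreach ($e in $batch) { [void]$active.Add($e.UserIds.ToLowerInvariant()) }
} while ($batch.Count -gt 0)

# 3. Licensed users with no events are the finding to explain in the testing workpapers
#    (a non-user is an acceptable explanation, a logging gap is not).
$silent = @($licensed | Where-Object { -not $active.Contains($_.ToLowerInvariant()) })
[pscustomobject]@{
    PeriodStart      = $periodStart
    PeriodEnd        = $periodEnd
    LicensedUsers    = @($licensed).Count
    UsersWithEvents  = @($licensed).Count - $silent.Count
    LicensedNoEvents = $silent.Count
} | Format-List

# Assumed output file name, stored with the annual testing evidence for 3.1
$silent | Sort-Object |
    Out-File -FilePath "3.1-AuditCompleteness-LicensedNoEvents-$(Get-Date -Format yyyyMMdd).txt"
```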
Step 3: Implement Automated Evidence Collection
Create PowerShell scripts for automated evidence collection:
```powershell
# Automated Evidence Collection Script - Copilot Governance
# Run monthly via scheduled task or Azure Automation
# Requires the ExchangeOnlineManagement module: Search-UnifiedAuditLog needs an Exchange Online
# session, and the retention / communication compliance cmdlets need a Security & Compliance session.
Connect-ExchangeOnline
Connect-IPPSSession

# Quarter folder such as 2026-Q1 (the format string 'yyyy-Q' would print a literal "Q", not the quarter)
$now = Get-Date
$quarter = [math]::Ceiling($now.Month / 3)
$evidencePath = "\\ComplianceServer\EvidencePacks\$($now.Year)-Q$quarter"
$stamp = $now.ToString('yyyyMMdd')
New-Item -ItemType Directory -Path $evidencePath -Force | Out-Null

# 3.1 - Audit Logging Evidence: sample of CopilotInteraction events from the last 30 days
$auditEvents = Search-UnifiedAuditLog -StartDate $now.AddDays(-30) -EndDate $now -Operations CopilotInteraction -ResultSize 100
$auditEvents | Export-Csv -Path (Join-Path $evidencePath "3.1-AuditEvents-$stamp.csv") -NoTypeInformation

# 3.2 - Retention Policy Evidence
$retentionPolicies = Get-RetentionCompliancePolicy
$retentionPolicies | Export-Csv -Path (Join-Path $evidencePath "3.2-RetentionPolicies-$stamp.csv") -NoTypeInformation

# 3.4 - Communication Compliance Evidence
$ccPolicies = Get-SupervisoryReviewPolicyV2
$ccPolicies | Export-Csv -Path (Join-Path $evidencePath "3.4-CommCompliancePolicies-$stamp.csv") -NoTypeInformation

# Add additional evidence collection steps for each control...
```
Step 4: Establish Attestation Process
- Define attestation scope and frequency:
  - Quarterly attestation: control operation status (CCO or delegate)
  - Annual attestation: control design and operating effectiveness (CCO and CISO)
  - SOX attestation: CEO/CFO certification of internal controls (for public companies)
- Create attestation templates, for example:

```text
Quarterly Control Attestation:
I, [Name], [Title], hereby attest that as of [Date]:
1. The Copilot governance controls documented in the FSI Copilot
   Governance Framework have been reviewed for operational effectiveness.
2. Evidence has been collected and reviewed for all controls in scope.
3. The following exceptions have been identified: [list or "None"].
4. Remediation plans are in place for all identified exceptions.
Signature: _______________
Date: _______________
```

- Route attestations through the approval chain
- Store signed attestations in the evidence pack
Step 5: Configure Secure Storage
- Create a secure file share or document library for evidence packs:
  - Access restricted to compliance team, auditors, and designated management
  - Version control enabled
  - Audit logging on all access
  - Backup and disaster recovery configured
- Apply retention policies to evidence packs:
  - SOX evidence: 7 years minimum
  - Regulatory evidence: align with underlying record retention requirements
  - Audit workpapers: per firm policy and professional standards
- Implement read-only access for finalized evidence packs
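An added example (not part of the framework) of the evidence integrity control from the Recommended level: when a pack is finalized it is sealed with a SHA-256 manifest and UTC timestamp, and the same script in `-Verify` mode performs the hash check behind Verification Step 6. The pack path and the manifest file name `MANIFEST.sha256.csv` are placeholders; the script assumes the folder layout shown under Evidence Pack Structure.

```powershell
# Added example: seal a finalized evidence pack with a hash manifest, or verify it against one.
param(
    [Parameter(Mandatory)] [string] $PackPath,   # placeholder, e.g. \\ComplianceServer\EvidencePacks\2026-Q1
    [switch] $Verify
)
$root = (Resolve-Path -Path $PackPath).Path.TrimEnd('\')
$manifestPath = Join-Path $root 'MANIFEST.sha256.csv'   # assumed manifest name
# Path relative to the pack root is the stable key for each entry
function Get-RelativePackPath([System.IO.FileInfo] $File) { $File.FullName.Substring($root.Length + 1) }
$packFiles = Get-ChildItem -Path $root -Recurse -File | Where-Object FullName -ne $manifestPath

if (-not $Verify) {
    # Seal: record SHA-256, size and the sealing time (UTC) for every file except the manifest itself
    $sealedAt = (Get-Date).ToUniversalTime().ToString('o')
    $entries = foreach ($f in $packFiles) {
        [pscustomobject]@{
            RelativePath = Get-RelativePackPath $f
            Sha256       = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            Length       = $f.Length
            SealedUtc    = $sealedAt
        }
    }
    $entries | Export-Csv -Path $manifestPath -NoTypeInformation
    # The manifest hash is the one value to record in the attestation letter and chain-of-custody log
    $manifestHash = (Get-FileHash -Path $manifestPath -Algorithm SHA256).Hash
    Write-Output "Sealed $(@($entries).Count) files; manifest SHA-256: $manifestHash"
    return
}

# Verify: every listed file must exist with its recorded hash, and no unlisted file may be present
$expected = Import-Csv -Path $manifestPath
$findings = @()
foreach ($row in $expected) {
    $full = Join-Path $root $row.RelativePath
    if (-not (Test-Path -Path $full)) { $findings += "MISSING  $($row.RelativePath)"; continue }
    if ((Get-FileHash -Path $full -Algorithm SHA256).Hash -ne $row.Sha256) {
        $findings += "MODIFIED $($row.RelativePath)"
    }
}
foreach ($f in $packFiles) {
    $rel = Get-RelativePackPath $f
    if ($expected.RelativePath -notcontains $rel) { $findings += "ADDED    $rel" }
}
if ($findings.Count -eq 0) { Write-Output 'Evidence pack integrity verified: no changes since sealing.' }
else { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
```

Run it once without `-Verify` at the "Evidence Pack Finalized" step, before the share is switched to read-only, and with `-Verify` whenever the pack is produced for an auditor or examiner.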
Financial Sector Considerations
SOX 404 Alignment for Public Institutions
For publicly traded financial institutions, Copilot governance controls that affect financial reporting processes must be included in the SOX 404 assessment:
- Identify Copilot-related controls in the ICFR scope (e.g., Copilot-assisted financial analysis, Copilot-generated disclosures)
- Include these controls in the management assessment testing program
- Prepare evidence packages in a format acceptable to external auditors
- Coordinate with PCAOB auditors on Copilot-related control testing approach
FINRA 3120 Annual Testing Integration
Evidence collection for FINRA 3120 annual testing should include:
- Documentation that Copilot supervisory procedures were tested
- Results of communication compliance effectiveness testing
- Evidence of supervisor qualifications and training completion
- Documentation of testing methodology and sample selection
- Remediation documentation for any findings
Examination Readiness
Firms should maintain "always ready" evidence packs that can be produced within 2 business days of a regulatory examination request. This requires:
- Evidence packs organized by regulator (FINRA, SEC, OCC, FDIC, state regulators)
- Pre-assembled evidence for the most commonly requested control areas
- Index documents that map evidence to specific control objectives and regulatory requirements
- Designated team members trained in evidence pack assembly and production
Evidence Quality Standards
Evidence should meet the following quality standards:
| Standard | Description |
|---|---|
| Completeness | Evidence covers the entire period and all in-scope activities |
| Accuracy | Evidence reflects the actual state of controls |
| Relevance | Evidence directly demonstrates control effectiveness |
| Timeliness | Evidence is collected within the prescribed timeframe |
| Integrity | Evidence has not been altered since collection |
| Traceability | Evidence can be traced back to its source system |
Verification Criteria
| # | Verification Step | Expected Outcome | Governance Level |
|---|---|---|---|
| 1 | Verify evidence requirements are defined for each control | Evidence matrix exists with complete fields for all Copilot governance controls | Baseline |
| 2 | Verify quarterly evidence collection schedule | Schedule is documented with assigned responsibilities | Baseline |
| 3 | Review most recent evidence pack for completeness | Evidence pack contains all required evidence types for all in-scope controls | Baseline |
| 4 | Test automated evidence collection scripts | Scripts execute successfully and produce valid evidence files | Recommended |
| 5 | Verify evidence quality review procedures | Quality review checklist is completed and signed for most recent evidence pack | Recommended |
| 6 | Test evidence integrity controls | Hash verification confirms evidence has not been modified since collection | Recommended |
| 7 | Verify SOX 404 evidence for Copilot controls | Evidence meets PCAOB auditing standard requirements | Regulated |
| 8 | Verify management attestation is current | Most recent attestation is signed and stored in the evidence pack | Regulated |
| 9 | Test examination-ready evidence production | Evidence pack for specified regulator is assembled within 2 business days | Regulated |
| 10 | Verify independent evidence completeness review | Independent review is documented with findings and remediation | Regulated |
Additional Resources
- SOX Section 404 (Internal Controls)
- PCAOB Auditing Standard 2201 (Integrated Audit)
- FINRA Rule 3120 (Supervisory Control System)
- COSO Internal Control Framework
- Microsoft Purview Compliance Manager
- Control 3.1 -- Copilot Interaction Audit Logging
- Control 3.6 -- Supervision and Oversight
Related Controls: 3.1 Copilot Audit Logging, 3.11 Record Keeping, 3.13 FFIEC Alignment
FSI Copilot Governance Framework v1.2.1 - March 2026