Evidence & findings

Evidence and findings are where governance stops being a claim and becomes something you can prove. Gamut treats both as first-class objects, captured as work happens rather than gathered in a rush at audit time.

Evidence is any artefact that supports a governance claim: a document, export, log, screenshot or record. In Gamut, evidence is managed as a request-based workflow rather than a folder of files. An evidence request carries:

  • A request title and description, tied to a specific control.
  • The expected evidence type, so the owner knows what will satisfy it.
  • A named owner and due date.
  • A status as it moves from requested to fulfilled.
  • A quality rating and review notes, so weak or missing evidence is visible rather than assumed.

Linking evidence to controls is what creates traceability: a reviewer can move from a control to the evidence behind it without hunting through shared drives. And because requests are tied to controls and owners, the evidence base builds continuously as governance work happens, instead of being chased at the end of a cycle.

A finding records a gap, deficiency or exception identified during assessment, control testing or audit. Each finding is a structured record:

  • A title, description and finding category.
  • A severity: low, medium, high or critical.
  • A root cause and a recommendation.
  • A management response, a named owner and a target date.
  • A status as it moves toward closure, with closure notes, a "validated by" field and a validated date, so closure is verified, not just asserted.
  • Links to the control test and evidence request it arose from.

Recording findings honestly is more valuable than an unsupported pass: it gives leadership a true picture and gives reviewers confidence that governance is real.

Remediation is the closure path for a finding. Keeping remediation visible, with an owner, a target date and a validated closure, turns findings from a list of problems into a managed improvement programme, and gives the Improve stage of the lifecycle something concrete to track over time.

Evidence and findings complete the chain that makes Gamut defensible:

control → control test → evidence request → finding → remediation → validated closure

Any conclusion in a report can be followed back through this chain to the underlying records, and every change along it is captured in the audit log.