← All briefings
MethodsCompliance infrastructure

Evidence collection vs executable compliance workflows: what is the difference?

Why collecting proof that a control operates is different from running the underlying compliance process, and why mature programmes often need both.

What is compliance evidence collection?

Compliance evidence collection gathers proof that a requirement or control has been implemented and is operating.

The evidence might be:

  • an access-control configuration;
  • a list of users and roles;
  • an encryption setting;
  • a policy and its approval history;
  • a training-completion report;
  • a penetration-test report;
  • an incident ticket;
  • a completed access review; or
  • a record exported from another system.

Modern compliance platforms try to collect as much of this as possible automatically. Vanta describes automated evidence collection and continuous monitoring across connected systems. Secureframe describes tests mapped to framework controls and evidence collected through integrations. Drata similarly positions continuous monitoring and evidence collection as a way to keep audit readiness current.

The programme-level question is usually:

Can we show that this control exists and operated during the relevant period?

That question is central to assurance and audits. But it is not the only evidence question an organisation faces.

What is an executable compliance workflow?

An executable workflow is the process that produces a structured outcome for one event or case.

It does more than ask someone to attach a document or mark a task complete. It expresses what information is needed, what depends on what, which conditions block completion, and what result should be retained.

Examples include:

  • a data-breach triage;
  • a supplier due-diligence declaration;
  • a conflict-of-interest disclosure;
  • an employee eligibility assessment;
  • an approval with conditional evidence requirements;
  • a consumer withdrawal request; or
  • a regulated customer intake.

An executable workflow may include typed fields, calculations, conditional sections, errors, warnings, attestations, and human judgment. Its output is a record of how the process ran in this case.

The question becomes:

Can we show what facts were provided, which version of the process evaluated them, and what happened in this instance?

That is case-level evidence.

Why is a completed task not always enough?

Suppose a control says: “High-risk suppliers receive enhanced due diligence before approval.”

An assigned task can show that someone was asked to perform a review. A completed checkbox can show that the person says it happened. An uploaded PDF may show the result.

But a reviewer may still need to know:

  • Which facts made the supplier high risk?
  • Which enhanced questions were asked?
  • Were mandatory documents present?
  • Which exceptions applied?
  • Who made the judgment?
  • Was a warning acknowledged?
  • Which version of the due-diligence method was used?

If those answers live only in free text, email, or a changing template, the evidence may be difficult to compare or reconstruct.

This does not make tasks or documents weak. They are simply a different level of structure. A task tracks responsibility. A document preserves an artefact. An executable schema preserves the model and evaluated record.

“The review was completed” is evidence of activity. “Here are the inputs, decisions, version, and outcome” is evidence of execution.

Mature programmes often want both.

How do the two layers work together?

Think of a control as the promise and the workflow as one way the promise is kept.

The compliance platform can hold:

  • the requirement and control;
  • the policy and process owner;
  • the review frequency;
  • automated tests;
  • evidence requests;
  • exceptions and remediation; and
  • the audit relationship.

The executable workflow can hold:

  • the case-specific questions;
  • conditional logic;
  • calculations and validations;
  • required rationale and attestations;
  • the completion rules; and
  • the version-bound result.

The final completion can then return to the compliance platform as evidence.

That architecture avoids two common mistakes.

The first is asking a GRC platform to become every customer-facing or operational application. The second is building isolated custom forms that produce no consistent programme evidence.

A clean integration lets each layer do its job.

What should a case-level record contain?

A useful case record should be understandable without reopening the current version of the form and hoping it has not changed.

At minimum, consider retaining:

Identity and provenance

  • the publisher or accountable organisation;
  • the form or workflow identifier;
  • the schema identifier and version;
  • the respondent or session identity where appropriate; and
  • the source or authority behind the interpretation.

Inputs

  • submitted values in their proper types;
  • uploaded or referenced evidence;
  • relevant timestamps; and
  • supporting explanations for subjective decisions.

Evaluation

  • computed values;
  • decisions and conditions;
  • warnings, notices, and blocking errors;
  • acknowledgements or attestations; and
  • any human review state.

Outcome

  • completion time;
  • completion status;
  • delivery status;
  • an immutable record identifier; and
  • signature information when signing applies.

The audit-ready compliance forms briefing explores this record in more detail.

How do you know which layer is missing?

Look at where people improvise.

You probably need better evidence collection when…

  • audit preparation starts with chasing screenshots;
  • control owners repeatedly upload the same files;
  • nobody knows whether evidence is current;
  • system configurations are checked manually;
  • controls are duplicated across frameworks; or
  • auditors cannot review evidence efficiently.

You probably need an executable workflow when…

  • an important process still relies on a generic form and a written procedure beside it;
  • people choose which follow-up questions to ask from memory;
  • submissions cannot be validated consistently;
  • current templates overwrite the history of earlier cases;
  • downstream systems receive unstructured email or PDFs; or
  • you can prove a review occurred but cannot reconstruct how it reached its result.

You probably need both when…

  • the case process is itself evidence for a programme control;
  • external participants complete the process while internal teams own the control;
  • auditors need a sample of individual records as well as programme-level evidence; or
  • the organisation wants continuous monitoring and consistent case execution.

The modern compliance stack is therefore not a contest between evidence and workflow. Evidence explains whether the programme operates. Executable workflows make an important part of that programme operate consistently in the first place.

Important

This briefing is general information about workflow design, not legal advice. Check the current law, national implementation, regulator guidance, and your specific facts before acting.