Preparing for an audit
This page is a practical checklist for an inspection. It tells you, for the questions an auditor usually asks, exactly where the answer lives in Better Comply.
This page is for quality and compliance owners and administrators hosting an inspection. You need an admin role (Quality Admin, HR Admin, or Corporate Admin) to reach most of these surfaces.
Before the auditor arrives
- Confirm you can log in with a Quality Admin or Corporate Admin account.
- Open the audit log and confirm recent activity is present.
- Confirm at least one completed training with a signature and a certificate, so you can demonstrate the full evidence chain.
- Have your validation package and your inherited DPIA to hand.
The questions, and where to answer them
Each source below is pulled through the exporting evidence workflow in the Quality and audit area.
"Show me exactly what this person completed, and when"
Open the person's training history or the evidence record. The record references a specific, immutable training version. Because evidenced versions are frozen, the content you see is exactly what the learner completed. See Evidence and immutability.
"Did they actually sign? Prove it"
The evidence record carries the signature method, the manifestation text the person signed, the server-captured IP, the user agent, and the timestamp. The signer's IP was read on the server, not asserted by the client. See Electronic signatures.
"Show me the certificate"
The completion certificate is generated server-side and stored privately. Open it from the evidence or history view; the link is a time-limited signed URL into the private certificate store.
"Who approved this material, and could they have authored it?"
The approval is an audit entry (approve_content) with the approver and time, plus the activation entry (activate_version). The author could not have approved their own version: the system refuses a same-person approval. See Segregation of duties.
"Show me every change to this training in a date range"
Filter the audit log by the training entity and the date range. Each version creation, approval, and activation is an entry with its change reason.
"Prove this document was approved, and that people read it"
The controlled document's approval record carries the approver's signature, captured server-side and frozen after it was written. The read-and-understood acknowledgements are append-only rows, one per person per version. Both are pullable for the inspection.
"Show me a change that was logged but blocked, or a correction"
A correction never overwrites the original; it appends a new audit entry that references it. The audit log is append-only, so a deletion or edit of a regulated record is not something that can be hidden. See The audit trail.
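An added example, not part of Better Comply or its documentation: a pre-inspection self-check over an exported audit log that tests the same-person approval and append-only correction claims above and applies the entity and date-range filter. The JSON Lines layout, the field names, and the `create_version` and `correct_entry` actions are assumptions; only `approve_content` and `activate_version` are named on this page.

```python
import json
from datetime import datetime

# Constructed sample export. Field names and the "create_version" and
# "correct_entry" actions are assumptions; only approve_content and
# activate_version are named on the page.
SAMPLE_EXPORT = """\
{"id": 1, "ts": "2024-01-10T09:00:00+00:00", "action": "create_version", "entity": "training:42", "version": 3, "actor": "alice", "reason": "Annual update"}
{"id": 2, "ts": "2024-01-12T14:30:00+00:00", "action": "approve_content", "entity": "training:42", "version": 3, "actor": "bob", "reason": "Reviewed"}
{"id": 3, "ts": "2024-01-12T15:00:00+00:00", "action": "activate_version", "entity": "training:42", "version": 3, "actor": "bob", "reason": "Go live"}
{"id": 4, "ts": "2024-02-01T08:00:00+00:00", "action": "correct_entry", "entity": "training:42", "version": 3, "actor": "carol", "reason": "Typo in reason", "corrects": 2}
{"id": 5, "ts": "2024-05-02T08:00:00+00:00", "action": "create_version", "entity": "training:42", "version": 4, "actor": "alice", "reason": "Q2 update"}
"""

def load(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def in_range(entries, entity, start, end):
    """Entries for one entity with start <= ts < end (ISO 8601 strings)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e for e in entries if e["entity"] == entity
            and lo <= datetime.fromisoformat(e["ts"]) < hi]

def check_export(entries):
    """Return a list of findings; an empty list means the export is consistent."""
    findings, seen, authors, approved, prev_ts = [], set(), {}, set(), None
    for e in entries:
        key, ts = (e["entity"], e["version"]), datetime.fromisoformat(e["ts"])
        if e["id"] in seen or (prev_ts is not None and ts < prev_ts):
            findings.append(f"entry {e['id']}: out of order or duplicate id")
        if not e.get("reason"):
            findings.append(f"entry {e['id']}: missing change reason")
        if e["action"] == "create_version":
            authors[key] = e["actor"]            # remember who authored it
        elif e["action"] == "approve_content":
            if key not in authors:
                findings.append(f"entry {e['id']}: approval without creation entry")
            elif authors[key] == e["actor"]:
                findings.append(f"entry {e['id']}: author approved own version")
            approved.add(key)
        elif e["action"] == "activate_version" and key not in approved:
            findings.append(f"entry {e['id']}: activated without approval")
        elif "corrects" in e and e["corrects"] not in seen:
            findings.append(f"entry {e['id']}: correction references unknown entry")
        seen.add(e["id"])
        prev_ts = ts
    return findings
```

Any finding from `check_export` on a real export is something to resolve before the inspection, starting with whether the assumed field names match your export.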
A reference map
| Auditor question | Where to look |
|---|---|
| What exact content did they complete? | The evidence record's training version (immutable). |
| Did they sign, and from where? | The evidence record: signature method, manifestation, server-captured IP, user agent, time. |
| Where is the certificate? | The signed URL into the private certificate store, from the evidence or history view. |
| Who approved the material? | Audit log: approve_content and activate_version, with the approver and reason. |
| Could the approver have authored it? | No: the server refuses a same-person approval. |
| Every change to a training in Q1? | Audit log, filtered by entity and date. |
| Was the document approved and acknowledged? | The document approval record and the append-only acknowledgements. |
What you can state with confidence
- Every regulated change is in the audit log, written by one server function, and the most important ones are fail-loud, so there are no silent gaps.
- Signatures capture identity, meaning, and a server-side IP, and cannot be altered afterwards.
- Completed content is frozen and cannot be edited or deleted.
- The author of content cannot approve it.
What not to overstate
Better Comply provides the controls and evidence. Your validated state is yours: do not present the product as "validated" in the abstract. Point to your own validation package. See Validation and CSV.