Collect Regulatory Evidence
How to systematically collect, organize, and maintain regulatory evidence in CoComply — ensuring that governance artifacts are audit-ready, tamper-evident, and immediately retrievable during examinations or internal audits.
Understand What Counts as Regulatory Evidence
Regulatory evidence for data governance purposes falls into four categories: policy evidence (documents showing that a policy exists and has been approved), control evidence (records showing that a control was executed), attestation evidence (records showing that a person affirmed the accuracy or completeness of data), and finding evidence (records showing that a deficiency was identified and remediated). CoComply generates and stores evidence in all four categories automatically as part of its normal governance workflows — but only if the workflows are actually used. Evidence collection starts with workflow adoption.
- Review CoComply's evidence vault at the beginning of each quarter to confirm evidence is being generated for all active governance workflows.
- For legacy controls that predate CoComply adoption, import historical evidence (PDFs, Excel files, emails) into CoComply's evidence vault as baseline documentation.
- Evidence that lives in email inboxes or shared drives is not audit-ready. Migrate it into CoComply.
Configure Your Evidence Taxonomy
CoComply's evidence vault uses a tag-based taxonomy to organize evidence by regulatory citation, data asset, finding, and policy reference. Before collecting evidence at scale, configure your taxonomy: define your regulatory citation categories (BCBS 239, FFIEC, OCC guidance, SR 11-7, etc.), your control categories, and your organizational hierarchy (by Line of Business, Division, or legal entity). A well-configured taxonomy means a regulatory examiner can retrieve all evidence related to a single control in seconds.
- Align your taxonomy to the OCC's Examination Handbook categories; this speeds up document production for examiners.
- Use CoComply's bulk tagging feature to apply taxonomy tags to existing evidence records rather than re-uploading documents.
- Assign a Taxonomy Steward role in CoComply — one person responsible for maintaining consistency across evidence tags.
Collect Attestation Evidence via CoComply Workflows
The highest-value regulatory evidence CoComply produces is attestation evidence — timestamped, IP-logged records showing that a named data owner confirmed the accuracy of a Critical Data Element or regulatory report. Attestation evidence is generated automatically every time a certification cycle is run. Your job is to ensure certification cycles are run on schedule. In CoComply, set up recurring certification schedules in the Certify module aligned to your filing calendar — quarterly for Call Reports, annually for FFIEC assessment cycles, and on-demand for any ad hoc regulatory requests.
- Attestation records include the attester's name, title, timestamp, IP address, and the specific CDE or report they attested to — all immutable.
- For institutions under heightened supervisory scrutiny, run monthly mini-certification cycles on Tier 1 CDEs to build a dense evidence trail.
- Examiners respond strongly to attestation records — they show that governance is operationalized at the individual accountability level, not just at the policy level.
Link Evidence to Findings and Policies
Raw evidence in a vault is only useful if it is connected to the right context. In CoComply, every piece of evidence should be linked to: the specific data asset or CDE it pertains to, the policy or regulatory citation it satisfies, and — where relevant — the finding it was collected to remediate. Use CoComply's link function when uploading or generating evidence to create this traceability. When an examiner asks 'show me evidence that finding X was remediated,' CoComply gives you a one-click package.
- Retroactively link evidence to findings whenever possible — even if the evidence was collected before the finding was logged in CoComply.
- For ongoing regulatory commitments (MRA responses, consent order requirements), create a dedicated Finding record in CoComply and link all related evidence to it continuously.
- Use CoComply's evidence export feature to generate a structured evidence package for any finding, CDE, or policy in a single step.
Maintain Evidence Freshness and Completeness
Stale evidence is a liability. If your most recent attestation for a Tier 1 CDE is 18 months old, an examiner will question whether your program is operational. In CoComply's Operate module, the governance metrics dashboard shows evidence age by CDE and by control. Set alerts for any Tier 1 or Tier 2 CDE whose most recent attestation is more than 90 days old. Evidence completeness — what percentage of in-scope CDEs have current evidence on file — is the single metric that best predicts examiner satisfaction with a data governance program.
- Target 95%+ evidence completeness for Tier 1 CDEs before any examination window.
- Use CoComply's Operate dashboard as a weekly governance health check — evidence gaps are cheaper to close before an exam than during one.
- If your institution is in a growth phase (acquisitions, new products), run a coverage gap analysis in CoComply quarterly to ensure new data assets are captured in the governance inventory.
Produce an Evidence Package for Examiners
When an examiner or auditor requests documentation, CoComply enables you to produce a structured evidence package in minutes. Navigate to the relevant CDE, report, finding, or policy in CoComply and use the Export Evidence Package function. The package includes all linked evidence files, attestation records, DQ check results, policy documents, and finding management records, all organized by the CoComply taxonomy and timestamped. Deliver the package as a structured ZIP or PDF to the examiner's designated document portal.
- Prepare standing evidence packages for your five most commonly examined areas (Call Report certification, model risk, BCBS 239 compliance, AML data controls, AI governance) so they are ready before the request arrives.
- Include a one-page cover memo for each package that summarizes the evidence scope, the governance framework it supports, and the CoComply module it was generated from.
- After each examination, update the evidence package templates based on examiner feedback — the next examination will ask for the same things.