M17Mission17
Run applicability check
Docs/Operational guide

How to structure audit-ready evidence

"Audit-ready" doesn't mean polished. It means an outside reviewer can reconstruct, in under an hour, where every number came from, who calculated it, and which version of the methodology was used.

Why this matters

Most SMEs already have the evidence — it's just scattered across inboxes, drives and spreadsheets. The work isn't gathering more data; it's making the existing data findable, traceable and versioned.

Who is concerned?

  • Compliance, finance and operations teams owning declarations and reports.
  • Quality and ESG leads facing customer or auditor reviews.
  • Founders and CFOs preparing for due diligence.

Key operational implications

  • Every number in a declaration must trace back to a source file.
  • Methodologies must be versioned and timestamped.
  • Supplier letters and certificates must be stored, not summarized.
  • Calculations must be reproducible — the formula matters as much as the result.
  • Access and modification history must be available.

Common mistakes

Numbers without sources

A figure in a report with no underlying file is the single most common audit failure.

Overwriting spreadsheets

Without versioning, you lose the audit trail the moment someone updates a tab.

Email-as-storage

Supplier evidence sitting in a personal inbox disappears when that person leaves.

Only the final PDF

Auditors want the working files behind the PDF, not just the PDF.

Recommended folder structure

/compliance
  /cbam
    /2025-Q3
      /declaration
        declaration_v3_final.pdf
      /calculations
        embedded_emissions_v3.xlsx
      /supplier-evidence
        supplier-A_letter_2025-08-12.pdf
        supplier-B_iso14064_2025.pdf
      /methodology
        methodology_v2_2025-06.md
  /ppwr
  /espr

Naming conventions

  • Use ISO dates (YYYY-MM-DD), never local formats.
  • Include version numbers in filenames (v1, v2, v3_final).
  • Prefix with the supplier or product code where relevant.
  • Avoid spaces — use dashes or underscores.

Typical evidence gaps

  • Missing methodology version for older declarations.
  • Supplier emails referenced but not attached.
  • Calculations only available as PDF, not as working file.
  • No clear owner per evidence folder.

What companies should do next

  • Define a single evidence vault location (one drive, one tool — not three).
  • Adopt a consistent folder structure per regulation and per period.
  • Lock methodologies as versioned documents.
  • Tie every declaration line to a source file.
  • Run a 1-hour mock audit each quarter.

Mission17 can help with

Operational support

  • Structured evidence vault with regulation-specific schemas.
  • Automatic linking between declarations, calculations and source files.
  • Methodology versioning with full change history.
  • Mock audit reports highlighting evidence gaps.

Related guides

Audit preparation checklist
Evidence checklists
How to request supplier emissions

Get operational

Find out exactly which EU sustainability rules apply to your company — in 6 minutes.

No legal jargon. No long report. A clear, prioritized list of what to do next.

Run applicability checkBack to all docs