## Minimum evidence set

| Domain | Evidence |
| --- | --- |
| Access | Member history, roles, and access changes |
| Operations | Executed runbooks and incident timelines |
| Fiscal | Reconciliation records, document states, and justifications |
| Changes | Changelog entries with impact and rollback context |

## Retention rules (guidance)

- Preserve relevant operational logs for the period required by your organization policy.
- Ensure supporting records are versioned and have explicit ownership.
- Keep proof of access reviews and critical approvals.

## Frequent audit questions

1. Who approved changes impacting billing?
2. How is idempotency enforced for critical events?
3. Which procedure was used for incidents with fiscal impact?
4. How is month-end reconciliation verified?

<Note title="Core principle">Audit readiness does not start on audit day. It starts in process design and weekly execution discipline.</Note>
