How do you prove identity controls, not just map them?
so auditor flagged us last cycle for having controls mapped to the framework but no continuous evidence they were actually operating day to day. thats fair hit honestly, our whole process was point in time. like we'd map every control back to the framework once a year, take screenshots..., do a round of interviews, call it done.
the problem though is the second that audit closes, the evidence is already stale. control could break the next week and we wouldn't know until next year's cycle caught it, if it even did. ,,
anyone found a way to keep evidence current instead of rebuilding this whole snapshot every cycle?