Trust CentreAuditability & Traceability

Auditability & traceability

This page explains how SIFTR supports auditability, traceability and review of CAF evidence mapping outputs.

Auditability is a core requirement of CAF-aligned assurance. SIFTR is designed to ensure that outputs can be examined, challenged and revisited over time.

Auditability by design

SIFTR is built to ensure that every result can be traced back to:

  • The documents included in scope
  • The specific CAF outcomes assessed
  • The quoted evidence used to support coverage
  • The point in time the assessment was performed

This enables users to understand what was assessed, how it was assessed, and on what basis.

What SIFTR records

For each assessment, SIFTR records:

  • The CAF version used
  • The CAF outcomes included in scope
  • The documents selected for analysis
  • The date and time the assessment was run

This provides a clear record of the assessment context.

Evidence traceability

For each CAF outcome, SIFTR presents:

  • The evidence coverage classification (Strong, Partial or None)
  • The primary supporting quotation, where evidence exists
  • The source document reference
  • Where available, a page reference from the source document
  • A short rationale explaining why the classification was applied

All quotations are taken directly from the source documents. No paraphrasing or inferred evidence is used.

Handling multiple evidence sources

CAF outcomes may be supported by evidence across multiple documents.

SIFTR identifies evidence at document level and aggregates it at outcome level.

Where multiple documents contain relevant evidence:

  • The strongest defensible evidence determines the overall coverage classification
  • A primary quotation is presented to support review
  • Additional supporting evidence may be available for reference

This approach reflects how human assessors review evidence across document sets.

Treatment of gaps

Where no explicit evidence is found across the uploaded documents, the outcome is reported as None.

Surfacing gaps is a deliberate design choice.

Identifying missing or incomplete evidence supports:

  • Internal assurance planning
  • Targeted document improvement
  • Clear articulation of risk and uncertainty

Repeatability over time

SIFTR outputs represent a point-in-time view based on the documents provided.

Because governance documentation evolves, SIFTR supports reassessment by:

  • Recording assessment context and scope
  • Applying consistent mapping logic across runs
  • Allowing users to rerun assessments as documents are updated

This supports trend analysis and governance improvement over time.

Human review and challenge

SIFTR outputs are designed to be:

  • Reviewed by security and governance professionals
  • Challenged where interpretation or context requires clarification
  • Supplemented with additional evidence or judgement

SIFTR does not lock outcomes or prevent human override. Final accountability always remains with the organisation.

Use in assurance and reporting

SIFTR outputs may be used to support:

  • Internal CAF self-assessment
  • Governance reviews and committee reporting
  • Preparation for external assurance or audit
  • Evidence collation for regulatory engagement

SIFTR does not provide certification or formal assurance statements.

Transparency commitments

SIFTR is committed to transparency in how assessments are produced.

Changes to assessment behaviour, scope or methodology will be reflected in this Trust Centre to ensure users can understand and evaluate the impact.

Last updated: January 2026

Security & Data Protection
© 2026 SIFTR PBC. All rights reserved.