Definition
Attestations fail when they are spreadsheets. Governed attestations succeed when exceptions are owned, approvals are recorded, and evidence artifacts are queryable by control, owner, and time.
Impact
Results teams are seeing
- Evidence completeness: ↑ 90%+ (ledger + gate requirements)
- Audit prep time: ↓ 30–60% (queries instead of archaeology)
- Exception aging: ↓ 20–40% (owned exceptions + SLAs)
Capabilities
What you can do with Process Designer
Evidence ledger as system of record
Track attestation artifacts by control, owner, version, and time.
Exceptions are governed
Exceptions require approvals and mitigation evidence, not chat messages.
Recertification is a workflow
Renewal windows and drift triggers are built-in and measurable.
HEIDI prompts proof
Guidance ensures teams attach the right evidence at the right step.
Use cases
Where teams apply Process Designer
Real workflows that benefit from visual design, automation, and governance.
- Control-to-evidence mapping
- Approval gates for exceptions
- Evidence ledger and completeness scorecards
- Recertification and drift loops
Each is a reusable pattern with clear ownership, approvals, and evidence artifacts, designed to scale across teams.
How it works
From chaos to clarity in 4 steps
Map controls to evidence
Define what proof is required per control and where it is produced.
Run attestations as missions
Owners receive tasks; exceptions route approvals and mitigation evidence.
Close with ledger artifacts
Attestation records and evidence attachments are stored as queryable objects.
Recertify and detect drift
Renewals trigger re-checks; drift signals route remediation to owners.
Implementation
Your path to process excellence
A phased approach that delivers value at each step.
Week 1
Backbone workflow + evidence map
Pick one workflow, map decision points, and define the minimum evidence backbone.
- Select two focus areas as your pilot: Control-to-evidence mapping + Approval gates for exceptions
- Define decision points, owners, and approval gates
- Create evidence artifacts for: attestation_record (control, owner, timestamp) + approval_record for exceptions
Month 1
Operationalize and measure
Run the workflow with teams, capture evidence, and publish dashboards for outcomes + drift.
- Publish dashboards for: Completion rate by control family + Exception rate and aging
- Standardize exception codes and escalation rules
- Create remediation loop: red items → owner → SLA → closure evidence
Quarter 1
Scale patterns across departments
Reuse the patterns across adjacent workflows and reduce variance without adding bureaucracy.
- Expand to remaining focus areas: Evidence ledger and completeness scorecards, Recertification and drift loops
- Add automation where stable, but keep approvals and evidence as first-class steps
- Review monthly: drift signals, exceptions, and evidence completeness
Industries
Tailored for your industry
IT Ops / Security
Challenge
Fast change and frequent incidents create drift and evidence gaps.
How we help
Governed workflows with evidence trails keep reality and documentation aligned under change.
Example: Incident response + change approvals
Regulated services
Challenge
Evidence trails and approvals are non-negotiable, but teams need speed.
How we help
Evidence by design reduces audit burden while keeping teams fast with standard exception patterns.
Example: Access requests + approvals
Control → decision point → evidence artifact
| Control | Decision point | Evidence artifact |
|---|---|---|
| Access reviews | exception approved? | approval_record + exception_record |
| Change control | change validated? | validation_evidence + version_log |
| Incident response | postmortem complete? | postmortem_id + closure evidence |
Exception handling that auditors accept
Define exception codes, require mitigation, capture approvals, and assign SLAs. Exceptions without owners become permanent risk.
Scorecards that predict audit pain
Track evidence completeness and exception aging. These two metrics predict audit prep effort better than “percent complete” checklists.
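The two scorecard metrics above, computed over a small ledger, as an added example that is not Process Designer code. The required-artifact map comes from the table; the record fields, the 30-day SLA, and the definition of completeness (required artifacts present with a named owner) are assumptions.

```python
from datetime import datetime, timezone

# Required artifacts per control, from the table ("closure evidence" -> closure_evidence).
REQUIRED = {
    "Access reviews": {"approval_record", "exception_record"},
    "Change control": {"validation_evidence", "version_log"},
    "Incident response": {"postmortem_id", "closure_evidence"},
}

# Constructed sample ledger rows: (control, artifact, owner, timestamp).
LEDGER = [
    ("Access reviews", "approval_record", "alice", "2024-05-02T10:00:00+00:00"),
    ("Access reviews", "exception_record", "alice", "2024-05-02T10:05:00+00:00"),
    ("Change control", "version_log", "bob", "2024-05-03T09:00:00+00:00"),
    ("Incident response", "postmortem_id", "", "2024-05-04T12:00:00+00:00"),
]

# Constructed open exceptions; field names are assumptions, not a product schema.
EXCEPTIONS = [
    {"id": "EX-1", "owner": "alice", "approval_record": "AP-7",
     "mitigation": "compensating review", "opened": "2024-05-20T00:00:00+00:00"},
    {"id": "EX-2", "owner": "", "approval_record": None,
     "mitigation": "", "opened": "2024-03-01T00:00:00+00:00"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "today"


def completeness(ledger, required=REQUIRED):
    """Per control: share of required artifacts present with a named owner."""
    seen = {}
    for control, artifact, owner, _ts in ledger:
        if owner:  # assumption: unowned evidence does not count
            seen.setdefault(control, set()).add(artifact)
    return {c: len(seen.get(c, set()) & need) / len(need)
            for c, need in required.items()}


def exception_findings(exceptions, now, sla_days=30):
    """Return {exception id: [problems]} for exceptions that are ungoverned or aged."""
    findings = {}
    for ex in exceptions:
        problems = [f"missing {k}" for k in ("owner", "approval_record", "mitigation")
                    if not ex.get(k)]
        age = (now - datetime.fromisoformat(ex["opened"])).days
        if age > sla_days:
            problems.append(f"aged {age}d > {sla_days}d SLA")
        if problems:
            findings[ex["id"]] = problems
    return findings
```

Running `completeness(LEDGER)` and `exception_findings(EXCEPTIONS, NOW)` on a schedule gives the per-control gaps and the list of exceptions to route back to an owner.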
Pilot
Pilot checklist (60 minutes to first value)
Start here
- Define control-to-evidence mapping
- Define exception codes and mitigation fields
- Require approval_record for exceptions
- Publish scorecards for completeness and aging
- Add recertification triggers on version changes