The week before an audit is when you find out whether your controls actually ran — or just lived in a policy document. Most teams find out the hard way. Work was completed. Boxes were checked. But when auditors ask for evidence, the answer is: 'let me go dig through email.'
Stop treating evidence as a separate phase. When collection is pushed to quarter-end, your team spends days on inbox searches, spreadsheet reconstruction, and version arguments that didn't need to happen.
Design controls directly in the workflow: approvals by role, due dates tied to SLA risk, mandatory evidence fields for anything high-stakes. Not as an extra step — as the step.
One audit trail per run. Who executed, what was approved, when exceptions were logged, what was attached. All of it in one timeline. That's the difference between reconstruction and retrieval.
The fastest wins are almost always three things: approval gates for critical tasks, required attachments for policy evidence, and overdue alerts tied to a named owner. Start there.