Audit Evidence Certificate: Prove a Set of Audit Files Is Intact
Introduction
Auditors, compliance officers and finance and IT teams all reach the same moment in an engagement: someone has to certify that the set of files handed over as audit evidence is exactly what it was when it was collected. A pile of ledger exports, system logs or extracted reports is only as trustworthy as your ability to show it has not been edited along the way. The audit evidence certificate is the document that does this. It records each file with its cryptographic hash, states a verification result, and seals the whole certificate with a SHA-256 value so the attestation itself cannot be quietly changed. This article explains what the certificate contains, where it is used, and how e-Dex (formerly Hash Calculator) produces one offline on your own machine.
What an Audit Evidence Certificate Is
An audit evidence certificate makes a narrow, verifiable claim: that a defined set of evidence files is intact and unaltered relative to a recorded state. It is not an audit opinion and it says nothing about whether the underlying numbers are right — that judgement belongs to the auditor. What it does is fix the integrity of the files in writing, so that months later anyone can re-check the hashes and confirm the evidence is the same data the auditor actually worked from. That makes it the quiet backbone of an evidence pack: before anyone debates what the records show, the certificate establishes that the records have not moved.
What Is Inside the Certificate
The certificate is built from real, structured fields rather than free text. At the top sits the scope or case — for example a financial audit evidence case with its own case reference, analyst and organisation. A summary line records how many files were processed, their total size, and the count of matches, mismatches and errors. The heart of the document is the annexure: each file is listed with its name, byte size, a per-file status such as Verified, and its SHA-256 hash. Below the annexure a verification result states the totals — for instance verified, failed and errors — so the outcome is visible at a glance. The certificate then carries an integrity SHA-256 seal computed over every sealed line of the document, and closes with a formal declaration that the records were processed with e-Dex, that their hash values were computed and recorded as set out in the annexure, and that the stated verification result reflects their integrity status.
Use Cases
The certificate fits anywhere a set of files has to be shown to be intact. In internal audit, a team attaches it to extracted ledgers or system data so a later reviewer can confirm the working set was untouched. In external audit, it travels with evidence handed between the client and the audit firm, giving both sides a re-checkable record. For framework work such as ISO 27001 and SOC 2, it helps demonstrate the integrity of the artefacts placed in an evidence pack, although it does not by itself establish compliance. And for regulatory evidence packs, it provides a defensible, file-level integrity record that a regulator or counterparty can independently verify. For a broader look at the same underlying idea, see our guide to the evidence integrity certificate.
How e-Dex Generates It
In e-Dex you open the Certificate Generator and choose the Audit & Compliance template — the audit evidence layout. You add the files that make up the evidence set; e-Dex computes their hashes and lays them into the annexure automatically. You then fill the case fields — scope or case name, reference, analyst and organisation — and e-Dex assembles the summary, the verification result and the declaration. With one action it computes the integrity SHA-256 seal over the sealed content and lets you sign and timestamp the document where you need the extra assurance, before you export to PDF. The same template-driven approach is used for related documents such as the backup integrity certificate for compliance.
Signing, Timestamping and Verifying Offline
e-Dex produces the certificate fully offline on your own Windows machine, so the evidence files never leave your computer. Where you need stronger assurance you can apply a PAdES digital signature with a Digital Signature Certificate on a USB token, binding the signer's identity to the document, and attach an RFC-3161 trusted timestamp that records the exact time of production against an independent Time-Stamping Authority — only that step needs the internet. Verifying the seal is equally local: a checker recomputes a single SHA-256 over the sealed lines, each encoded as UTF-8 and followed by a newline, and the result must equal the stated hash. If anything in the body or any recorded file hash were altered, the seal would no longer match. For more on the cryptographic signing layer, read how to sign and timestamp a forensic certificate with PAdES and RFC-3161.
A Note on Scope
e-Dex helps you produce a clear, integrity-backed certificate; it is a tool, not an auditor and not legal counsel. An audit evidence certificate attests that files are unaltered — it does not state that you are compliant with any framework, and it does not replace the professional judgement of the auditor or the conclusions of a certifying body. Treat it as one well-structured piece of supporting documentation in a wider engagement, and rely on your auditors and advisers for the conclusions that depend on it.
See a sample Audit Evidence Certificate
This is a real certificate produced by e-Dex, shown with fictitious case data, for illustration only. Recompute the SHA-256 seal printed on it to watch the integrity check work.
Frequently Asked Questions
What is an audit evidence certificate?
An audit evidence certificate is a short, readable document that certifies a defined set of audit evidence
files is intact and unaltered. It records the scope or case, an annexure listing each file with its size,
status and SHA-256 hash, an overall verification result, an integrity SHA-256 seal over the certificate
text, and a declaration. It does not opine on the contents of the records; it attests only that the files
have not changed since they were recorded.
Does an audit evidence certificate prove I am compliant with ISO 27001 or SOC 2?
No. An audit evidence certificate is supporting documentation that helps demonstrate the integrity of
evidence files you hand to an auditor or place in an evidence pack. It does not by itself establish
compliance with ISO 27001, SOC 2 or any other framework, and it does not replace the auditor's judgement.
e-Dex helps you produce the integrity document; the compliance conclusion is for the auditor and the
certifying body.
Does e-Dex need an internet connection to generate an audit evidence certificate?
No. e-Dex runs fully offline on your own Windows machine. Hashing the files, computing the integrity seal
and generating the audit evidence certificate all happen locally, so your evidence never leaves your
computer. An internet connection is only needed if you choose to apply an RFC-3161 trusted timestamp from a
Time-Stamping Authority.
What is the integrity SHA-256 seal on the certificate?
The integrity seal is a single SHA-256 hash computed over every line of the certificate's sealed content. A
verifier recomputes SHA-256 over each sealed line followed by a newline in UTF-8, and the result must equal
the stated hash. If even one character of the certificate body or any recorded file hash were changed, the
seal would no longer match, so the seal protects the certificate itself, not only the files it lists.
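The seal check described in this answer and under "Signing, Timestamping and Verifying Offline", combined with a re-check of the annexure hashes, as an added Python example (not e-Dex code). Only the rule "SHA-256 over each sealed line followed by a newline in UTF-8" comes from the article; the row layout `name | size | status | sha256`, the choice of which lines are sealed, and the sample data are assumptions constructed for illustration.

```python
import hashlib

def seal_sha256(sealed_lines):
    """SHA-256 over each sealed line followed by "\\n", encoded as UTF-8."""
    h = hashlib.sha256()
    for line in sealed_lines:
        # Drop any CR/LF carried over from the text so exactly one "\n" is hashed.
        h.update(line.rstrip("\r\n").encode("utf-8") + b"\n")
    return h.hexdigest()

def verify(sealed_lines, stated_seal, evidence):
    """Return (seal_ok, {file name: status}); evidence maps file name -> bytes."""
    seal_ok = seal_sha256(sealed_lines) == stated_seal.strip().lower()
    statuses = {}
    for line in sealed_lines:
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4 or len(parts[3]) != 64:
            continue  # not an annexure row in the assumed layout
        name, size, _status, recorded = parts
        data = evidence.get(name)
        if data is None:
            statuses[name] = "Error"      # listed file is missing
        elif str(len(data)) != size or hashlib.sha256(data).hexdigest() != recorded.lower():
            statuses[name] = "Failed"     # size or hash differs from the record
        else:
            statuses[name] = "Verified"
    return seal_ok, statuses

# Constructed sample evidence set and certificate body (fictitious data).
EVIDENCE = {
    "ledger_2024.csv": b"date,account,amount\n2024-01-31,4000,1250.00\n",
    "auth.log": b"2024-02-01T09:14:02Z login ok user=analyst1\n",
}
SEALED = ["Scope: Financial audit evidence (constructed sample)", "Annexure:"] + [
    f"{n} | {len(d)} | Verified | {hashlib.sha256(d).hexdigest()}"
    for n, d in EVIDENCE.items()
] + ["Verification result: 2 verified, 0 failed, 0 errors"]
STATED_SEAL = seal_sha256(SEALED)

if __name__ == "__main__":
    print(verify(SEALED, STATED_SEAL, EVIDENCE))
    edited = dict(EVIDENCE, **{"auth.log": EVIDENCE["auth.log"] + b"x"})
    print(verify(SEALED, STATED_SEAL, edited))      # file changed, seal intact
    forged = [l.replace("0 failed", "9 failed") for l in SEALED]
    print(verify(forged, STATED_SEAL, EVIDENCE))    # certificate text changed
```

The seal is an unkeyed hash, so it shows that the sealed text matches the stated value; the PAdES signature and RFC-3161 timestamp are what tie that value to a signer and a time.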
Can the audit evidence certificate be signed and timestamped?
Yes. After generating the certificate you can apply a PAdES digital signature using a Digital Signature
Certificate on a USB token, which binds the signer's identity to the document so any later edit is
detectable. You can also attach an RFC-3161 trusted timestamp that records the exact time the certificate
was produced against an independent Time-Stamping Authority. Both steps are optional; the integrity seal is
generated either way.
Conclusion
An audit evidence certificate turns a loose promise into a one-page, re-checkable fact: this set of audit files is intact and unaltered, proven by per-file SHA-256 hashes, a stated verification result and an integrity seal over the whole document. It is the simplest, most reusable building block in an evidence pack, and it travels cleanly between internal teams, external auditors and regulators. You can produce one in minutes, offline, on a single Windows machine with e-Dex — the Digital Evidence Integrity Suite. Download it free and start certifying that your audit evidence is exactly what it should be.