Why do auditors reject CSV exports as evidence?
Why CSVs Aren't Enough
A CSV file is just text. Anyone with a spreadsheet editor can add rows, remove rows, or change values. Auditors know this, which is why they classify CSV exports as IPE (Information Produced by Entity) — evidence that requires extra validation before it can be relied upon.
The Problem with CSV-Only Evidence
| Issue | Why It Matters |
|---|---|
| Easy to edit | Auditor can't confirm the data wasn't modified |
| No visual context | No way to see the source system's interface |
| No timestamp proof | File metadata can be changed |
| No completeness proof | No way to verify all records are included |
| Requires validation | Auditor must independently check a sample against the source |
What Auditors Actually Do with CSVs
When you provide a CSV (e.g., a user access list), the auditor will:
- Ask you to show them the source system
- Spot-check 3-5 entries from the CSV against the live system
- Check if the CSV includes all users (compare total count)
- Look for records that should be there but aren't
This validation step adds time to your audit. Screenshots reduce it.
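The checks listed above, as an added Python example (not part of the original page): it reconciles a CSV export against the record set read from the source system, covering the count comparison, the missing-record check and the spot-check. The sample data, the `validate_export` function and its field names are constructed for illustration.

```python
import csv, hashlib, io, random

# Constructed sample data: the CSV export handed to the auditor, and the
# user list read from the live source system during the walkthrough.
EXPORT_CSV = """email,role
alice@example.com,admin
bob@example.com,member
carol@example.com,member
dave@example.com,member
"""
SOURCE_SYSTEM = {
    "alice@example.com": "admin",
    "bob@example.com": "admin",      # role differs from the export
    "carol@example.com": "member",
    "dave@example.com": "member",
    "erin@example.com": "member",    # absent from the export
}

def validate_export(csv_text, source, key="email", field="role",
                    sample_size=3, seed=0):
    """Run completeness and accuracy checks on a CSV export (hypothetical helper)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    exported = {r[key]: r[field] for r in rows}
    # Spot-check: sample entries from the export and compare with the source.
    rng = random.Random(seed)  # fixed seed so the same sample can be re-performed
    sample = rng.sample(sorted(exported), min(sample_size, len(exported)))
    mismatches = [k for k in sample if source.get(k) != exported[k]]
    return {
        # Hash of the file as received; a later copy can be compared against it.
        "sha256": hashlib.sha256(csv_text.encode()).hexdigest(),
        "count_export": len(rows),
        "count_source": len(source),
        "counts_match": len(rows) == len(source),
        "missing_from_export": sorted(set(source) - set(exported)),
        "not_in_source": sorted(set(exported) - set(source)),
        "duplicate_keys": len(rows) - len(exported),
        "sample": sample,
        "sample_mismatches": mismatches,
    }

if __name__ == "__main__":
    for name, value in validate_export(EXPORT_CSV, SOURCE_SYSTEM).items():
        print(f"{name}: {value}")
```

A small sample can miss a changed row, which is why the count and missing-record checks run over the full set rather than the sample.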
The Better Approach
Provide screenshots of the source system alongside CSV exports. For example:
- User access review: Screenshot of the Google Workspace admin panel showing the full user list + a CSV export of users with roles
- Security settings: Screenshot of the settings page showing the configuration + a JSON export as supporting documentation
- Deployment history: Screenshot of the Vercel dashboard showing recent deployments + API export of deployment records
The screenshot gives the auditor visual confidence. The export gives them detailed data to analyze.
When CSVs Work
CSVs are fine as supporting evidence when accompanied by screenshots or system demonstrations. They're useful for large datasets (200+ users, hundreds of deployments) where a screenshot can't capture every entry. The key: never submit a CSV as the sole evidence for a control.