Every compliance programme eventually faces the same question. Not from the auditor — auditors ask it in technical language, about evidence quality and population coverage and the independence of the observation. The version that stings comes from an enterprise prospect's security team, or from a board member who has sat through one too many reassuring presentations and then read about a breach at a company whose compliance scores were excellent. The question is simple: how do we know this is real?
It is a question about independence. Not about the quality of the controls. Not about the sophistication of the tooling. About whether the evidence that the controls are working was produced by a process that had nothing to gain from a flattering answer. When that question gets asked and the answer is "our team gathered and reviewed the evidence," the conversation does not go where the compliance lead hoped it would. The evidence may be accurate. But it cannot be verified to be accurate by the same people who produced it.
Independence is not a procedural nicety. It is the structural requirement that makes proof different from assertion. Understanding why — and what independence means in operational terms for a mid-market company — is the difference between a compliance programme that holds up under scrutiny and one that holds up until someone actually looks.
01 / Why auditors discount self-collected evidence
When an auditor reviews a SOC 2 report or an ISO 27001 surveillance audit, their job is not to look at the evidence and decide whether they believe it. Their job is to verify it. The distinction matters because verification requires independence from the process that produced the evidence in the first place.
An auditor who reviews evidence gathered by the company's own compliance team is not verifying the controls. They are verifying the compliance team's evidence-gathering process. Those are different things. The compliance team may have gathered the evidence accurately, completely, and in good faith. But the auditor cannot rely on evidence that could have been — even inadvertently — curated, filtered, or framed by the same team that operates the controls being assessed. This is why the standards require independent assessment, not just documentation.
In practice, auditors address this by testing. They pull their own samples. They request evidence they have not been given. They ask for the full population, not a representative subset. They look for the records that would be embarrassing if they existed — the failed checks, the temporary exceptions, the remediation that happened right before the audit window. A compliance programme that was built by the internal team, on timelines set by the internal team, with populations selected by the internal team, will produce cleaner results for the audit window than for the months the auditor does not see. Experienced auditors know this. Their testing strategy accounts for it.
The implication is not that internal compliance teams are dishonest. Most are meticulous, professional, and genuinely committed to the programmes they run. The implication is that the structural incentive to produce evidence that reflects well on the team producing it is built into the architecture of self-collected evidence, regardless of the team's intentions. That incentive does not go away because the team is careful. It goes away when the evidence is produced by a party that has no stake in how it reads.
02 / The conflict of interest in "compliance automation" you operate yourself
The wave of compliance automation that reached the mid-market over the last decade made a persuasive offer: use our platform, and evidence collection becomes faster, more comprehensive, and easier to organise for the auditor. The offer was genuine. The platforms do what they say. Evidence that used to take three people three weeks to assemble now takes three people three days.
But the structural problem with self-collected evidence did not go away. It accelerated. The same team that operates the controls now operates the compliance tool that monitors those controls. The same team that decides what the tool connects to, what it checks, and how it reports findings is the team whose controls are being checked. The platform is more capable. The conflict of interest is identical.
This is worth stating plainly, because the marketing language around compliance automation often obscures it. "Automated evidence collection" does not mean independent evidence collection. It means the same team collecting the same evidence more efficiently, using a platform they administer, against populations they define, on schedules they set. The output is better organised than a folder of screenshots. It is not more independent than a folder of screenshots. The question "can you prove it?" gets a faster answer. It does not get a better one.
Independence requires separating two things that compliance automation, however sophisticated, keeps joined: the operation of the controls and the observation of the controls. When both are in the hands of the same party, the observation is only as credible as that party's own diligence. When they are separated — when an independent party does the observing — the observation has a different quality, one that the party operating the controls cannot achieve for themselves, regardless of the tooling they use.
Automated evidence collection is not the same as independent evidence collection. The platform changes the speed of the work. It does not change who is doing it or what they have at stake in the result.
03 / What independence means operationally
Independence is a word that gets used loosely in compliance discussions. It is worth being precise about what it means in operational terms, because the precision matters when a regulator or an enterprise buyer pushes on it.
Independence means that the party producing the evidence has no material interest in how the evidence reads. Not that they are uninvested in the client's success — a governance firm whose evidence record consistently catches problems that are then remediated is doing its job well, and doing it well is good for the relationship. But the firm's interest is in the accuracy of the record, not in the record reflecting well on the client. Those two interests sometimes align. When they diverge, independence means the accuracy of the record wins.
Operationally, this shows up in how the programme is structured. The governance party sets the check schedule, not the client's compliance team. The populations checked are the full populations in scope, not a sample that the client team selected. The findings are what the checks produce, not a filtered version that excludes anything awkward. The record is held by the governance party, not maintained in a system the client administers. When a finding is a finding, it is recorded as one — not managed into a different category before it reaches the report.
This is not a description of an adversarial relationship. A governance engagement works because the client wants accurate evidence as much as the governance party does. The client's compliance lead wants to know when something is wrong so they can fix it before an auditor or a regulator finds it. The value of independence is not that it finds problems the client is hiding. It is that it finds problems the client might have missed, rationalised, or not had the structural distance to see clearly.
04 / The financial audit parallel
The principle at stake here is not new. It is the same principle that underlies financial audit. Companies do not audit their own financial statements. External auditors do. The reason is not that finance teams are untrustworthy. It is that an audit performed by the team whose work is being audited cannot produce results that anyone outside the company can rely on. The value of the audit depends entirely on the independence of the auditor from the subject of the audit.
This is so well understood in financial governance that it is codified in law in most jurisdictions. The rules governing auditor independence are detailed, specific, and strictly enforced. The auditor cannot hold equity in the company they audit. They cannot have been employed by the company within a certain period. They cannot provide certain categories of consulting services to the company while also auditing it. These restrictions exist because the conflict of interest, if not carefully managed, undermines the entire purpose of the audit.
The parallel for information security and compliance governance is not yet codified at the same level. But the logic is identical. Evidence about whether a company's controls are working, gathered and maintained by the team whose controls they are, cannot be independently verified by definition. The team can be diligent, thorough, and accurate, and the evidence still cannot serve the purpose that independent evidence serves. The gap is structural, not a function of the team's quality.
The question is not whether companies should have internal compliance functions. They should, and those functions do essential work. The question is whether the evidence that those functions produce is the right foundation for the claims that matter most — the claims made to auditors, regulators, enterprise customers, and boards. For those purposes, the evidence needs to be independent. Internal compliance work and independent evidence are not alternatives. They are complements, with distinct roles in a complete governance programme.
05 / Independence and data possession: why they must both be present
Independence and data possession interact in a way that is not always obvious. An independent governance programme that holds copies of the data it observes has moved a risk without eliminating it. If the programme is genuinely independent but holds your customer records, your HR data, or your financial information, you now have a third party in possession of your most sensitive data. The independence of the record does not make that a better outcome. It makes it a different problem.
The complete posture requires both independence and evidence-only observation. The governance party observes controls at their source — verifying configurations, access states, and policy compliance in the systems where they live — and records findings. It records findings, not data. The finding is that a control was met or was not met, at a specific time, against a specific population. The sensitive data stays in the system where it lives. The governance party holds the evidence of what was checked, not the records that were checked.
This is what distinguishes governance from monitoring. Monitoring often involves data ingestion — collecting logs, pulling records, aggregating information in a central platform. Governance, as Bylaw Evidence practices it, means reading the system's own state and recording whether the control is met. The read does not create a copy. The record does not contain the underlying data. The evidence is a finding, not a file.
For a mid-market company, the combination — independent observation, evidence-only posture — removes two risks at once. The data possession risk, which shows up in vendor due diligence, data processing agreements, and breach notification obligations, is eliminated because no sensitive data is held outside the source system. The self-grading risk, which shows up when auditors probe evidence quality and regulators ask who produced the record, is eliminated because the observation and the record are maintained by a party with no stake in the outcome. Both risks matter. Both need to be addressed. The architecture that addresses both is the same one.
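As an added illustration of the two properties this section describes (an evidence-only record, held by a party with no stake in the outcome, that cannot be quietly revised after the fact), the following Python sketch shows the difference between a finding and a file. It is example code written for this page, not Bylaw Evidence's tooling or an account of how the firm's platform works. The control identifier IAM-MFA-01, the user listing, and the timestamps are constructed; the hash chain is one widely used way to make an append-only record tamper-evident, and the checker reads the source state in place and writes only counts, times and pass/fail into the record.

```python
import copy
import hashlib
import json

# Constructed sample input: the source system's own state, e.g. an identity
# provider's user listing. The observer reads it in place and never stores it.
SAMPLE_USERS = [
    {"user": "alice@example.test", "mfa_enabled": True},
    {"user": "bob@example.test", "mfa_enabled": True},
    {"user": "svc-backup@example.test", "mfa_enabled": False},
]

GENESIS = "0" * 64  # prev_hash of the first entry in a chain


def _digest(obj):
    """Canonical JSON -> SHA-256 hex; fixed key order keeps hashes reproducible."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def check_mfa_enforced(users):
    """Control check for the hypothetical control IAM-MFA-01: every user in the
    population has MFA. Returns (met, population_size, failing_count) only."""
    failing = sum(1 for u in users if not u["mfa_enabled"])
    return (failing == 0, len(users), failing)


class FindingsLog:
    """Append-only log of findings. Each entry commits to the previous one by
    hash, so altering or removing an earlier finding breaks every later link."""

    def __init__(self):
        self.entries = []

    def record(self, control_id, observed_at, met, population, failing):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "control_id": control_id,
            "observed_at": observed_at,
            "population": population,  # size of the population checked, not its members
            "met": met,
            "failing": failing,        # a count, not the identities that failed
            "prev_hash": prev,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """(True, n_entries) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return (False, i)
            prev = e["entry_hash"]
        return (True, len(self.entries))


def observe(log, control_id, users, observed_at):
    """One observation cycle: read the source state, record the finding, copy nothing."""
    met, population, failing = check_mfa_enforced(users)
    return log.record(control_id, observed_at, met, population, failing)


def record_leaks_source_data(log, users):
    """True if any user identifier from the source appears anywhere in the record."""
    serialised = json.dumps(log.entries)
    return any(u["user"] in serialised for u in users)


def tamper(log, index, rehash):
    """Simulate revising a past finding to look clean. With rehash=False the
    entry's own hash no longer matches; with rehash=True the entry looks valid
    on its own, but the next entry's prev_hash no longer matches it."""
    altered = copy.deepcopy(log)
    e = altered.entries[index]
    e["met"] = True
    e["failing"] = 0
    if rehash:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        e["entry_hash"] = _digest(body)
    return altered


def build_sample_log():
    """Two constructed observation cycles: a failure, then its remediation."""
    log = FindingsLog()
    observe(log, "IAM-MFA-01", SAMPLE_USERS, "2024-03-01T02:00:00Z")
    remediated = [dict(u, mfa_enabled=True) for u in SAMPLE_USERS]
    observe(log, "IAM-MFA-01", remediated, "2024-03-02T02:00:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print([(e["observed_at"], e["met"], e["failing"]) for e in log.entries])
    print("chain intact:", log.verify())
    print("record leaks source data:", record_leaks_source_data(log, SAMPLE_USERS))
    print("after silent edit:", tamper(log, 0, rehash=False).verify())
    print("after edit and rehash:", tamper(log, 0, rehash=True).verify())
```

The design point is in what the record omits: the first finding says that one of three users failed the check at a given time, and nothing about who. The chain covers the unflattering entry as much as the remediated one, so the record of the failure and of the fix survive together; on their own the hashes only prove consistency, and the independence the article argues for comes from the chain being held by a party that does not operate the controls.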
06 / What independence buys with regulators, buyers, and boards
The case for independent governance is not abstract. It shows up in concrete terms across three audiences that mid-market companies interact with regularly and that determine real outcomes — regulatory inquiries, enterprise sales processes, and board oversight.
With regulators, independent evidence changes the nature of the conversation. A regulator investigating a potential compliance failure under GDPR, HIPAA, or the EU AI Act is asking whether the controls were in place and whether they were working. A company that can produce a continuous record of control checks, produced by an independent party, held in a form that cannot be altered after the fact, is in a materially different position than a company that can produce a set of screenshots assembled by its internal team in the weeks before the inquiry. The record does not guarantee a clean outcome. But it demonstrates that the governance programme was real — that it ran continuously, that it caught and addressed failures, and that it was not assembled for the purpose of the inquiry.
With enterprise buyers, independent evidence addresses the procurement question that stalls deals. A customer with a rigorous security review process wants to know that the vendor's controls are working, not that the vendor believes they are working. A governance record produced by Bylaw Evidence, covering the controls in scope for the customer's review, produced continuously rather than assembled for the evaluation, held by a party independent of the vendor — that record answers the customer's actual question. It does not require the customer to take the vendor's word for anything.
With boards, independent governance provides what internal reporting cannot: an unfiltered view of the control state. A board that relies entirely on the compliance team's own reports about the compliance programme's effectiveness is relying on a self-assessment. That is appropriate for operational reporting. It is not sufficient for fiduciary oversight. An independent record, summarised in plain language, gives the board a basis for oversight that does not depend entirely on the judgement of the team being overseen.
The common thread across all three audiences is that they are asking a version of the same question. Not "do you have a compliance programme?" Every company that has made it to a serious audit, a rigorous security review, or a board discussion about risk has a compliance programme. The question is whether the evidence that programme produces is the kind that holds up when someone who has no particular reason to take it on faith examines it carefully. Independence is what makes the answer yes.
See it on your company.
This is the desk work of the office we embed. A structured governance review shows you, on your own documents and systems, exactly where your proof is strong, fragile, and missing — in plain language, no data required.