An evidence gap exists when a company has a control expectation but cannot show enough proof that the control exists, is assigned, or is operating.
Examples include:
- A policy that exists but has no review date
- A backup process with no restore test evidence
- Access controls with no owner or review record
- Vendor reviews that happen informally but are not documented

Evidence gaps matter because they often block customer reviews, audits, and internal risk decisions.
