Documentation & Reporting Standard
All documents generated by Govula are formal, audit-grade artefacts designed for direct use in audits, regulatory reviews, and board reporting.
This section is intended for: Technical Team, Auditor, Management, End User. Unauthorised access is restricted.
Audit-Grade Document Standard
Every document generated by Govula follows a mandatory canonical structure with eight sections. This standard ensures that all outputs are suitable for formal audits, regulatory submissions, and board-level reporting without modification.
Canonical Document Structure
All generated documents include these eight mandatory sections. Generation is blocked if any section is incomplete, ensuring every output meets the standard before delivery.
Document Classification
Document type, intended audience, confidentiality level, and unique document identifier. Ensures the document is appropriately labelled and traceable.
Scope & Applicability
What systems, controls, and environments are included. Exclusions are explicitly stated. A scope statement summarises what the document covers.
Framework Reference
The compliance framework name, version, and clause identifiers that the document relates to. Allows auditors to cross-reference against the standard.
Assessment Basis
Evidence sources used, evaluation methods applied (attestation, inference, evidence linkage, automated scan, manual review), assessment period, and data point count.
Decision Statement
An unambiguous compliance status (compliant, partially compliant, non-compliant, or not assessed) with a clear statement summarising the determination.
Rationale & Narrative
A substantive narrative explaining the basis for the decision. Includes key findings and actionable recommendations.
Authority & Provenance
Generating platform and version, generation timestamp, workspace and framework binding, evidence lineage reference, cryptographic content hash, and point-in-time indicator.
Reuse & Citation Notice
Declares suitability for audit, regulatory review, and board reporting. Includes a formal citation statement and disclaimers. Sandbox-mode documents are marked as not suitable for external use.
Living SoA Principles
All documents adhere to living Statement of Applicability principles:
- Point-in-time assessments — every document is timestamped and reflects compliance state at the moment of generation
- No overwrites — previous assessments are never modified; new documents are generated alongside historical records
- Evidence lineage — every document includes a reference to its evidence sources and decision provenance, enabling report-to-decision-to-evidence tracing
- Content integrity — SHA-256 content hashes allow recipients to verify that a document has not been altered after generation
Report Types
Different stakeholders need different information. Govula provides targeted reports designed for specific audiences and decision-making contexts. All report types conform to the canonical document standard.
Executive Reports
Audience: EXECUTIVE, BOARD
Board members, C-suite executives, senior leadership
High-level compliance status with decision statements and rationale. Suitable for board reporting.
Technical Reports
Audience: TECHNICAL
Security teams, IT operations, compliance officers, risk managers
Control-level detail with gap analysis, remediation recommendations, evidence inventory, and drift detection.
Auditor-Ready Evidence Packs
Audience: AUDIT, REGULATORY
External auditors, certification bodies, regulators
Structured evidence packs with document classification, complete SoA, evidence organised by control, audit trail, cryptographic signatures, chain of custody tracking, and formal reuse and citation notices.
Output Formats
PDF Reports
Formatted documents with canonical header, decision statement, provenance footer, and reuse notice. Suitable for printing, sharing, and archiving.
Best for: Board presentations, formal submissions, record keeping
HTML Reports
Web-based views with full canonical structure including scope, framework reference, assessment basis, and authority sections rendered inline.
Best for: Day-to-day monitoring, team collaboration, status meetings
CSV / Excel Export
Raw data export with document standard metadata header (type, audience, hash, scope, decision) and reuse citation footer.
Best for: Data analysis, GRC tool integration, custom reports
JSON Evidence Packs
Structured JSON with document classification, control evidence, decision history, signatures, and reuse notices. Machine-readable for integration.
Best for: Automation, integration, programmatic verification
Report Scheduling
Reports can be generated on demand or scheduled for automatic delivery. All scheduled reports conform to the canonical document standard.
- Daily: Operational status for technical teams
- Weekly: Progress summaries for management
- Monthly: Trend reports for executives
- On-demand: Audit packs when needed
Document Integrity
All generated documents include a cryptographic content hash (SHA-256) that allows recipients to verify the document has not been modified after generation. The hash covers the document content, generation timestamp, and provenance metadata.
Documents generated in sandbox or demo mode are explicitly marked as not suitable for audit, regulatory, or board use. Production documents carry formal suitability declarations.
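A recipient-side check of the content hash and the eight mandatory sections described above, as an added example that is not Govula's own code. The JSON field names, the canonical serialisation (sorted-key compact JSON) and the sample values are assumptions, since this page does not specify them.

```python
import hashlib
import hmac
import json

# The eight mandatory sections named on this page; the snake_case keys are assumed.
MANDATORY_SECTIONS = (
    "document_classification", "scope_applicability", "framework_reference",
    "assessment_basis", "decision_statement", "rationale_narrative",
    "authority_provenance", "reuse_citation_notice",
)

def content_hash(sections, generated_at, provenance):
    """SHA-256 over document content, generation timestamp and provenance metadata.

    Assumed canonical form: UTF-8 JSON with sorted keys and no whitespace.
    """
    covered = {"content": sections, "generated_at": generated_at, "provenance": provenance}
    canonical = json.dumps(covered, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def verify_pack(pack, expected_hash):
    """Return a list of problems; an empty list means the pack verified."""
    problems = []
    sections = pack.get("sections", {})
    for name in MANDATORY_SECTIONS:
        if not sections.get(name):  # absent or empty section
            problems.append(f"missing or empty section: {name}")
    actual = content_hash(sections, pack.get("generated_at"), pack.get("provenance"))
    # Constant-time comparison; hex digests are compared case-insensitively.
    if not hmac.compare_digest(actual, expected_hash.lower()):
        problems.append("content hash mismatch")
    return problems

def sample_pack():
    """Constructed sample pack; every value here is illustrative."""
    sections = {name: f"{name} text" for name in MANDATORY_SECTIONS}
    sections["decision_statement"] = "partially compliant"
    return {"sections": sections, "generated_at": "2024-01-01T00:00:00Z",
            "provenance": {"platform": "example", "workspace": "demo-workspace"}}

if __name__ == "__main__":
    pack = sample_pack()
    reference = content_hash(pack["sections"], pack["generated_at"], pack["provenance"])
    pack["sections"]["decision_statement"] = "compliant"  # simulated alteration
    print(verify_pack(pack, reference))
```

Compare against a hash obtained through a channel separate from the document, since anyone who can alter the file can also recompute an unkeyed SHA-256.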