How to Build an ECCTA Evidence Register That Stands Up to Review
An evidence register is the structured record that supports the ECCTA reasonable-procedures defence. This guide explains what it must contain, how to maintain it with proper source lineage, and how to produce a board-pack export that advisers and reviewers can work from.
Key points
- Evidence of procedures being operational — not just in existence — is what supports the defence
- Source lineage means recording who created each evidence item, when, and whether it has been reviewed
- Gap mapping identifies which evidence is missing and who is responsible for obtaining it
- An audit trail of dated changes creates a compliance narrative that retrospective assembly cannot replicate
- The board-pack export needs to be readable by a qualified reviewer who has not seen the underlying workspace
Why an evidence register matters
The ECCTA reasonable-procedures defence is an evidence question. An organisation that has genuine, proportionate fraud prevention procedures in place but cannot demonstrate they were operational is in a weak position. The SFO's compliance programme evaluation guidance emphasises the distinction between paper compliance — policies and procedures that exist in documentation — and operational compliance, which requires contemporaneous evidence that the procedures were followed.
An evidence register provides the structured basis for that demonstration. It records, for each element of the compliance framework, what evidence exists, where it came from, who has reviewed it, and what gaps remain. Without a register, the compliance function relies on ad hoc searches for evidence when it is needed — a process that is slow, inconsistent, and unable to distinguish between evidence that was available at the time of the relevant conduct and evidence assembled later.
Building the register from the outset of the compliance programme — rather than assembling evidence reactively when an issue arises — is the single most important structural decision an organisation can make for its ECCTA compliance position. A register that shows continuous, dated activity throughout the relevant period is qualitatively more valuable than one that shows a burst of activity in the weeks before an investigation begins.
The six evidence dimensions
The evidence register should be structured around the six Home Office fraud prevention principles, so that each principle has a dedicated evidence section and gaps are visible by principle. This structure makes it straightforward to see, at a glance, which principles are well-evidenced and which have gaps that need attention.
Principle 1 (top-level commitment) evidence includes board minutes recording approval of the risk assessment and procedures, the anti-fraud policy and code of conduct, and periodic board reporting records. Principle 2 (risk assessment) evidence includes the dated fraud risk assessment document, version history, and any refresh records. Principle 3 (proportionate procedures) evidence includes procedure documentation, controls documentation, and evidence that controls are operating.
Principle 4 (due diligence) evidence includes associated-person risk-tier assignments and the due-diligence records for each tier. Principle 5 (communication and training) evidence includes training materials, completion records, and attestation records. Principle 6 (monitoring and review) evidence includes monitoring reports, any audit findings, and records of changes made in response to monitoring. Each section should also carry a gap note — recording what is missing, why, and who is responsible for obtaining it.
Source lineage and human review
Every item in the evidence register should carry source lineage: who created or obtained it, on what date, and from what original source. Source lineage matters because it establishes when the evidence existed, not just that it exists now. A training completion record without a date and author is less valuable than one that is tied to a specific training session, a specific date, and the learning management system that recorded completion.
Human review is a second layer of source lineage. For evidence that requires interpretation — a risk assessment, a due-diligence report, a monitoring finding — the register should record who reviewed the evidence, what their conclusion was, and whether they identified any gaps or concerns. Human review creates a documented chain from raw evidence to compliance conclusion: it is the record of the judgment applied, not just the input data.
Organisations sometimes find that evidence exists in scattered systems — a training record in one platform, a board minute in a document management system, an attestation in email — with no single record of what has been reviewed and what the reviewers concluded. Consolidating source lineage into a single register is the practical step that turns scattered records into a defensible evidence file.
Gap mapping
Gap mapping is the process of identifying, for each evidence dimension, what is missing. A gap map records each gap by principle, names who is responsible for obtaining the missing evidence, sets a target completion date, and tracks the gap to resolution. This transforms the evidence register from a record of what exists into an active compliance tool.
Common gaps at the early stages of an ECCTA compliance programme include: a risk assessment that has not yet been reviewed by an external adviser, training that has been delivered but not recorded systematically, associated-person due diligence that covers employees but not supply-chain contractors, and monitoring that has been planned but not yet conducted. Each of these is a gap that, if left unaddressed, weakens the reasonable-procedures position.
The gap map is also the document that supports communication to the board about the state of the compliance programme. A board that receives a gap map — rather than a general assurance that the programme is progressing — is better placed to discharge its Principle 1 governance obligations and to evidence that it was engaged in the compliance process.
Audit trail and version control
The evidence register should be maintained with an immutable audit trail: every change to an evidence item, every gap update, every review record should be logged with the identity of the person who made the change and the timestamp. Immutability is important because it prevents retrospective alteration of records and creates a verifiable history of what the compliance programme looked like at any point in time.
Version control applies both to the register itself and to the underlying documents. A fraud risk assessment that has been revised three times since 2025 should carry all three versions, each dated and attributable to the person who made the revision. Version control allows the organisation to answer the question: what did your risk assessment say in September 2025, when the offence came into force? — a question that may be material in any enforcement scenario.
Organisations that maintain evidence in shared document stores without version control and audit trails face a specific risk: the documents they produce in response to a regulator request may not be verifiably the same as the documents that existed at the relevant time. An evidence register with immutable audit logging eliminates that ambiguity.
Board-pack readiness and adviser handoff
The board pack is the periodic export that brings together the organisation's ECCTA compliance position in a format that is readable by people who have not been involved in the day-to-day compliance work — board members, external legal advisers, and, in an enforcement scenario, prosecutors or regulators. A well-structured board pack shows the scope determination, the risk assessment summary, the evidence gap map by principle, the principle coverage summary, unresolved blockers, and adviser review status.
Adviser handoff is the process by which external legal advisers receive the evidence they need to conduct their own review. A structured export — not a dump of raw documents — allows advisers to focus on the gaps and judgment calls rather than on reconstructing what the compliance function already knows. The adviser's review comments, and the organisation's response to them, should themselves be recorded in the evidence register.
Organisations approaching ECCTA compliance as a one-time exercise — produce a set of documents, get external sign-off, file and forget — are building a static compliance position that will deteriorate over time. The evidence register approach treats compliance as an ongoing process: evidence is added as the programme develops, gaps are tracked and resolved, and the board pack is refreshed on a regular cycle. This continuous approach is what the SFO's compliance programme evaluation guidance recognises as genuine compliance.
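To make the register structure concrete, the following is an added example (not DefenceFile's code, and not from any of the guidance cited here) of a minimal evidence register in Python. It implements the points made in the sections above: evidence items keyed to the six principles, source lineage on every item (creator, date, original source) and on every version, human review recorded separately from the raw evidence, gaps owned and tracked to resolution against a real evidence item, an append-only audit log, and a per-principle board-pack summary. The audit log is hash-chained, each entry committing to the previous one, so any retrospective edit, deletion or reordering is detectable; hash chaining is one way to get the "immutable audit trail" property and is this example's choice, not something the page prescribes. All names, dates, ids and file names in the sample data are constructed for illustration.

```python
import dataclasses
import hashlib
import json

# The six Home Office fraud prevention principles the register is keyed by.
PRINCIPLES = {1: "Top-level commitment", 2: "Risk assessment", 3: "Proportionate procedures",
              4: "Due diligence", 5: "Communication and training", 6: "Monitoring and review"}
GENESIS = "0" * 64  # prev_hash of the very first audit entry


@dataclasses.dataclass(frozen=True)
class AuditEntry:
    seq: int
    actor: str       # identity of the person who made the change
    timestamp: str   # when the change was logged (ISO 8601, UTC)
    action: str
    payload: dict
    prev_hash: str   # hash of the previous entry: this is what makes the log tamper-evident
    entry_hash: str


def _digest(seq, actor, timestamp, action, payload, prev_hash):
    body = json.dumps([seq, actor, timestamp, action, payload, prev_hash], sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def verify_chain(entries):
    """Recompute every hash; an edited, dropped or reordered entry breaks the chain."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev:
            return False
        if _digest(e.seq, e.actor, e.timestamp, e.action, e.payload, e.prev_hash) != e.entry_hash:
            return False
        prev = e.entry_hash
    return True


class EvidenceRegister:
    def __init__(self):
        self.items = {}    # item_id -> versions, oldest first, each carrying source lineage
        self.reviews = {}  # item_id -> human review records (reviewer, conclusion, concerns)
        self.gaps = {}     # gap_id -> gap record (principle, owner, target date, resolution)
        self.audit = []    # append-only, hash-chained log of every change

    def _log(self, actor, timestamp, action, payload):
        seq = len(self.audit)
        prev = self.audit[-1].entry_hash if self.audit else GENESIS
        self.audit.append(AuditEntry(seq, actor, timestamp, action, payload, prev,
                                     _digest(seq, actor, timestamp, action, payload, prev)))

    def add_evidence(self, item_id, principle, title, *, created_by, created_on, source, actor, timestamp):
        """Add an item or a new version of it; created_by/created_on/source are its lineage."""
        if principle not in PRINCIPLES:
            raise ValueError(f"unknown principle {principle}")
        versions = self.items.setdefault(item_id, [])
        version = {"principle": principle, "title": title, "created_by": created_by,
                   "created_on": created_on, "source": source, "version": len(versions) + 1}
        versions.append(version)
        self._log(actor, timestamp, "add_evidence", {"item_id": item_id, **version})

    def record_review(self, item_id, *, reviewer, conclusion, concerns, actor, timestamp):
        """Second layer of lineage: who reviewed which version and what they concluded."""
        version = self.items[item_id][-1]["version"]  # KeyError if the item does not exist
        rec = {"reviewer": reviewer, "conclusion": conclusion, "concerns": concerns, "version": version}
        self.reviews.setdefault(item_id, []).append(rec)
        self._log(actor, timestamp, "record_review", {"item_id": item_id, **rec})

    def record_gap(self, gap_id, principle, description, *, owner, target_date, actor, timestamp):
        gap = {"principle": principle, "description": description, "owner": owner,
               "target_date": target_date, "resolved_by": None}
        self.gaps[gap_id] = gap
        self._log(actor, timestamp, "record_gap", {"gap_id": gap_id, **gap})

    def resolve_gap(self, gap_id, *, evidence_id, actor, timestamp):
        if evidence_id not in self.items:
            raise KeyError(f"no evidence item {evidence_id}")  # a gap closes only against real evidence
        self.gaps[gap_id]["resolved_by"] = evidence_id
        self._log(actor, timestamp, "resolve_gap", {"gap_id": gap_id, "evidence_id": evidence_id})

    def board_pack(self):
        """Per-principle summary readable without access to the underlying workspace."""
        pack = {}
        for p, name in PRINCIPLES.items():
            evidence = [i for i, vs in self.items.items() if vs[-1]["principle"] == p]
            pack[p] = {"principle": name, "evidence_items": len(evidence),
                       "reviewed_items": sum(1 for i in evidence if i in self.reviews),
                       "open_gaps": sorted(g for g, r in self.gaps.items()
                                           if r["principle"] == p and r["resolved_by"] is None)}
        pack["audit_chain_intact"] = verify_chain(self.audit)
        return pack


def build_sample_register():
    """Constructed sample activity: every name, date, id and file name here is illustrative."""
    reg = EvidenceRegister()
    reg.add_evidence("RA-1", 2, "Fraud risk assessment", created_by="J. Khan", created_on="2025-06-02",
                     source="risk-assessment-v1.docx", actor="j.khan", timestamp="2025-06-02T10:00:00Z")
    reg.add_evidence("RA-1", 2, "Fraud risk assessment (refresh)", created_by="J. Khan", created_on="2025-09-01",
                     source="risk-assessment-v2.docx", actor="j.khan", timestamp="2025-09-01T09:30:00Z")
    reg.record_review("RA-1", reviewer="External adviser", conclusion="Proportionate to stated risks",
                      concerns=[], actor="a.smith", timestamp="2025-09-15T14:00:00Z")
    reg.record_gap("G-001", 4, "Due diligence covers employees but not supply-chain contractors",
                   owner="Procurement lead", target_date="2025-12-31", actor="a.smith", timestamp="2025-09-15T14:05:00Z")
    reg.record_gap("G-002", 6, "Monitoring planned but not yet conducted",
                   owner="Internal audit", target_date="2025-11-30", actor="a.smith", timestamp="2025-09-15T14:06:00Z")
    reg.add_evidence("MON-1", 6, "Q3 monitoring report", created_by="Internal audit", created_on="2025-11-20",
                     source="monitoring-q3.pdf", actor="r.lee", timestamp="2025-11-21T08:00:00Z")
    reg.resolve_gap("G-002", evidence_id="MON-1", actor="r.lee", timestamp="2025-11-21T08:05:00Z")
    return reg


def tampered_chain_detected(reg):
    """Retrospectively alter one logged review conclusion and confirm verification fails."""
    copy = list(reg.audit)
    e = copy[2]  # the record_review entry
    copy[2] = dataclasses.replace(e, payload={**e.payload, "conclusion": "No concerns"})
    return not verify_chain(copy)


if __name__ == "__main__":
    register = build_sample_register()
    print(json.dumps(register.board_pack(), indent=2))
    print("retrospective edit detected:", tampered_chain_detected(register))
```

Two design choices carry the page's argument. Lineage dates (`created_on`) are kept separate from logging timestamps, so the register can answer what the risk assessment said in September 2025 even if the entry was catalogued later; and a gap can only be resolved against an evidence item that exists in the register, which keeps the gap map honest. In a real deployment the chain head hash would be periodically anchored somewhere outside the register (a signed board minute, an external timestamping service) so that even someone with write access to the whole log cannot silently rebuild it.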
Official sources
- Home Office failure-to-prevent-fraud guidance v1.5 (updated 2025-10-10; accessed 2026-06-15)
- SFO compliance-programme evaluation guidance (published 2025-11-26; accessed 2026-06-15)
- Economic Crime and Corporate Transparency Act 2023 (Royal Assent 2023-10-26; accessed 2026-06-15)
DefenceFile organises evidence for legal and compliance review. Posts on this blog do not constitute legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.