Evidence guide

How to build an ECCTA evidence register that survives adviser review.

A field-level guide for turning policies, risk assessments, attestations, training records, due-diligence files, and monitoring notes into an inspectable failure-to-prevent-fraud workpaper.

What an evidence register needs to show

An ECCTA evidence register should not be a loose document folder. It should show the source, owner, date, review status, principle mapping, hash or provenance marker, and whether the item is approved, rejected, stale, superseded, or still awaiting review.

The point is not to prove a defence automatically. The point is to let counsel, advisers, auditors, and the board inspect the work that was actually performed, including the version of the Home Office guidance used at the time of review.

Minimum fields for a defensible working file

Useful fields include source title, source type, upload or capture date, business owner, reviewer, review decision, review notes, mapped prevention-procedure principle, linked risk, replacement lineage, and export status.

For board packs, the register should make blockers explicit: missing risk assessment, stale due diligence, unreviewed training record, unresolved associated-person response, or an evidence item that was rejected by a named reviewer.
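The fields and blockers above, expressed as a register record with a sign-off check. This is an added example, not DefenceFile's code or anything from the original page. The field names, the `STALE_AFTER_DAYS` threshold, the `signoff_blockers` function and the sample entries are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional

STALE_AFTER_DAYS = 365  # assumption: the page sets no staleness threshold

@dataclass
class EvidenceItem:
    source_title: str
    capture_date: date
    reviewer: Optional[str]
    review_decision: str  # approved | rejected | stale | superseded | awaiting_review
    principle: str        # mapped prevention-procedure principle
    sha256: str           # hash recorded when the source was captured
    superseded_by: Optional[str] = None  # replacement lineage

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def signoff_blockers(items, contents, today):
    """Return (source_title, reason) pairs that should hold up board-pack sign-off."""
    blockers = []
    for it in items:
        if it.review_decision == "superseded":
            if not it.superseded_by:
                blockers.append((it.source_title, "superseded without lineage"))
            continue  # the replacement item is checked in its own right
        if it.review_decision != "approved":
            blockers.append((it.source_title, it.review_decision))
            continue
        if (today - it.capture_date).days > STALE_AFTER_DAYS:
            blockers.append((it.source_title, "stale"))
        stored = contents.get(it.source_title)
        if stored is None or digest(stored) != it.sha256:
            blockers.append((it.source_title, "hash mismatch or source missing"))
    return blockers

def sample_register():  # constructed sample data, not taken from any real register
    files = {"Fraud risk assessment": b"assessment body",
             "Supplier due diligence": b"file edited after approval"}
    return [
        EvidenceItem("Fraud risk assessment", date(2025, 9, 1), "A. Reviewer",
                     "approved", "Risk assessment", digest(files["Fraud risk assessment"])),
        EvidenceItem("Supplier due diligence", date(2025, 10, 1), "A. Reviewer",
                     "approved", "Due diligence", digest(b"original file")),
        EvidenceItem("Training record", date(2025, 11, 1), None,
                     "awaiting_review", "Communication (including training)", ""),
    ], files
```

An approved item whose stored content no longer matches its recorded hash is reported alongside the unreviewed one, so the blocker list surfaces the traceability gap before the board pack is assembled.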

Common gaps that make review harder

Evidence often looks complete until someone asks who approved it, whether it is current, which fraud scenario it addresses, whether the relevant associated-person population was covered, and whether the source can be traced back later.

The SFO's November 2025 compliance-programme guidance says it may ask whether sufficient information about the operation of the organisation has been supplied and may look at evidence from interviews, disclosures, and direct questions. A professional workflow should make gaps visible before the board meeting, not during adviser review.

Why date-stamped operation matters now

The Joint CPS-SFO Corporate Prosecutions guidance was updated in November 2025, and the SFO's June 2026 speech described a more active enforcement posture for economic crime, including failure-to-prevent-fraud.

For evidence teams, that means the register should record dates, owners, review decisions, source versions, and unresolved blockers without implying that the software itself provides legal assurance.

How DefenceFile structures the register

DefenceFile stores source-register metadata separately from review decisions, keeps AI-assisted classifications draft until human review, records audit events for material workflow actions, and blocks board-pack sign-off when required evidence remains unresolved.

That structure is deliberately narrower than an all-purpose GRC platform. It focuses on the ECCTA defence-file workflow and the evidence trail underneath it.