Skip to main content
DefenceFile
PricingRequest pilot review

Sample board pack — no email, no form

What you’ll be able to show in your next board or adviser review.

This is an illustrative example of the board pack the workspace exports at the end of a working session — evidence coverage against the six principles, the open blockers that stop a clean pack, named review sign-off, a dated source register, and a hash-sealed export. The data below is a fabricated sample for illustration only.

Sample data — “Northwind Group plc” is not a real customer

DefenceFile organises evidence for legal and compliance review. It does not provide legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.

To forward this to a colleague or committee chair, use your browser’s Print → Save as PDF. The live pilot exports the equivalent pack with a full 64-character hash and a shareable, expiring adviser link.

Defence file — board pack (DRAFT)

Northwind Group plc — ECCTA failure-to-prevent-fraud

Prepared for:
Audit & Risk Committee, 2026-07-02
Owner:
Head of Compliance (S. Patel)
Generated:
2026-06-13
Export version:
1
Export gate: Blocked — 2 blockers

Decision requested

Approve the revised remediation dates for the two open principle gaps (Due diligence 2026-06-20; Monitoring & review 2026-06-27), or escalate the slippage to the next cycle. No assurance on legal adequacy is requested or implied — that remains with counsel and advisers.

For information

Five of the six principles are mapped and reviewed (evidence coverage 90/100, up from 74 (illustrative) at the 2026-06-06 review and 61 at the 2026-05-09 review) and two items remain in the named review queue. Coverage measures how complete the file is, not defence strength. The export below is a point-in-time snapshot, sealed by the hash in the integrity footer.

Evidence coverage

90/100

Weighted share of the six Home Office principles with mapped, reviewed evidence. A coverage measure of how complete the file is — not a judgement on whether procedures are reasonable, and not a measure of defence strength.

PrincipleStatus
Top-level commitment(weight 20)Mapped
Risk assessment(weight 20)Mapped
Proportionate procedures(weight 20)Mapped
Due diligence(weight 15)Gap
Communication & training(weight 15)Mapped
Monitoring & review(weight 10)Mapped

Evidence by principle

Per-principle breakdown of mapped evidence with source dates and named reviewer attribution. Items without a reviewer are still in draft; the gap entry shows what is still outstanding.

Top Level Commitment

  • Board minutes — fraud agenda item (2026-Q1) (board_minutes, 2026-05-12) — Approved by J. Marsh
  • Anti-fraud policy v4 (policy, 2026-05-14) — Approved by J. Marsh

Risk Assessment

  • Group fraud risk assessment (2026-03) (risk_register, 2026-05-14) — Approved by J. Marsh

Proportionate Procedures

  • Control matrix v2 (policy, 2026-05-20) — Approved by J. Marsh
  • Procurement procedure (contract, 2026-05-20) — awaiting review

Due Diligence

Gap: Supplier due-diligence refresh evidence not yet uploadedRecommended: Updated third-party attestation from each active supplier

  • Supplier due-diligence attestation (pending refresh) (third_party_attestation, 2026-05-18) — awaiting review

Communication

  • All-staff ECCTA anti-fraud briefing — June 2026 (policy, 2026-06-10) — Approved by J. Marsh
  • 2026 staff training export (92% complete) (training_record, 2026-05-28) — Approved by J. Marsh

Monitoring And Review

  • Quarterly ECCTA readiness board review — Q2 2026 (board_minutes, 2026-06-10) — Approved by J. Marsh

Open blockers

The pack is gated until these are cleared. A forced export still carries every blocker reason into the manifest — the board sees the state of work, not a polished summary.

  • Due diligence — supplier refresh evidence missingOwner: Procurement lead (A. Okafor) · Due 2026-06-20
  • 2 evidence items still awaiting named review sign-offOwner: Compliance reviewer (J. Marsh) · Due 2026-06-18

Named review sign-off

Each evidence item stays draft until a named reviewer records a decision. Every decision keeps reviewer, timestamp, the automated draft suggestion, and the human note in the audit trail.

Approved

J. Marsh — Compliance reviewer

Approved 7 of 9 items · 2026-06-13

Pending

2 items awaiting sign-off

Pack not yet eligible for a “ready” status.

Owner attestation

“I confirm this pack reflects the evidence state recorded in the workspace as at 2026-06-13, with the one open gap (due diligence supplier refresh) and two pending review items shown above.”

S. Patel — Head of Compliance (first-line owner). Internal Audit (R. Singh, third line) provides independent assurance over the process and does not co-sign the owner attestation.

Reporting line: first-line owner (Compliance) → Audit & Risk Committee, with Internal Audit (third line) as independent assurance reviewer. Unresolved blockers escalate to the committee with their owner and date attached.

Source register (9 items)

Every source is SHA-256 hashed at upload, over the original uploaded bytes. The hash travels into the register and is sealed by the export hash below — so an adviser can confirm a source is unchanged since upload (which file was relied on), not that the uploaded file is itself authentic.

SourceStatusSHA-256
Board minutes — fraud agenda item (2026-Q1)board_minutesapproved9f2c41ab7d6e08b3
Group fraud risk assessment (2026-03)risk_registerapproved1c70de93a4f5821b
Anti-fraud policy v4policyapprovedb85a1209ef34cc77
Supplier due-diligence attestation (pending refresh)third_party_attestationdraft — needs review44e9a7c150bd2f6a
Control matrix v2policyapprovedc3a9f102de78bb41
Procurement procedurecontractdraft — needs reviewf6017e84ab925c3d
2026 staff training export (92% complete)training_recordapproved7d4e51c0f2a38b96
Quarterly ECCTA readiness board review — Q2 2026board_minutesapproved3b8f420e9c17da52
All-staff ECCTA anti-fraud briefing — June 2026policyapprovede10c93d47f5ab081

Risk-to-control trace

Each fraud risk is traced to the control evidence relied on, with residual rating and whether it blocks the board pack. This is workflow evidence of how risks map to controls — not a judgement that the controls are adequate.

Fraud riskResidualBoard impact
Third-party introducer facilitates fraudulent invoicingProcurement / supplier onboarding · owner Procurement lead (A. Okafor)MediumBlocks pack
Sales agent misrepresents product to win businessChannel sales · owner Head of Sales (M. Cole)LowClear

Export integrity

SHA-256: 7b3e0d9142af65c8a0d4…e91f (full 64-character hash on the live export)

The export hash is computed over the generation timestamp, the full board-pack content, and the manifest — and the manifest includes this source register, the risk-to-control trace, the blocker reasons, and the approval state. “Manifest consistent” on the shared adviser view means the artifact re-hashes to exactly this value: the pack has not changed since it was generated. It proves this pack, in this state, on this date. It does not prove legal adequacy.

The hash is recorded by the workspace, and the timestamp is the workspace server clock — not an independent timestamping authority. It is integrity evidence against later change, not a countersignature; an external anchor can be added where an engagement requires one.

DefenceFile organises evidence for legal and compliance review. It does not provide legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.

From sample to your evidence

A pack like this is the output of the first working session.

The 90-day pilot is structured so a named owner can produce this from your own evidence — scope screen, gap map, attestation chase, named review, and a sealed export. If the first session does not produce the agreed workflow artifacts, the setup fee is waived.

Board & adviser ready
Named review, not raw AI

Next step

Request a fit review before sharing any real evidence.

Request pilot reviewView pricing and FAQ