Sample by risk, not by folder
Start with risk-based sampling: disputed contracts, high-value invoices, policy exceptions, and incident records. Folder-based random sampling misses the files most likely to fail legal scrutiny.
Check four technical controls
For each sampled file, verify four controls: hash match, token signature validity, trusted certificate chain, and coherence of the timestamp date with business events. If any one control fails, classify the item as non-reliable evidence.
Reconstruct the evidence timeline
Auditors should rebuild the timeline from source actions: create, approve, sign, archive. A valid timestamp that appears only at the end of the process may be insufficient when legal questions concern intermediate decisions.
Produce an audit-ready finding pack
Document each finding with reproducible proof: file identifier, computed hash, token details, validation output, and conclusion severity. This transforms timestamp checks from ad hoc technical tests into defensible audit evidence.
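One way to turn the four controls, the timeline check and the finding fields described above into a reproducible record, as an added example that is not part of the original page. The `assess` helper, the token field names, the five-minute tolerance and the coherence rule are assumptions, and the signature and chain results are taken from an external token validator rather than computed here.

```python
import hashlib, json
from datetime import datetime, timedelta, timezone

STAGES = ("create", "approve", "sign", "archive")  # timeline stages named in the text

def assess(file_id, data, token, events, tolerance=timedelta(minutes=5)):
    """Finding record for one sampled file. signature_valid / chain_trusted come
    from an external token validator (assumed); no cryptography is done here."""
    computed = hashlib.sha256(data).hexdigest()
    stage_time = events.get(token["covers"])
    controls = {
        "hash_match": computed == token["imprint_sha256"].lower(),
        "signature_valid": bool(token["signature_valid"]),
        "chain_trusted": bool(token["chain_trusted"]),
        # Assumed coherence rule: token issued at or after the stage it
        # covers, and no more than `tolerance` after it.
        "date_coherent": stage_time is not None
        and timedelta(0) <= token["gen_time"] - stage_time <= tolerance,
    }
    failed = [name for name, ok in controls.items() if not ok]
    return {
        "file_id": file_id,
        "computed_sha256": computed,
        "token": {"gen_time": token["gen_time"].isoformat(), "covers": token["covers"]},
        "validation_output": controls,
        "failed_controls": failed,
        # Stages that have a business event but no timestamp token of their own.
        "uncovered_stages": [s for s in STAGES if s in events and s != token["covers"]],
        "conclusion": "non-reliable" if failed else "reliable",
    }

# Constructed sample: one invoice whose only token was issued at archive time.
SAMPLE_DATA = b"invoice INV-0001 total 48000.00 EUR\n"
SAMPLE_EVENTS = {
    "create": datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
    "approve": datetime(2024, 3, 4, 14, 30, tzinfo=timezone.utc),
    "sign": datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc),
    "archive": datetime(2024, 3, 5, 10, 2, tzinfo=timezone.utc),
}
SAMPLE_TOKEN = {
    "imprint_sha256": hashlib.sha256(SAMPLE_DATA).hexdigest(),
    "gen_time": datetime(2024, 3, 5, 10, 3, tzinfo=timezone.utc),
    "covers": "archive",
    "signature_valid": True,
    "chain_trusted": True,
}

if __name__ == "__main__":
    print(json.dumps(assess("INV-0001", SAMPLE_DATA, SAMPLE_TOKEN, SAMPLE_EVENTS), indent=2))
```

On the sample, all four controls pass, yet `uncovered_stages` still lists create, approve and sign: the record shows a valid token that appears only at the end of the process.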