qa.codes — Manual Software Testing

Building a Test Evidence Pack

7 min read

A test evidence pack is the bundle of artefacts that proves the testing actually happened — what was tested, by whom, against which build, and with what result. For most internal projects, your team's word is enough. For regulated industries, enterprise customers, or any release that crosses a compliance boundary, "we tested it" is not sufficient. The pack is the difference between "trust us" and "here is the proof." This lesson covers what goes in one, how to organise it, and when to invest the effort versus when to skip it.

When you actually need one

Not every project warrants an evidence pack. Build one when the situation justifies it.

Worth the effort: regulated industries (healthcare HIPAA/FDA, finance PCI DSS/SOX/FCA, automotive, aviation, pharmaceuticals); enterprise customers whose procurement requires ISO 27001 / SOC 2 evidence; high-stakes launches with major financial or safety implications.

Often overkill: internal tools, throwaway prototypes, A/B test variants, design experiments — the pack adds friction without proportional safety.

The honest test: "if a third party demanded proof of testing, would the team be embarrassed by what we have?" If yes, build the pack.

The components of a complete pack

A complete evidence pack is a small bundle of related artefacts, each one serving a specific question an auditor would ask.

Test evidence pack
  • – Scope, in/out
  • – Approach & test types
  • – Entry / exit criteria
  • – Test case spec
  • – Execution log
  • – Pass / fail / blocked
  • – All bugs filed
  • – Status & fixes
  • – Verification notes
  • Annotated images –
  • Screen recordings –
  • Logs and console output –
  • Test summary report –
  • Traceability matrix –
  • Tester sign-off sheet –

Each branch maps directly to an auditor question:

  • Test plan — "what did the team intend to test?"
  • Test cases & results — "what was actually executed and what was the outcome?"
  • Bug records — "what defects were found and what happened to them?"
  • Screenshots & evidence — "show me proof of the result, not just the claim."
  • Summary & sign-off — "who approved this release, on what build, on what date?"

A pack that is missing any of the five branches is incomplete and will fail an audit on that gap alone.

Organising the pack

The pack lives somewhere — typically a folder structure with consistent naming, optionally exported as a PDF for archival. A workable structure for a healthcare appointment-booking application:

TestEvidence/
  ReleaseR-2026.05/
    01_TestPlan/
      test-plan_v1.2.pdf
    02_TestCases/
      test-cases_export_2026-05-04.csv
    03_ExecutionLog/
      execution-log_R-2026.05.xlsx
    04_BugReports/
      bugs_export_2026-05-04.csv
    05_Screenshots/
      TC-101_login-pass.png
      TC-204_booking-cancellation_FAIL.mp4
      ...
    06_SummaryReport/
      test-summary_R-2026.05.pdf
    07_TraceabilityMatrix/
      traceability_v1.0.xlsx
    08_SignOff/
      tester-signoff_signed.pdf
      release-approval_signed.pdf

The numbering makes the order obvious; the dates fix every artefact to a specific release. An auditor can navigate the structure without anyone walking them through it. Use the same structure for every release and the audit conversation goes from a half-day exercise to a 30-minute review.

Screenshots as audit-quality evidence

Screenshots are the most-undervalued evidence type. Three habits raise their value:

  • Annotate them. A red box around the relevant area, a one-sentence caption ("Cart total displays £19.99 — matches expected"). Annotated screenshots survive context drift; raw ones do not.
  • Tie each to a test case ID. File names like TC-101_step-3_login-success.png link the visual evidence back to the case it proves. An auditor can pick any test case and find the matching screenshot in seconds.
  • Capture the environment in the shot. The browser URL bar, the test account, a timestamp — all visible in the screenshot. Out-of-band metadata can be challenged; in-shot metadata cannot.

A 30-second annotation per screenshot saves hours of "what does this prove?" conversations later.

Storing and exporting

Where the pack lives matters as much as what it contains:

  • Test management tools (Jira + Xray, TestRail, Zephyr) keep cases, results, and bugs in a queryable, searchable system. Best for live work.
  • PDF exports at release time freeze the pack into an immutable artefact. Best for compliance handover.
  • Version control (a Git repository for the pack folder) maintains an audit trail of who changed what and when. Best for the regulated environments where the changes themselves need to be auditable.

Most teams use all three: live work in the test management tool, PDF export for the customer or auditor, and a Git-archived copy for long-term retention.

"We tested it" vs proving you tested it

The single biggest mental shift in evidence-pack work is realising that doing the testing and proving you did the testing are two different jobs. The first job has always been the tester's. The second is comparatively new for many teams, and the friction comes from skipping it for years and then needing it on short notice. Build the proof as you go — it costs roughly 10% extra effort during testing and avoids 100× that cost when an auditor or enterprise customer asks for it on a deadline.

⚠️ Common mistakes

  • Treating evidence as a separate, end-of-project task. Building the pack at the end is a week of pain. Building it incrementally during the work is a few minutes per artefact and produces a higher-quality result.
  • Storing evidence without metadata. A folder of unnamed PNGs is not evidence; it is a screenshot dump. Every artefact must be linked to a test case ID, a date, and a build version.
  • Skipping sign-off documents. A pack without "I, the tester, certify these results on this date" sheets is missing the human accountability layer that turns a pile of files into a real audit trail.

🎯 Practice task

Spend 30 minutes building the bones of a starter evidence pack.

  1. Pick a recent feature you tested. Create a folder structure on your local machine matching the eight numbered subfolders above.
  2. Populate each folder with the artefacts you already have — exports of test cases, bug tickets, screenshots, the test plan, the test summary.
  3. Identify gaps: which folders are empty? Which artefacts you wish you had captured? Note the changes you would make to your testing workflow to capture them next time.
  4. Generate a single PDF of the whole pack (most file managers can do this on macOS via "Quick Actions"; on Windows, print-to-PDF in sequence). Notice how much heavier the pack feels as a single bundled artefact than as scattered files.
  5. The first time you complete a real release with this discipline, the saving on the next audit conversation will more than repay the time invested in the workflow.
qa.codes/learn/manual-software-testing/test-evidence-pack

// tip to track lessons you complete and pick up where you left off across devices.