Track which audit fields each questionnaire asks about
Every completed vendor security questionnaire ([Answer vendor security questionnaires from your own evidence](/tutorials/answer-vendor-security-questionnaires-from-your-own-evidence)) is also a **signal about what buyers care about** — tag each one with which Auxot surfaces and audit-log fields it actually touched, roll the tags up over time, and let the resulting **frequency table** reorder your next audit narrative ([Build an audit narrative from your logs](/tutorials/build-an-audit-narrative-from-your-logs)) and trust packet ([Bundle a customer trust packet from your audit evidence](/tutorials/bundle-a-customer-trust-packet-from-your-audit-evidence)) so the hottest fields land first.
Plus: three Admin-Agent passes — tag a completed questionnaire with the Auxot surfaces it touched, roll a quarter of tagged questionnaires into a frequency table (must-cover vs. nice-to-have vs. one-off), and propose the **reordered section list** for the next narrative based on the frequency table.
| Audience | Admins · Executives |
|---|---|
| Time | ~10 min |
| Prerequisites | At least one completed vendor questionnaire on file ([Answer vendor security questionnaires from your own evidence](/tutorials/answer-vendor-security-questionnaires-from-your-own-evidence)). Comfortable with context files ([Add your first context file](/tutorials/add-your-first-context-file)) as the place the running log lives. Helpful: the narrative + packet downstream ([Build an audit narrative from your logs](/tutorials/build-an-audit-narrative-from-your-logs), [Bundle a customer trust packet from your audit evidence](/tutorials/bundle-a-customer-trust-packet-from-your-audit-evidence)) so you know which artifacts the frequency table reshapes. |
| You'll end up with | A **running questionnaire log** in a context file with: questionnaire ID, buyer industry, date, and a tagged list of Auxot surfaces touched (e.g. `audit-logs:jobs`, `subprocessors`, `retention-stance`, `soc2:cc6`). Plus a **dated frequency table** that ranks surfaces by frequency, ready to feed into the next narrative refresh. |
When a tutorial shows italic text in quotation marks, it usually mirrors a label or helper string inside Auxot. Product copy changes between releases — if something reads differently in your workspace, trust what you see on screen.
Callouts with a Worth knowing gold accent are meant as must-read context before you move on. Blockquotes that open with Tip are lighter, optional depth.
Why this matters
You spend hours answering security questionnaires. The polished answers go to the buyer. The structured insight — which parts of Auxot every buyer actually asks about — usually evaporates.
That’s the most expensive data loss in the whole compliance cycle. Without it, the next audit narrative (Build an audit narrative from your logs) leads with whatever you think matters. The next trust packet (Bundle a customer trust packet from your audit evidence) puts sections in the order you assumed. Both are guesses.
The fix is a five-minute tagging step at the end of every questionnaire: which Auxot surfaces did the buyer actually probe? Log it. Roll it up quarterly. Reorder your narrative + packet so the hottest sections land on page one instead of page five.
Over a quarter, patterns emerge: healthcare buyers always ask about retention. Fintech buyers always ask about subprocessors and SOC 2 CC6. Enterprise sales-org buyers always ask about Audit Logs visibility. None of this is a surprise once you see it — but most teams never collect the data because the questionnaire ships and the structured signal disappears with it.
This is not a sales asset. It’s an internal decision-support log: which sections of your evidence library are doing the most work, and which are gathering dust.
Nothing tags itself — you add the row at the end of each questionnaire, you roll up quarterly, you decide whether the frequency table reorders the next narrative or just informs it.
Quick start
- Set up the log — one context file:
questionnaire-tags.md(or whatever name fits). Columns: questionnaire ID, buyer name + industry, date sent, Auxot surfaces touched (tagged list), notable one-off asks. Empty rows are fine to start. - Tag the next completed questionnaire — Admin Agent power move 1: paste the questionnaire row excerpts + your answers; get a draft tag list (
audit-logs:jobs,subprocessors,soc2:cc6,retention, etc.); you approve before it lands in the log. - Standardize the tag vocabulary — first 3–5 questionnaires define the tag set. Don’t invent new tags every time. The vocabulary should be small (≤ 20 tags), aligned to your existing artifact sections (audit narrative section headers, SOC 2 controls, subprocessor categories).
- Quarterly roll-up — Admin Agent power move 2: roll the last quarter’s rows into a frequency table —
must-cover(appears in ≥80% of questionnaires),nice-to-have(30–79%),one-off(<30%). Date the frequency table. - Feed it back — Admin Agent power move 3: propose the reordered section list for the next narrative + cover-letter section for the next trust packet, leading with
must-covertags. You approve before the artifacts get refreshed.
Done? Three tagged questionnaires + one frequency table (even if early frequency tables are noisy). The pattern compounds — by quarter four, the frequency table tells you exactly which evidence to invest in maintaining vs. which to retire.
The agent can do that?
1. Tag a completed questionnaire
Chat → Admin Agent:
Questionnaire excerpts pasted: [paste the rows the buyer focused on, plus your answers — anonymize buyer name if needed]. Existing tag vocabulary in our context file: [paste current tag list]. Draft a tag list for this questionnaire — use existing tags where possible; propose new tags ONLY when no existing tag fits; flag any proposed-new tags explicitly with "NEW:" prefix so I can approve or merge them into an existing tag.
Why it’s non-obvious: Tag sprawl kills frequency tables. Forcing the agent to prefer existing tags + flag new ones for human approval keeps the vocabulary small and consistent across quarters. You still decide the vocabulary; the agent enforces discipline.
2. Quarterly roll-up
Tagged questionnaire rows pasted (last 90 days): [paste log slice]. Produce a frequency table — Tag | Count | % of questionnaires | Bucket (must-cover ≥80% / nice-to-have 30–79% / one-off <30%). Sort by % descending. Note any tags that moved buckets vs. the previous quarter — call those out explicitly.
Why it’s non-obvious: Bucket boundaries are arbitrary but useful. Quarter-over-quarter movement is the signal worth reading: a tag that moved from nice-to-have → must-cover means buyer patterns are shifting and your evidence library should follow.
3. Reorder downstream artifacts
Frequency table pasted: [paste latest frequency table]. Current audit narrative section order: [paste current section headers]. Current trust packet cover-letter section order: [paste current order]. Propose: (a) reordered section list for the next narrative refresh leading with must-cover tags, (b) reordered cover-letter outline for the next trust packet, (c) any narrative sections that have NOT been touched by any tagged questionnaire in 90 days — flag for review (retire, refresh, or accept as low-frequency-but-important).
Why it’s non-obvious: Narratives accrete sections over time. Without a frequency check, they get stale and bloated. The “no questionnaire touched this section in 90 days” flag is the prompt to either retire that section or remember why you still need it. You decide; the agent surfaces the question.
Go deeper
Buyer-name discipline
The log is internal — but don’t store buyer names in the tagged questionnaire entries unless your contract permits. Use industry + size + region instead (fintech / mid-market / EU) so the frequency table stays usable without violating any NDA. Pair with Plan for retention and deletion requests when in doubt.
Sales pattern hand-off
The frequency table is also useful to go-to-market teams — “every healthcare buyer asks about retention; lead with retention in healthcare-vertical pitches.” When that data leaves compliance, copy a redacted version into a sales context file (Add your first context file); don’t share the raw log.
Tag-vocabulary review
Once a year, review the tag vocabulary itself. Tags that never appear → retire. Tags that always appear → split into sub-tags so the frequency table stays informative (audit-logs → audit-logs:jobs, audit-logs:events, audit-logs:threads). Same discipline as quarterly review (Run a quarterly review of your agents) — calendar it.
Lost-deal frequency table
Bonus pattern: tag questionnaires from lost deals separately. If lost-deal questionnaires ask about a tag your won-deal questionnaires don’t, that’s an evidence gap the buyer’s procurement team flagged that you didn’t have a satisfying answer for. Quarterly look at lost-deal frequency table = product / compliance roadmap signal.
Spreadsheet variant
If your team prefers a spreadsheet over a markdown context file, the pattern that keeps the log safe is the DRAFT_ tab pattern: wire a Google Sheets MCP (Composio Google Sheets is the cleanest managed-OAuth path), then point the Admin Agent at a DRAFT_summary tab. The agent writes the proposed tag rows to the DRAFT_ tab. You review the rows, then copy them into the live Tags tab yourself. The live tab is the canonical log; the DRAFT_ tab is the review gate. See Use a DRAFT_ tab for agent spreadsheet writes for the full wiring (tool-policy shape, smoke test, operating note).
No spreadsheet MCP exposes a “draft cell” mode; once the agent calls a write tool, the cell is live. The DRAFT_ tab gives you the review step the cloud API doesn’t.
If the questionnaire data is sensitive (NDAs, buyer names), the offline-file model is the safer alternative: an Excel MCP that writes a local .xlsx your team merges into the canonical log manually. No cloud, no OneDrive, no Graph API in the loop.
Walkthrough
Step 1: Create the log context file
questionnaire-tags.md with a header row. Markdown table is fine; CSV is fine. Pick a format your team will actually maintain.
Step 2: Tag the next questionnaire
Power move 1. The first 3–5 entries define the tag vocabulary — go slow on these, write the tag list deliberately, then let the vocabulary stabilize.
Step 3: Quarterly roll-up
Power move 2. Calendar 30 minutes on the last Friday of each quarter. Same calendar slot as other quarterly reviews so it doesn’t slip.
Step 4: Reorder narrative + packet
Power move 3. The narrative + packet refreshes are the point of the frequency table — without this step, the table is just rows nobody reads.
Step 5: Tag-vocabulary review
Annual. Lighter touch — delete dead tags, split overloaded tags, document the vocabulary changes in the same context file.
What’s next
- → Answer vendor security questionnaires from your own evidence. Source — every completed questionnaire feeds one tagged row in your log.
- → Build an audit narrative from your logs. Consumer — section order re-orders based on quarterly frequency table.
- → Bundle a customer trust packet from your audit evidence. Consumer — cover letter outline re-orders based on quarterly frequency table.
- → Map your subprocessors for procurement. Frequency table tells you whether the subprocessor section needs refresh effort or stays as-is.
- → Build a SOC 2 control mapping for your Auxot deployment. Frequency table tells you which SOC 2 controls buyers actually ask about (often a small subset of the full control set).
- → Use a DRAFT_ tab for agent spreadsheet writes. The canonical wiring if your team prefers the log in a spreadsheet instead of a markdown context file.
- → Add your first context file. The log lives in a context file; refer here for context-file mechanics if you haven’t set one up before.
Reference
- Pages in Auxot: Chat, Settings → Context Files
- See also: Plan for retention and deletion requests, Run a quarterly review of your agents, Write the agent section of your customer-facing security page, Run an incident tabletop exercise