UnixTime

Research Note

A.5.11 Audit Evidence Pack

The auditor wants to confirm that employees, contractors, third-party users, and other relevant parties return organizational assets when employment, contract, agreement, or rol...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that employees, contractors, third-party users, and other relevant parties return organizational assets when employment, contract, agreement, or role changes end their need for those assets.

Evidence to request

Evidence Purpose
Offboarding procedure Shows asset return process is defined
Employment, contractor, or supplier agreement Shows return obligations are contractual
Asset assignment records Shows what should be returned
Asset return checklist Shows return process is consistently performed
Leaver and mover records Shows terminations and role changes trigger review
Secure erase confirmation Shows organizational information removed from non-organizational equipment
Knowledge transfer records Shows business information is retained
Missing asset escalation records Shows exceptions are tracked
HR/IT/facilities workflow records Shows coordinated return process
Inventory update records Shows returned or disposed assets are reflected

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Offboarding workflow checks all assigned assets.
  • Return records cover equipment, cards, keys, media, documents, software, and information.
  • Contractors and third-party users are included.
  • Role changes trigger asset review.
  • BYOD or third-party equipment data removal is covered by agreement and evidence.
  • Missing assets are escalated and tracked.
  • Inventory is updated after return, reassignment, or disposal.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Process only recovers laptops.
  • No records for documents, cards, keys, media, or information.
  • Contractors handled informally.
  • Role changes ignored.
  • No secure erase process for non-organizational devices.
  • Missing assets not escalated.
  • Inventory not updated.

Sample interview questions

Ask HR or people operations

  • How do you trigger asset return for leavers and movers?
  • Are contractors and third-party users covered?
  • How is the process tracked to completion?

Ask IT or facilities

  • How do you know which assets a person has?
  • How are missing assets escalated?
  • How is the inventory updated after return?
  • How do you handle access cards, keys, and tokens?

Ask managers

  • How do you ensure knowledge and documents are transferred before departure?
  • How do role changes trigger return of assets no longer needed?

Common nonconformities

  • No asset return procedure.
  • No link to asset inventory.
  • Contractors or third parties excluded.
  • Role changes do not trigger return.
  • Organizational information remains on personal or third-party devices.
  • Missing assets not tracked.
  • Inventory not updated after return or disposal.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 11

Note Metadata

Aliases: A.5.11 Evidence

Source: 04 Audit Evidence Packs/A.5.11 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.