What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that employees, contractors, third-party users, and other relevant parties return organizational assets when employment, contract, agreement, or role changes end their need for those assets.
Evidence to request
| Evidence | Purpose |
|---|---|
| Offboarding procedure | Shows asset return process is defined |
| Employment, contractor, or supplier agreement | Shows return obligations are contractual |
| Asset assignment records | Shows what should be returned |
| Asset return checklist | Shows return process is consistently performed |
| Leaver and mover records | Shows terminations and role changes trigger review |
| Secure erase confirmation | Shows organizational information removed from non-organizational equipment |
| Knowledge transfer records | Shows business information is retained |
| Missing asset escalation records | Shows exceptions are tracked |
| HR/IT/facilities workflow records | Shows coordinated return process |
| Inventory update records | Shows returned or disposed assets are reflected |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Offboarding workflow checks all assigned assets.
- Return records cover equipment, cards, keys, media, documents, software, and information.
- Contractors and third-party users are included.
- Role changes trigger asset review.
- BYOD or third-party equipment data removal is covered by agreement and evidence.
- Missing assets are escalated and tracked.
- Inventory is updated after return, reassignment, or disposal.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Process only recovers laptops.
- No records for documents, cards, keys, media, or information.
- Contractors handled informally.
- Role changes ignored.
- No secure erase process for non-organizational devices.
- Missing assets not escalated.
- Inventory not updated.
Sample interview questions
Ask HR or people operations
- How do you trigger asset return for leavers and movers?
- Are contractors and third-party users covered?
- How is the process tracked to completion?
Ask IT or facilities
- How do you know which assets a person has?
- How are missing assets escalated?
- How is the inventory updated after return?
- How do you handle access cards, keys, and tokens?
Ask managers
- How do you ensure knowledge and documents are transferred before departure?
- How do role changes trigger return of assets no longer needed?
Common nonconformities
- No asset return procedure.
- No link to asset inventory.
- Contractors or third parties excluded.
- Role changes do not trigger return.
- Organizational information remains on personal or third-party devices.
- Missing assets not tracked.
- Inventory not updated after return or disposal.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 11
Note Metadata
Aliases: A.5.11 Evidence
Source: 04 Audit Evidence Packs/A.5.11 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.