UnixTime

Research Note

A.5.16 Audit Evidence Pack

The auditor wants to confirm that identities are uniquely registered where possible and managed through the full lifecycle: creation, authorization, change, review, disabling, d...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that identities are uniquely registered where possible and managed through the full lifecycle: creation, authorization, change, review, disabling, deletion, and exception handling.

Evidence to request

Evidence Purpose
Identity lifecycle procedure Shows joiner/mover/leaver process is defined
Joiner/mover/leaver records Shows personnel changes trigger identity updates
Account creation/deletion logs Shows provisioning and deprovisioning are logged
Authorization records Shows identities and access are approved
Live identity review records Shows orphaned identities are detected
HR-to-system reconciliation Shows accounts match active users
Shared identity register Shows shared identities are known
Shared identity risk assessments Shows exceptions are justified
Shared account usage logs Shows compensating accountability
Credential custody records Shows shared identity control is maintained

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Users have unique identities.
  • Joiner, mover, and leaver processes are documented and logged.
  • Leavers are disabled or removed promptly.
  • Live identities are reconciled against an authoritative source.
  • System privileges match documented authorizations.
  • Shared identities are rare, risk-assessed, authorized, logged, and reviewed.
  • Old identities are not reissued.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Shared accounts are common.
  • Accounts remain active after termination.
  • Identity creation is informal.
  • No reconciliation between HR and systems.
  • Privileges do not match authorization.
  • Mover process does not update identities or access.
  • Shared credentials are not changed when custody changes.
  • Old usernames are reused.

Sample interview questions

Ask identity administrators

  • What triggers identity creation and removal?
  • How are movers handled?
  • How do you reconcile live identities?
  • Are old identities ever reused?
  • Which shared identities exist and why?

Ask managers

  • How do you request identities for new staff?
  • How do you notify IT of role changes?
  • How do you confirm leaver access is removed?

Ask security or audit

  • How are orphaned accounts detected?
  • How are shared identities approved and reviewed?
  • How is accountability preserved for shared identities?

Common nonconformities

  • No documented identity lifecycle process.
  • Leavers not disabled promptly.
  • Mover changes not processed.
  • Shared accounts without risk assessment.
  • No periodic live identity review.
  • Accounts not matched to registered users.
  • Redundant identities reissued.
  • Admin and third-party identities excluded from review.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 16

Note Metadata

Aliases: A.5.16 Evidence

Source: 04 Audit Evidence Packs/A.5.16 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.