UnixTime

Research Note

A.5.18 Audit Evidence Pack

The auditor wants to confirm that access rights are formally provisioned, reviewed, modified, and removed according to access control rules.

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that access rights are formally provisioned, reviewed, modified, and removed according to access control rules.

Evidence to request

Evidence Purpose
Access request and approval records Shows rights were authorized
Access rights register Shows current access is known
System access exports Allows comparison with authorization
Access review records Shows rights are periodically checked
Removal tickets Shows excess rights are corrected
Joiner/mover/leaver records Shows access follows personnel events
Privileged access reviews Shows elevated rights are controlled
Shared credential records Shows shared access is controlled
Physical access records Shows non-logical access is included
Group/subscription membership reviews Shows indirect access is reviewed

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Access rights are traceable from request to approval to implementation.
  • Actual access is compared to authorized access.
  • Reviews cover logical, physical, privileged, group, subscription, and third-party access where relevant.
  • Mover access is removed and added promptly.
  • Leaver access removal is evidenced.
  • Shared credentials are changed when users no longer need access.
  • Review findings result in completed corrections.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Access granted informally.
  • Reviews do not test business need.
  • Movers retain old access.
  • Leavers keep group memberships or physical access.
  • Shared passwords are unchanged after departure.
  • Delayed provisioning drives credential sharing.
  • No evidence that review findings were remediated.

Sample interview questions

  • How do you request access to a system?
  • Who approves access rights?
  • How are movers handled?
  • How are leaver rights removed?
  • How often are access rights reviewed?
  • What happens when review finds unnecessary access?
  • Are shared credentials used, and when were they last changed?

Common nonconformities

  • Access rights not formally approved.
  • Actual access does not match authorization.
  • Access reviews not performed.
  • Reviews do not include privileged or physical access.
  • Mover access not removed.
  • Leaver access remains active.
  • Shared credentials not changed after users leave.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 18

Note Metadata

Aliases: A.5.18 Evidence

Source: 04 Audit Evidence Packs/A.5.18 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.