What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that access rights are formally provisioned, reviewed, modified, and removed according to access control rules.
Evidence to request
| Evidence | Purpose |
|---|---|
| Access request and approval records | Shows rights were authorized |
| Access rights register | Shows current access is known |
| System access exports | Allows comparison with authorization |
| Access review records | Shows rights are periodically checked |
| Removal tickets | Shows excess rights are corrected |
| Joiner/mover/leaver records | Shows access follows personnel events |
| Privileged access reviews | Shows elevated rights are controlled |
| Shared credential records | Shows shared access is controlled |
| Physical access records | Shows non-logical access is included |
| Group/subscription membership reviews | Shows indirect access is reviewed |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Access rights are traceable from request to approval to implementation.
- Actual access is compared to authorized access.
- Reviews cover logical, physical, privileged, group, subscription, and third-party access where relevant.
- Mover access is removed and added promptly.
- Leaver access removal is evidenced.
- Shared credentials are changed when users no longer need access.
- Review findings result in completed corrections.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Access granted informally.
- Reviews do not test business need.
- Movers retain old access.
- Leavers keep group memberships or physical access.
- Shared passwords are unchanged after departure.
- Delayed provisioning drives credential sharing.
- No evidence that review findings were remediated.
Sample interview questions
- How do you request access to a system?
- Who approves access rights?
- How are movers handled?
- How are leaver rights removed?
- How often are access rights reviewed?
- What happens when review finds unnecessary access?
- Are shared credentials used, and when were they last changed?
Common nonconformities
- Access rights not formally approved.
- Actual access does not match authorization.
- Access reviews not performed.
- Reviews do not include privileged or physical access.
- Mover access not removed.
- Leaver access remains active.
- Shared credentials not changed after users leave.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 18
Note Metadata
Aliases: A.5.18 Evidence
Source: 04 Audit Evidence Packs/A.5.18 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.