UnixTime

Research Note

A.5.21 Audit Evidence Pack

The auditor wants to confirm that ICT supply-chain risks are identified and managed, including inherited risks from subcontractors, cloud providers, support parties, hosting pro...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that ICT supply-chain risks are identified and managed, including inherited risks from subcontractors, cloud providers, support parties, hosting providers, and other dependencies.

Evidence to request

Evidence Purpose
ICT supply-chain risk register Shows dependencies are identified
Supplier risk assessments Shows inherited risks are evaluated
Subcontractor disclosures Shows delegated service parties are known
Service architecture descriptions Shows delivery dependencies
Agreement clauses Shows flow-down and notification obligations
Assurance reports/certifications Supports supplier control claims
Change notifications Shows supply-chain changes are monitored
Incident reports Shows supply-chain issues are escalated

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Critical ICT suppliers have recorded dependency information.
  • Risk assessment includes hosting, support, subcontractors, and data location.
  • Agreements require notification of material supply-chain changes.
  • High-risk supplier assurance is reviewed.
  • Supplier changes trigger reassessment.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Supplier review only covers the direct vendor.
  • No subcontractor or hosting visibility.
  • Contracts do not require supply-chain notifications.
  • Supplier changes are discovered informally.
  • No risk-based depth of review.

Sample interview questions

  • Which ICT suppliers are most critical?
  • Which subcontractors or hosting providers support those services?
  • How are material supplier changes notified and approved?
  • How are flow-down security obligations handled?
  • What assurance evidence is reviewed for critical ICT suppliers?

Common nonconformities

  • ICT supply-chain dependencies not identified.
  • Indirect supplier risk not assessed.
  • No subcontractor or platform change notification clause.
  • No review of supplier assurance.
  • No risk reassessment after supplier dependency changes.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 21

Note Metadata

Aliases: A.5.21 Evidence

Source: 04 Audit Evidence Packs/A.5.21 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.