UnixTime

Research Note

A.5.22 Audit Evidence Pack

The auditor wants to confirm that supplier security practices and service delivery are monitored, reviewed, evaluated, and changed through a controlled process.

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that supplier security practices and service delivery are monitored, reviewed, evaluated, and changed through a controlled process.

Evidence to request

Evidence Purpose
Supplier monitoring procedure Shows review process is defined
Supplier review calendar Shows reviews are planned
Service and security reports Shows supplier performance is monitored
Review records/minutes Shows reports are evaluated
Action and nonconformity logs Shows issues are followed up
Supplier change records Shows changes are assessed
Updated risk assessments Shows changes trigger reassessment
Contract variation records Shows agreements are updated
Supplier incident records Shows incidents are escalated
Supplier audit reports Shows audit rights are used where relevant

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • High-risk suppliers have named owners and scheduled reviews.
  • Reports are reviewed and actions are tracked.
  • Material changes trigger risk reassessment and approval.
  • Supplier incidents link to the organization’s incident process.
  • Nonconformities have corrective actions and follow-up.
  • Contract changes include security, legal, procurement, and business review where relevant.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Supplier reports are stored but not reviewed.
  • No supplier owner for monitoring.
  • Changes are accepted without risk review.
  • Incidents remain inside the supplier process.
  • SLA review ignores security practices.
  • No evidence that audit findings are resolved.

Sample interview questions

  • Who reviews supplier security and service reports?
  • How are supplier changes assessed before approval?
  • What happens when a supplier fails a security requirement?
  • How are supplier incidents escalated internally?
  • How are supplier audit findings followed up?

Common nonconformities

  • No ongoing supplier monitoring process.
  • Supplier reviews not performed.
  • Supplier changes not risk-assessed.
  • Supplier incidents not escalated.
  • Corrective actions not tracked.
  • Reviewers lack time or competence.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 22

Note Metadata

Aliases: A.5.22 Evidence

Source: 04 Audit Evidence Packs/A.5.22 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.