What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that conflicting duties and responsibilities have been identified and segregated, or that compensating controls exist where segregation is not practical.
Evidence to request
| Evidence | Purpose |
|---|---|
| Segregation of duties matrix | Shows identified conflicts |
| Risk assessment | Shows risks of unsegregated activities |
| Access role matrix | Shows incompatible access combinations |
| Workflow approval records | Shows request/approval/execution separation |
| Change management records | Shows independent review/approval |
| Privileged access records | Shows controlled admin access |
| Immutable log configuration | Shows activity records cannot be altered |
| Log review records | Shows independent review |
| Exception records | Shows risk-based compensating controls |
| Management review records | Shows oversight of exceptions |
| Holiday/coverage procedures | Shows independence is maintained during absence |
| Internal audit testing records | Shows verification of SoD and logs |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Documented SoD conflict matrix.
- Critical duties separated by workflow and role.
- Access governance prevents incompatible roles.
- Privileged activity is logged and independently reviewed.
- Logs cannot be altered by the people being monitored.
- Exceptions are approved, time-bound, risk-assessed, and monitored.
- Small organization compensating controls are documented and operating.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- No SoD analysis.
- One person can request, approve, implement, and review their own access.
- Admins can delete their own logs.
- Developers can push directly to production without review.
- Logs exist but nobody reviews them.
- Reviews performed by same person whose activity is reviewed.
- “Small team” used as excuse for no compensating controls.
- Exceptions have no expiry or review.
Sample interview questions
Ask process owners
- What duties are considered conflicting in this process?
- Who requests, approves, performs, and reviews the activity?
- What happens if one person is unavailable?
- How are exceptions approved and reviewed?
Ask IT administrators
- Can you modify or delete logs of your own activity?
- Who approves privileged access?
- Who reviews privileged activity?
- Can developers deploy directly to production?
Ask internal audit/security
- How do you test segregation of duties?
- What high-risk sequences of activity are monitored?
- How are missing or altered logs detected?
- How do you verify compensating controls?
Common nonconformities
- Conflicting duties not identified.
- Incompatible access not prevented or reviewed.
- No independent review of privileged activity.
- Logs not protected from tampering.
- Compensating controls absent or informal.
- Exceptions not risk-assessed.
- Temporary coverage arrangements break segregation.
- Audit lacks independence.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 3
Note Metadata
Aliases: A.5.3 Evidence
Source: 04 Audit Evidence Packs/A.5.3 Audit Evidence Pack.md