UnixTime

Research Note

A.5.32 Audit Evidence Pack

The auditor wants to confirm that procedures protect intellectual property rights and that software, content, source code, libraries, and AI-generated material are used within a...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that procedures protect intellectual property rights and that software, content, source code, libraries, and AI-generated material are used within applicable rights and licence terms.

Evidence to request

Evidence Purpose
IP rights procedure Shows the control can be verified
Software/content licence inventory Shows the control can be verified
Licence reconciliation records Shows the control can be verified
Endpoint/server software sampling records Shows the control can be verified
Open-source/library licence review records Shows the control can be verified
AI-generated content review records Shows the control can be verified

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • IP handling procedures cover software, documents, source code, libraries, trademarks, designs, patents, subscription content, and AI-generated material.
  • Software and content inventories map licences to actual use, devices, users, restrictions, renewal dates, and evidence.
  • Periodic licence checks sample workstations, servers, cloud tools, and development environments.
  • Development contracts and support agreements define source-code and modification rights.
  • Open-source and third-party libraries are reviewed for licence obligations before use.
  • AI-generated content is reviewed for ownership, input rights, provider terms, confidentiality, and external-use approval.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Policy says respect copyright but has no operating procedure.
  • Software inventory exists but licence terms and actual installations are not reconciled.
  • Developers can add libraries without licence review.
  • AI-generated content is used externally without checking provider terms or source rights.
  • Subscription content is shared outside licence terms.
  • Staff are unaware that unauthorized copying can trigger legal action.

Sample interview questions

  • What rules tell staff how to handle copyrighted or licensed material?
  • Show how installed software is reconciled against licence rights.
  • How are development tools and libraries checked before use?
  • How are AI-generated outputs reviewed for ownership and source-rights risk?
  • Show a random endpoint/server sample and how licence compliance was verified.

Common nonconformities

  • Installed software exceeds purchased licence rights
  • Open-source licence obligations are ignored
  • AI-generated content ownership is assumed
  • Source-code rights are unclear in supplier contracts
  • Copyrighted training or subscription material is copied internally
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 32

Note Metadata

Aliases: A.5.32 Evidence

Source: 04 Audit Evidence Packs/A.5.32 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.