What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that required records are identified, retained, protected from loss/alteration/unauthorized access/release, reviewed, accessible through retention, and disposed of securely.
Evidence to request
| Evidence | Purpose |
|---|---|
| Records inventory | Shows the control can be verified |
| Retention schedule | Shows the control can be verified |
| Annual records inventory check | Shows the control can be verified |
| Access control records | Shows the control can be verified |
| Backup/restore or archive test records | Shows the control can be verified |
| Secure disposal records | Shows the control can be verified |
| Media/key availability review | Shows the control can be verified |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Records inventory lists record type, owner, location, retention period, legal/contractual source, protection requirement, and disposal rule.
- Annual documented inventory checks confirm required records still exist and are accessible.
- Access controls, backups, integrity protections, and logging protect records from loss, falsification, unauthorized access, and unauthorized release.
- Long-term records have format, software, reader, media, and cryptographic key availability considered.
- Scanned or electronic records have legal admissibility and integrity requirements reviewed where relevant.
- Secure disposal records show approved destruction after retention or documented legal hold.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Records are kept in shared folders without ownership or retention rules.
- Retention periods are guessed or copied from old practice without legal review.
- Electronic records are encrypted but key retention is not planned.
- Old media or file formats are retained but no one can read them.
- Inventory checks are informal or not documented.
- Disposal happens manually without approval or evidence.
Sample interview questions
- Which records must be retained and why?
- How are retention periods determined and reviewed?
- How do you protect records from alteration or unauthorized release?
- How do you know old records will remain readable until retention ends?
- Show the latest documented records inventory check.
Common nonconformities
- Records inventory omits key business or security records
- Long-term records become unreadable
- Encryption keys are not retained for encrypted archives
- Records are editable without integrity control
- Retention and disposal are unmanaged
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 33
Note Metadata
Aliases: A.5.33 Evidence
Source: 04 Audit Evidence Packs/A.5.33 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.