UnixTime

Research Note

A.5.33 Audit Evidence Pack

The auditor wants to confirm that required records are identified, retained, protected from loss/alteration/unauthorized access/release, reviewed, accessible through retention,...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that required records are identified, retained, protected from loss/alteration/unauthorized access/release, reviewed, accessible through retention, and disposed of securely.

Evidence to request

Evidence Purpose
Records inventory Shows the control can be verified
Retention schedule Shows the control can be verified
Annual records inventory check Shows the control can be verified
Access control records Shows the control can be verified
Backup/restore or archive test records Shows the control can be verified
Secure disposal records Shows the control can be verified
Media/key availability review Shows the control can be verified

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Records inventory lists record type, owner, location, retention period, legal/contractual source, protection requirement, and disposal rule.
  • Annual documented inventory checks confirm required records still exist and are accessible.
  • Access controls, backups, integrity protections, and logging protect records from loss, falsification, unauthorized access, and unauthorized release.
  • Long-term records have format, software, reader, media, and cryptographic key availability considered.
  • Scanned or electronic records have legal admissibility and integrity requirements reviewed where relevant.
  • Secure disposal records show approved destruction after retention or documented legal hold.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Records are kept in shared folders without ownership or retention rules.
  • Retention periods are guessed or copied from old practice without legal review.
  • Electronic records are encrypted but key retention is not planned.
  • Old media or file formats are retained but no one can read them.
  • Inventory checks are informal or not documented.
  • Disposal happens manually without approval or evidence.

Sample interview questions

  • Which records must be retained and why?
  • How are retention periods determined and reviewed?
  • How do you protect records from alteration or unauthorized release?
  • How do you know old records will remain readable until retention ends?
  • Show the latest documented records inventory check.

Common nonconformities

  • Records inventory omits key business or security records
  • Long-term records become unreadable
  • Encryption keys are not retained for encrypted archives
  • Records are editable without integrity control
  • Retention and disposal are unmanaged
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 33

Note Metadata

Aliases: A.5.33 Evidence

Source: 04 Audit Evidence Packs/A.5.33 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.