UnixTime

Research Note

A.5.34 Audit Evidence Pack

The auditor wants to confirm that privacy and PII requirements are identified, mapped, implemented, reviewed, and evidenced for all relevant PII holdings, roles, transfers, and...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that privacy and PII requirements are identified, mapped, implemented, reviewed, and evidenced for all relevant PII holdings, roles, transfers, and systems.

Evidence to request

Evidence Purpose
PII inventory Shows the control can be verified
Privacy requirements matrix Shows the control can be verified
Privacy/PII policy and procedures Shows the control can be verified
Role-specific privacy training records Shows the control can be verified
PII access review records Shows the control can be verified
PII transfer/supplier records Shows the control can be verified
Breach notification procedure Shows the control can be verified

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • PII inventory lists data categories, location, purpose, justification, retention, access roles, transfers, systems, suppliers, and jurisdictions.
  • Privacy requirements matrix maps laws, regulations, contracts, and client requirements to implemented controls and evidence.
  • Senior privacy accountability and operational responsibilities are assigned and understood.
  • Staff handling PII receive role-specific training and can explain responsibilities.
  • Access to PII is role-based, reviewed, and limited to job need.
  • Annual PII review verifies holdings, purpose, retention, access, transfers, and compliance with current requirements.
  • Breach notification obligations and procedures are documented and tested or exercised where appropriate.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • PII is discussed generally but no inventory exists.
  • The organization knows main customer databases but ignores spreadsheets, exports, logs, support tickets, backups, or supplier platforms.
  • Privacy policy exists but does not map to laws, contracts, systems, or controls.
  • Access to PII is broad or not reviewed.
  • Staff handling PII receive only generic security awareness.
  • New PII use cases are launched without approval or inventory updates.
  • Breach notification requirements are unclear.

Sample interview questions

  • Where is PII stored, processed, transmitted, and shared?
  • What laws, regulations, or contracts drive PII protection requirements?
  • Who is accountable for PII compliance?
  • Show a role with PII access and why access is needed.
  • How are new PII uses approved and added to the inventory?
  • What breach notification requirements apply?

Common nonconformities

  • PII inventory is incomplete
  • Purpose and retention are not justified
  • Access to PII is excessive
  • PII transfers are not tracked
  • Privacy requirement changes are not monitored
  • Breach notification obligations are unclear
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 34

Note Metadata

Aliases: A.5.34 Evidence

Source: 04 Audit Evidence Packs/A.5.34 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.