UnixTime

Research Note

A.5.36 Audit Evidence Pack

The auditor wants to confirm that compliance with information security policies, rules, and standards is regularly reviewed through management and technical checks, with finding...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that compliance with information security policies, rules, and standards is regularly reviewed through management and technical checks, with findings tracked to effective remediation.

Evidence to request

Evidence Purpose
Compliance review plan Shows the control can be verified
Management review/spot-check records Shows the control can be verified
Technical compliance check records Shows the control can be verified
Testing authorization records Shows the control can be verified
Tool control records Shows the control can be verified
Finding/action/retest records Shows the control can be verified

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Compliance review plan covers policies, rules, standards, management areas, technical systems, frequency, method, and owner.
  • Management reviews or spot checks show policy compliance in each area of responsibility.
  • Technical compliance checks cover relevant systems and are performed by competent authorized personnel.
  • Testing tools are controlled, approved, and scoped to prevent misuse or accidental testing of wrong systems.
  • Findings trace to root cause, corrective action, implementation evidence, and effectiveness verification.
  • Patterns are reviewed to find similar issues elsewhere.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Compliance review is only an annual attestation.
  • Technical checks are informal and not risk-based.
  • Scanning or testing tools are available to unauthorized users.
  • Findings are tracked in spreadsheets without closure evidence.
  • Root cause is not analyzed and similar issues are not checked elsewhere.
  • Managers cannot show how they review compliance in their own areas.

Sample interview questions

  • How do managers review compliance in their areas?
  • Which technical compliance checks are scheduled and why?
  • Who is authorized to run technical tests or tools?
  • Show a finding from review through corrective action and retest.
  • How do you look for similar issues elsewhere?

Common nonconformities

  • Managers do not review compliance in their areas
  • Technical checks are not performed by competent authorized personnel
  • Security testing tools are uncontrolled
  • Findings are not traceable to action and retest
  • Patterns are not analyzed