UnixTime

Research Note

A.5.37 Audit Evidence Pack

The auditor wants to confirm that operating procedures for information processing facilities are documented, controlled, current, available to personnel who need them, and used...

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that operating procedures for information processing facilities are documented, controlled, current, available to personnel who need them, and used in practice.

Evidence to request

Evidence Purpose
Operating procedure register Shows the control can be verified
Approved operating procedures Shows the control can be verified
Version/change control records Shows the control can be verified
Procedure access evidence Shows the control can be verified
Operator interview evidence Shows the control can be verified
Supplier procedure/service documentation Shows the control can be verified

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Operating procedure register lists procedures, owners, approvers, users, scope, version, review date, and storage location.
  • Procedures cover relevant day-to-day and infrequent operational activities.
  • Procedure documents have version control, approval, change history, and access protection.
  • Personnel can find the current approved procedure and explain when to use it.
  • Supplier or outsourced operating procedures are available and aligned with contracts/service requirements.
  • Compliance checks show procedures are followed and bypasses are identified.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Procedures exist but are scattered across chats, personal folders, or old wikis.
  • Operators rely on experienced staff rather than documented steps.
  • No version control or approval is applied to procedure changes.
  • Obsolete procedures remain accessible.
  • Supplier procedures are assumed but not available or reviewed.
  • Staff cannot identify the current procedure for critical tasks.

Sample interview questions

  • Which operational activities require documented procedures?
  • How are operating procedures approved and version controlled?
  • Can operators find the latest approved procedure?
  • How are supplier/outsourced procedures controlled or referenced?
  • How do you verify procedures are followed?

Common nonconformities

  • Procedures are undocumented or tribal
  • Procedure changes are uncontrolled
  • Latest versions are not accessible
  • Procedures are too complex or unclear
  • Outsourced operations lack documented procedures
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A5 37

Note Metadata

Aliases: A.5.37 Evidence

Source: 04 Audit Evidence Packs/A.5.37 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.