What the auditor wants to verify
Audit objective
This is the core audit assertion. Evidence should prove design, implementation, and operation.
The auditor wants to confirm that operating procedures for information processing facilities are documented, controlled, current, available to personnel who need them, and used in practice.
Evidence to request
| Evidence | Purpose |
|---|---|
| Operating procedure register | Shows the control can be verified |
| Approved operating procedures | Shows the control can be verified |
| Version/change control records | Shows the control can be verified |
| Procedure access evidence | Shows the control can be verified |
| Operator interview evidence | Shows the control can be verified |
| Supplier procedure/service documentation | Shows the control can be verified |
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control operated for real cases.
- Operating procedure register lists procedures, owners, approvers, users, scope, version, review date, and storage location.
- Procedures cover relevant day-to-day and infrequent operational activities.
- Procedure documents have version control, approval, change history, and access protection.
- Personnel can find the current approved procedure and explain when to use it.
- Supplier or outsourced operating procedures are available and aligned with contracts/service requirements.
- Compliance checks show procedures are followed and bypasses are identified.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation or effectiveness.
- Procedures exist but are scattered across chats, personal folders, or old wikis.
- Operators rely on experienced staff rather than documented steps.
- No version control or approval is applied to procedure changes.
- Obsolete procedures remain accessible.
- Supplier procedures are assumed but not available or reviewed.
- Staff cannot identify the current procedure for critical tasks.
Sample interview questions
- Which operational activities require documented procedures?
- How are operating procedures approved and version controlled?
- Can operators find the latest approved procedure?
- How are supplier/outsourced procedures controlled or referenced?
- How do you verify procedures are followed?
Common nonconformities
- Procedures are undocumented or tribal
- Procedure changes are uncontrolled
- Latest versions are not accessible
- Procedures are too complex or unclear
- Outsourced operations lack documented procedures
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A5 37
Note Metadata
Aliases: A.5.37 Evidence
Source: 04 Audit Evidence Packs/A.5.37 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.