UnixTime

Research Note

A.5.4 Audit Evidence Pack

The auditor wants to confirm that managers actively require personnel to apply information security according to policies and procedures.

On this page

What the auditor wants to verify

Audit objective

This is the core audit assertion. Evidence should prove design, implementation, and operation.

The auditor wants to confirm that managers actively require personnel to apply information security according to policies and procedures.

Evidence to request

Evidence Purpose
Management responsibility statements Shows formal management duties
Meeting agendas/minutes Shows security discussed in routine management
Management communications Shows security expectations communicated
Training completion reports Shows managers ensure personnel complete training
Escalation records for non-completion Shows management follow-up
Phishing simulation results and follow-up Shows awareness remediation
Access review sign-offs Shows managers verify controls
Corrective action records Shows non-compliance addressed
HR/remedial training records Shows proportionate response
Performance objectives Shows security included in management expectations
Incident reporting records Shows managers support escalation
Staff interview evidence Shows management messages are understood
Exception approval records Shows managers do not allow informal bypasses

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control operated for real cases.

  • Managers can explain their security duties.
  • Security appears in recurring team or management meetings.
  • Managers track and follow up on training.
  • Non-compliance leads to coaching, training, or corrective action.
  • Senior staff follow the same rules as everyone else.
  • Employees say management treats security seriously.
  • Security reporting is encouraged and not punished.
  • Managers verify access and policy compliance.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation or effectiveness.

  • Managers say security is the security team’s job.
  • No security discussion in management routines.
  • Training non-completion not followed up.
  • Executives bypass security controls.
  • Violations are ignored.
  • Employees fear reporting incidents.
  • Management pressures staff to bypass controls.
  • No evidence managers enforce policies.

Sample interview questions

Ask managers

  • What are your information security responsibilities?
  • How do you ensure your team follows policies?
  • How do you know your team completed training?
  • What do you do if someone violates a procedure?
  • How do you communicate security expectations?
  • How do you handle reported incidents or weaknesses?
  • Are security objectives included in performance expectations?

Ask employees

  • Does your manager discuss security expectations?
  • What happens if someone violates a security procedure?
  • Are you encouraged to report incidents?
  • Do senior people follow the same security rules?
  • Do you feel security is treated as part of your job?

Ask security leadership

  • How do you ensure managers understand their responsibilities?
  • How do you track manager follow-up?
  • How are repeated non-compliances escalated?
  • How do managers contribute to security culture?

Common nonconformities

  • Managers unaware of security responsibilities.
  • Security not reinforced in daily work.
  • No follow-up on training or non-compliance.
  • Senior leaders have informal exceptions.
  • Managers encourage control bypassing for speed.
  • Security treated as IT-only.
  • No evidence managers support security culture.