UnixTime

Research Note

A.6.6 Audit Evidence Pack

The auditor wants evidence that agreements reflect actual confidentiality requirements and are legally usable where needed.

On this page

What the auditor wants to verify

Audit objective

Verify that confidentiality/NDA needs are identified, documented, reviewed, and signed before access to confidential information.

The auditor wants evidence that agreements reflect actual confidentiality requirements and are legally usable where needed.

Evidence to request

Evidence Purpose
Confidentiality requirement analysis Shows when agreements are needed
Confidentiality agreement register Shows who signed what
NDA or confidentiality templates Shows documented agreement content
Signed and dated agreements Shows parties accepted obligations
Access approval records Shows signing happened before access
Legal review records Shows enforceability was considered
Review schedule Shows agreements are periodically reviewed
Supplier/customer confidentiality clauses Shows external exchange is covered
Exception records Shows gaps are known and treated

Strong evidence

Strong evidence test

Strong evidence connects agreement need, signed party, date, access timing, information type, legal review, and review status.

  • Agreement needs are based on legal, contractual, risk, asset, classification, and information-exchange requirements.
  • Agreements are signed and dated before access or exchange.
  • Different agreement types cover employees, contractors, suppliers, partners, visitors, or other parties as needed.
  • Legal review confirms enforceability where appropriate.
  • Agreements are reviewed when requirements or relationships change.
  • Register tracks parties, agreement type, covered information, date, evidence location, and review date.

Weak evidence

Weak evidence warning

Weak evidence shows a template exists but not that it is used correctly.

  • One generic NDA with no requirements analysis.
  • Agreement signed after information was shared.
  • No register of signed agreements.
  • No legal review.
  • Suppliers or partners exchange information without confidentiality terms.
  • Agreement content is stale or mismatched to current information flows.

Sample interview questions

  • How are confidentiality agreement requirements identified?
  • How is enforceability reviewed?
  • How often are templates and clauses reviewed?

Ask HR, procurement, or business owners

  • How do you confirm an NDA is signed before access?
  • Which parties require confidentiality agreements?
  • How are supplier or partner agreements tracked?

Ask information owners

  • Which information types require confidentiality terms before sharing?
  • How do classification or asset valuation results affect NDA requirements?

Common nonconformities

  • No documented process to identify NDA requirements.
  • Agreements signed after access.
  • No register of signed agreements.
  • No regular review.
  • No legal enforceability review where needed.
  • External parties receive confidential information without appropriate terms.
  • NDAs not aligned to classification, legal, contractual, or risk requirements.