UnixTime

Research Note

A.7.9 Audit Evidence Pack

- Asset removal is authorized and logged. - Off-site assets are recorded with custodian, location, and review date. - Mobile devices are encrypted and managed. - Long-term loans...

On this page

What the auditor wants to verify

Audit objective

Verify that off-site assets are authorized, protected, tracked, periodically confirmed, returned, erased where needed, and risk-accepted where off-site protection is weaker.

Evidence to request

Evidence Purpose
Off-premises asset policy Shows removal rules are defined
Off-premises risk assessment Shows the risk profile was assessed
Asset removal authorization records Shows removal is approved
Off-site asset register Shows location, custodian, and accountability
Long-term loan attestations Shows ongoing possession is confirmed
MDM/encryption evidence Shows portable assets are protected
BYOD policy/enrollment records Shows personal-device access is controlled
Leaver asset return records Shows assets are recovered
Secure erase records Shows organizational data is removed before transfer/retention
Risk acceptance records Shows residual off-site risk is approved

Strong evidence

Strong evidence test

Strong evidence proves custody, authorization, protection, periodic confirmation, return, and accepted residual risk.

  • Asset removal is authorized and logged.
  • Off-site assets are recorded with custodian, location, and review date.
  • Mobile devices are encrypted and managed.
  • Long-term loans are periodically attested.
  • BYOD use is governed.
  • Leavers return equipment or data is securely erased.
  • Risk acceptance exists where off-site protection is weaker than on-site protection.

Weak evidence

Weak evidence warning

Weak evidence relies on trust instead of traceable asset custody.

  • Staff take assets home without records.
  • Asset inventory does not identify off-site assets.
  • No evidence confirms long-term loan assets still exist.
  • BYOD is informal.
  • Leaver records are incomplete.
  • Insurance exists but security conditions are unknown.

Sample interview questions

  • What assets may leave the premises?
  • Who authorizes off-site asset use?
  • How do you know where off-site assets are?
  • What controls protect laptops, phones, paper files, and removable media?
  • How is BYOD controlled?
  • What happens when a leaver has company assets at home?
  • Who accepts residual off-site risk?

Common nonconformities

  • Off-site asset risks not assessed.
  • Asset removal not authorized or logged.
  • Off-site register missing or incomplete.
  • Mobile/BYOD controls weak.
  • Long-term loans not periodically confirmed.
  • Leaver return process lacks evidence.
  • Residual risk not approved.
  • Iso27001
  • ISO27002
  • Audit
  • Evidence
  • A7 9

Note Metadata

Aliases: A.7.9 Evidence

Source: 04 Audit Evidence Packs/A.7.9 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.