UnixTime

Research Note

A.8.19 Audit Evidence Pack

- Installation records link to approved changes. - Security, compatibility, and regression tests are retained. - Deployment was performed by authorized personnel. - Production i...

On this page

What the auditor wants to verify

Audit objective

Verify that software installation on operational systems is authorized, tested, logged, licence-valid, supportable, and recoverable.

Evidence to request

Evidence Purpose
Software installation procedure Shows installation process is defined
Change or release records Shows business justification and approval
Test and regression records Shows verification before production
Deployment or installation logs Shows what was installed and by whom
Backup and rollback evidence Shows fallback is possible
Licence entitlement records Shows use is authorized
Vendor support records Shows support is available where needed
Privileged access records Shows installation rights are controlled

Strong evidence

  • Installation records link to approved changes.
  • Security, compatibility, and regression tests are retained.
  • Deployment was performed by authorized personnel.
  • Production installation logs identify package/version, target, installer, and date/time.
  • Backup and rollback plans were prepared before change.
  • Licence entitlement and vendor support are confirmed.
  • Emergency changes have post-implementation review.

Weak evidence

  • Developers or administrators install directly into production without approval.
  • Test evidence is missing or informal.
  • Rollback depends on memory.
  • Licence and support status are assumed.
  • Source code or build tools are present on production without justification.
  • Installation logs are incomplete.

Sample interview questions

  • Who may install software on operational systems?
  • What approval is needed before installation?
  • How is regression testing performed?
  • How do you confirm licence and vendor support status?
  • How can the previous version be restored?
  • What happens if an emergency installation is required?

Common nonconformities

  • No formal procedure for production installation.
  • Installation privileges are excessive.
  • Unauthorized libraries or tools are installed.
  • Testing or rollback evidence is missing.
  • Licence/support status is not checked.
  • Production source code is not controlled.