UnixTime

Research Note

A.8.3 Audit Evidence Pack

- Access rules are approved by the information or application owner. - Role permissions are mapped to create/read/modify/delete/export/admin rights. - Application and database p...

On this page

What the auditor wants to verify

Audit objective

Verify that access to information, assets, application functions, databases, reports, exports, and dynamic support sessions is restricted according to the access control policy and business need.

Evidence to request

Evidence Purpose
Access control policy Shows the governing rules
Information/application access rule matrix Shows owner-approved role permissions
Application role configuration Shows technical enforcement
Database permission review Shows shared data paths are controlled
Classification and handling matrix Shows restriction matches sensitivity
Export/print/download settings Shows extracted information remains controlled
Maintenance utility access list Shows sensitive functions are restricted
Dynamic privilege/session records Shows temporary access is authorized and logged
Access review records Shows excessive access is found and removed

Strong evidence

  • Access rules are approved by the information or application owner.
  • Role permissions are mapped to create/read/modify/delete/export/admin rights.
  • Application and database permissions are consistent.
  • Restricted functions are hidden or unavailable to unauthorized users.
  • Export, print, and download controls match classification rules.
  • Dynamic privilege sessions have authorization, start/end time, logs, and review.

Weak evidence

  • Policy exists but role permissions are undocumented.
  • Default application roles are used without review.
  • Database permissions are broader than application roles.
  • Users can see restricted reports or functions.
  • Extracted information is not controlled after download or print.
  • Temporary support access has no approval, logging, or end time.

Sample interview questions

  • Who owns the access rules for this application or information set?
  • How do you decide who can read, modify, delete, export, or approve information?
  • Can another application or reporting tool access the same database?
  • What happens when users export or print sensitive information?
  • How are support sessions authorized and logged?
  • How do you confirm temporary access ended?

Common nonconformities

  • Access rules are not owner-approved.
  • Roles provide broader access than business need.
  • Shared databases bypass application controls.
  • Maintenance utilities are not restricted.
  • Sensitive exports are uncontrolled.
  • Dynamic privilege is not authorized, logged, or reviewed.
  • Audit
  • Evidence
  • A8 3
  • Iso27001

Note Metadata

Aliases: A.8.3 Evidence

Source: 04 Audit Evidence Packs/A.8.3 Audit Evidence Pack.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.