UnixTime

Research Note

A.8.34 Audit Evidence Pack

- Operational testing is planned before execution. - Scope, tools, timing, contacts, and stop criteria are documented. - Appropriate management authorizes the activity. - Tool u...

On this page

What the auditor wants to verify

Audit objective

Verify that audit tests and assurance activities on operational systems are planned, agreed, authorized, logged, and protected.

Evidence to request

Evidence Purpose
Audit testing plan Shows scope and safeguards
Management authorization Shows operational agreement
Rules of engagement Shows tester limits
Tool approval/validation record Shows tools are controlled
Access and activity logs Shows traceability
Stop/escalation criteria Shows disruption control
Audit result access controls Shows findings are protected
Independence record Shows assurance objectivity considered

Strong evidence

  • Operational testing is planned before execution.
  • Scope, tools, timing, contacts, and stop criteria are documented.
  • Appropriate management authorizes the activity.
  • Tool use and access are logged.
  • Audit results are stored with restricted access.
  • Independence is documented where relevant.

Weak evidence

  • Production scans occur without written approval.
  • Tool use is not logged.
  • No stop criteria or escalation contacts exist.
  • Results are stored in open folders.
  • Audit testing changes data without explicit approval.

Sample interview questions

  • How are operational system audit tests approved?
  • Who agrees the scope and timing?
  • What tools are allowed?
  • How is disruption minimized?
  • How are audit results protected?
  • How is independence considered?

Common nonconformities

  • Testing scope is not agreed.
  • Operational management has not authorized testing.
  • Audit tools are uncontrolled.
  • Access and tool use are not logged.
  • Audit outputs are not protected.