Related control
| Audit test | Evidence to request | Pass criteria |
|---|---|---|
| Identify conflicting duties | SoD matrix, risk assessment, process documentation | Key conflicts documented |
| Confirm critical duties are segregated | Access workflows, change process, approval records | Sensitive tasks require separate approval/review |
| Confirm privileged activities are controlled | PAM records, admin logs, SIEM alerts | Admin activity is logged and reviewed |
| Confirm logs are protected | SIEM configuration, log retention settings, permissions | Users cannot alter their own logs |
| Confirm compensating controls | Exception records, monitoring evidence | Lack of segregation is risk-assessed and monitored |
| Confirm reviews are independent | Review records, reviewer role | Reviewer is not the person whose activity is reviewed |
| Confirm holiday/sickness coverage | Coverage plans, temporary access approvals | Temporary cover does not break independence |
| Confirm high-risk processes checked | Finance, access, change, supplier, backup processes | High-risk processes have checks and balances |
- ISO27001
- ISO27002
- Template
- Audit
- Sod
- A5 3
Note Metadata
Aliases: A.5.3 Audit Checklist
Source: 90 Templates/A.5.3 Audit Checklist.md