What types of evidence should you be collecting when conducting audits?


A crucial element in performing an audit is the collection and evaluation of evidence.
Evidence is used to determine whether the process or control being audited is performing as expected. In this blog, we will be exploring how you can define what evidence is required
and what the most effective ways of gathering it are.


When planning and executing the audit, you must first consider the audit criteria for the area being audited. 
In other words, what does ‘acceptable’ look like?  This is determined by understanding what the requirement
is in the first place.

In general, we find there are three basic sources for defining audit criteria.  The first is where the organisation
is required to demonstrate that it is conforming with third party regulations or standards.  In the world of
information security, the clauses and control requirements within ISO 27001 provide the criteria against
which an organisation can be audited. 

The second source of audit criteria is where audits are typically used to assess conformance with an
organisation’s policies. Essentially, policy documents tell everyone what rules need to be followed and the
audit aims to assess whether they are.

The third source, again internally focused, relates to conformance with processes and procedures.  As an auditor
you need to know what the steps of the process or procedure are, so that it can be determined if they are being
followed.

So, once you have determined the requirements, how do you make objective assessments on whether the audit
criteria have been met or, in other words, are the controls or processes operating as required?

There are three basic ways of achieving this:

Through interview:  During the audit, you will be interviewing personnel who follow policy requirements, operate
the required controls or perform the processes that are within scope of the audit.  

During the interview, you need to ask questions to determine if the auditee understands the requirements
that are documented within the aforementioned policies and procedures. The interviewee should be able to
describe how the process is conducted or the control operated, and this should be in line with the documented
requirements.

Records:  You should look for evidence to verify that what has been said during the interview is actually what has
taken place / been implemented.  This could be in the form of a record to show that an event has taken place,
e.g. within a paper-based record or within computer logs.

Observation:  Evidence of conformance could also be observed within computer system configurations or a
particular physical state within a non-computer-based system.  It could also be an observation of human
behaviour, e.g. monitoring whether users lock screens when moving away from their desks.

So, in conclusion, you can use a form of triangulation to assess whether the audit criteria have been met, i.e.:

What you are told happens (interview)

What actually happened (records)

What is happening or is implemented (observation).
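As an added illustration, not part of the original post, the short Python script below triangulates the three evidence types for one control, an automatic workstation screen lock. The 10-minute policy threshold, the key=value configuration export format and the session log lines are all constructed assumptions rather than any real tool's output.

```python
import re
from dataclasses import dataclass, field

# Audit criterion, assumed from a hypothetical clear-screen policy: lock after <= 10 min idle.
MAX_IDLE_SECONDS = 600

@dataclass
class Finding:
    control: str
    evidence: dict = field(default_factory=dict)  # source -> what the auditor saw
    gaps: list = field(default_factory=list)      # one entry per non-conformance; empty = conforms

def check_interview(f, statement):
    """Interview: can the auditee state the documented requirement?"""
    m = re.search(r"(\d+)\s*min", statement)
    f.evidence["interview"] = statement
    if m is None or int(m.group(1)) * 60 > MAX_IDLE_SECONDS:
        f.gaps.append("interview: auditee does not describe the 10-minute requirement")

def check_observation(f, config_dump):
    """Observation: the timeout actually configured (constructed key=value export)."""
    settings = dict(line.split("=", 1) for line in config_dump.splitlines() if "=" in line)
    idle = int(settings.get("idle_lock_seconds", "0"))
    f.evidence["observation"] = f"idle_lock_seconds={idle}"
    if idle == 0 or idle > MAX_IDLE_SECONDS:
        f.gaps.append(f"observation: configured timeout {idle}s exceeds {MAX_IDLE_SECONDS}s")

def check_records(f, log_lines):
    """Records: do session logs show the lock firing in practice?"""
    locks = [line for line in log_lines if "event=session-lock" in line]
    f.evidence["records"] = f"{len(locks)} session-lock events in sampled log"
    if not locks:
        f.gaps.append("records: no session-lock events in the sampled log")

def audit_screen_lock(statement, config_dump, log_lines):
    """Triangulate all three evidence sources into one finding for the control."""
    f = Finding("clear screen: automatic workstation lock")
    check_interview(f, statement)
    check_observation(f, config_dump)
    check_records(f, log_lines)
    return f

# Constructed sample evidence, not captured from any real system.
INTERVIEW = "Screens lock automatically after 10 min; we never turn it off."
CONFIG = "# constructed endpoint config export\nidle_lock_seconds=900\nlock_on_suspend=true\n"
LOG = ["2024-03-04T09:12:03 ws01 sessiond: user=alice event=session-lock reason=idle",
       "2024-03-04T09:40:17 ws01 sessiond: user=alice event=session-unlock",
       "2024-03-04T11:02:51 ws01 sessiond: user=bob event=session-lock reason=idle"]
```

With the sample inputs the interview and the records both look fine, but the observed configuration (900 s) breaches the criterion, which is exactly the kind of gap that interviewing alone would miss.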

WANT TO LEARN MORE?

If you would like to explore how URM’s consultancy and training services can
benefit your organisation, we offer a ‘no obligation’ discussion with a senior
member of our consultancy team.  Please let us know the specific challenge
you are facing within our areas of expertise e.g. information security
(ISO 27001, PCI DSS), data protection (GDPR, DPA 2018), business continuity
(ISO 22301) and risk management so that we can arrange a discussion.