Evidence Preparation Guide

Audit Evidence Examples

Approval form signed by authorised personnel and/or system logs showing access granted.

Documentation of termination notice, system logs showing access revoked, and confirmation emails.


Review reports, sign-off by reviewer, and evidence of action taken on anomalies (if required).


Screen captures of system settings and documentation of approval process by stakeholders.



List of privileged users, comparison to approval records, and evidence of removed or modified access.

User access request forms, system logs showing the assignment of access to individual users, and evidence of periodic reviews of user access privileges.

Copies of signed service agreements, records of customer onboarding sessions, and documentation of service terms communicated via email or other formal channels.

Copies of the change management policy, change request forms with approvals, and logs of changes tracked through a change management system.

Network architecture diagrams, access control lists for development, test, and production environments, and system configuration logs showing enforced separation.

Code review logs, pull request histories from a version control system (e.g., Git), and documentation of peer review sign-offs.

Change request forms with documented approvals, deployment logs showing approval timestamps, and system logs enforcing the change management workflow.

Test plans and results, approval of testing outcomes, and records showing different levels of testing (e.g., unit, integration, user acceptance) based on the nature of the change.

Copies of the code of conduct, training attendance records, acknowledgment forms signed by employees, and disciplinary action logs for violations.

Data classification policy documents, records of employee training on data handling policies, and logs or reports showing adherence to retention and disposal schedules.

Confidential data register, data flow diagrams indicating data sources and storage locations, and audit logs tracking data collection and storage.


Data retention policy, retention schedule for various data types, and system configurations enforcing retention periods.

System access logs showing restricted access to confidential data, security policy documents, and role-based access control (RBAC) configuration files.

Quarterly vulnerability scan reports, records of scan scheduling and execution, and logs showing remediation of identified vulnerabilities.

Penetration test reports, engagement contracts with third-party security firms, and documentation of remediation actions based on penetration test findings.

Vulnerability management logs, classification of vulnerabilities based on risk, and records of vulnerability resolution with time stamps.



Network architecture diagrams showing firewall placements, firewall configuration logs, and reports of firewall rule changes and updates.

Anti-virus software installation logs, update logs showing that the software is current, and reports of any detected malware or security threats.

Security policies defining restrictions, system configurations enforcing security policies, and logs of security events related to malware or data leakage.

Database encryption policy, encryption configuration settings, and audit logs showing the encryption status of production databases.

Network configuration settings showing encryption protocols (e.g., TLS, VPN), encryption certificates, and logs confirming data in transit is encrypted.

Logs of automated alerts, incident response reports triggered by suspicious activities, and configuration settings of the alerting system (e.g., SIEM logs).

HR records showing background check results, confirmation of background checks completed before the employment start date, and vendor agreements for background check services.

Incident management policies, incident classification matrix, and documented procedures for incident reporting and escalation.


Incident response logs, post-incident reports, communication logs with stakeholders, and a classification report of incidents.



Incident response plan documentation, examples of past incident response actions, and approvals of the incident response plan.

Emergency response team rosters, communication logs from emergency response situations, and training records of emergency response personnel.

Documented annual review records of the incident response plan, change logs of updates made to the plans, and approval records of the updated plans.

Root cause analysis reports, action items and lessons learned documents, and change requests raised as a result of root cause analysis.



Board meeting minutes, agendas showing discussion points related to governance, and attendance records of Board members.

Copy of the Board Charter, records of Board members signing acknowledgment of their responsibilities, and Board meeting materials referencing the Charter.

Board meeting minutes showing discussions and decisions regarding system and data security, risk assessment reports presented to the Board, and annual review records of security policies.

Management responsibility matrices, monitoring logs showing ongoing review of controls, and periodic compliance reports submitted by management.

Policy review schedules, updated policy documents, sign-offs from policy owners, and records of changes made during the annual review process.

Incident tracking logs, root cause analysis reports, records of corrective actions, and audit trails showing the resolution of policy breaches and complaints.


Control framework documentation, annual control review reports, control owner sign-offs, and records of testing control effectiveness.



Acceptable use policy documents, employee acknowledgment records of the policy, and monitoring reports on policy adherence.


Security policy documents, risk assessments related to information security, and logs showing enforcement of security measures.

Vulnerability scan reports, vulnerability management policies, logs of vulnerability remediation, and prioritisation matrices for handling vulnerabilities.


Asset management policy, inventory of information assets, asset classification logs, and records of asset audits.



Access control policy documents, system access logs, records of periodic access reviews, and user access request forms.

Password policy documents, system configurations enforcing password complexity, and logs of password resets or updates.

Cryptography policy documents, encryption key management logs, system settings showing encryption enabled, and audit logs showing the use of encryption.

Inventory records of system assets, asset classification and tagging reports, and logs of inventory audits or updates.

Patch management policy, update logs showing OS versions and patch levels, and change management records documenting OS updates.

Data disposal policy documents, certificates of data destruction, system logs showing data wipe activity, and third-party service provider contracts for secure disposal.

Performance review forms, employee acknowledgment of the review, schedules of annual performance reviews, and signed documentation of review discussions.

Training materials, attendance records or certificates of completion for security awareness programs, and follow-up assessments or quizzes demonstrating understanding.

Risk assessment policy and procedure documents, records of completed risk assessments, and documented review of risk assessment outcomes.

Annual risk assessment reports, risk registers, meeting minutes discussing identified risks, and documentation of mitigation strategies implemented.

Fraud risk assessment documents, internal audit reports on fraud prevention controls, fraud incident reports, fraud risk considered as part of the organisation or department risk assessment.

Risk assessment documents, change management logs, risk impact analysis reports, and documentation of control testing after significant changes.

Risk mitigation plans, action items from risk assessment meetings, records of implemented controls or countermeasures, and progress tracking reports on mitigation efforts.

System architecture diagrams showing redundancy and availability zones, system failover tests, uptime monitoring reports, and service level agreements (SLAs) with cloud providers.

Backup logs showing successful daily backups, reports from backup software, and restoration tests confirming data recovery from backups.

Backup test logs, restoration test reports, and documentation showing recovery times and effectiveness of the restoration process.

Business continuity plan documents, scenario testing reports, records of stakeholder engagement meetings, and communication logs during BCP tests.


Disaster recovery plan documents, annual review logs, test results from disaster recovery drills, and updated versions of the DR plan showing changes.

Insurance policy documents, coverage summaries, and communication with insurance providers confirming coverage for adverse events.

Backup policy documents, logs showing adherence to backup frequency requirements, and audit trails of data restoration testing in compliance with the policy.

Load balancer configuration settings, system architecture diagrams showing the use of load balancers, traffic distribution logs, and uptime monitoring reports confirming balanced traffic.

Test results of business continuity plan drills, meeting minutes discussing test outcomes, improvement plans based on test findings, and documentation of the annual review.

Updated organisation chart, records of changes made to roles and reporting lines, approval records of the updated chart, and employee onboarding or offboarding records.


Job description documents, acknowledgment forms signed by employees, role definition approvals by HR or management, and performance review records linked to role requirements.

Policy and procedure documents, role and responsibility matrices, acknowledgment forms from employees, and documentation of policy training sessions.

Information security and privacy policy documents, employee training records, signed acknowledgment forms, and security-related communications (e.g., email updates, posters).

Signed employment contracts, offer letters, records of employee onboarding, and legal reviews of employment contracts for compliance.

Monitoring tool configuration settings, performance logs, capacity usage reports, security alert logs, and incident response records based on monitoring data.

System configuration showing auto-scaling settings, logs of processing capacity adjustments during peak demand, and reports on the effectiveness of auto-scaling.

Version control logs (e.g., Git), change request forms, rollback event logs, and code review documentation within the version control system.

Vendor risk assessment reports, vendor risk rating logs, meeting minutes discussing vendor risks, and action plans or mitigation strategies for high-risk vendors.

Third-party vendor risk management policy, vendor risk assessment criteria, vendor contracts reviewed for compliance, and audit reports on third-party risk evaluations.

Signed third-party agreements, service level agreements (SLAs), compliance requirement clauses within contracts, and records of vendor performance reviews.