Audit evidence: what it is, what's strong, and when you have enough
Every finding stands on evidence, and every weak audit is weak because its evidence is. This guide covers what counts as audit evidence, what makes it strong or weak, how to judge when you have enough to conclude, and how to record it so a finding survives challenge. The regulation-specific guides then show what this evidence looks like for each regulation.
What counts as audit evidence
Audit evidence is anything that supports — or undercuts — a conclusion about whether a control operates as required. It comes in four forms (type: what it is; reliability):
Documentary: policies, procedures and records such as logs and tickets. Reliability: low–high (a policy is weak; a system log is strong).
Testimonial: what people tell you in interview. Reliability: lowest alone — a lead, not a conclusion.
Observational: what you see operating: live tasks, screen-shares, configuration. Reliability: medium–high.
Re-performance: results you reproduce yourself. Reliability: highest.
The reliability hierarchy — what evidence can bear weight
Evidence varies in how much weight it can carry. Reliability generally rises along this line, and a serious finding should rest near the strong end:
What someone says happens (testimonial) — weakest alone.
A document that says it should happen (a policy or procedure) — establishes intent, not practice.
A record showing it did happen on a real case (a log, a completed ticket) — evidence of operation.
The auditor observing it happen — first-hand, current.
The auditor re-performing it — strongest, depends on no one's word.
Two cross-cutting rules sharpen the hierarchy:
Auditor-obtained beats auditee-provided. Evidence you pull directly (a live directory export you ran) is more reliable than the same thing handed to you (a screenshot the auditee chose to send).
System-generated beats manually-maintained. An automatic log is harder to dress up than a spreadsheet someone keeps by hand.
Sufficiency vs. reliability — two different questions
These are distinct, and you need both:
Reliability is about quality — how much weight a single piece of evidence can bear (the hierarchy above).
Sufficiency is about quantity and corroboration — do you have enough, from enough angles, to conclude.
The practical test for sufficiency: would a reasonable, independent person, looking at the same evidence, reach the same conclusion? If yes, you have enough. If a colleague could look at your evidence and reasonably say "that doesn't prove it," you don't. In practice, sufficient usually means more than one independent source pointing the same way (corroboration — see audit techniques) and a sample sized to the risk (see risk-based auditing). A single clean document is rarely sufficient for anything that matters.
Insufficient
Conclusion: "Leaver access is revoked promptly — confirmed." Basis: the IT manager said so and showed a written procedure. Two pieces of evidence, both at the weak end (testimonial + policy), both asserting intent, neither showing a single real revocation. Insufficient and unreliable.
Sufficient
Conclusion: "Leaver access is NOT revoked within policy for a material share of leavers." Basis: a risk-weighted sample of 25 leavers, cross-checked between the HR list and a live directory export the auditor ran, showing 4 still active past their exit date. Corroborated (two independent sources), reliable (auditor-obtained, system-generated), sized to risk. Sufficient and reliable.
Record evidence so the finding survives challenge
Good evidence badly recorded is no evidence at all when the auditee pushes back six weeks later. For every piece, capture four things:
What the evidence was — the specific artefact.
Where it came from — the system, the person, the document and version.
When you obtained it — the date, because evidence is a snapshot in time.
What it showed — the specific result, with enough detail that someone else could locate the same thing and reach the same point.
Unrecorded
"Reviewed access logs — OK." Six weeks later, nobody can say which logs, from when, showing what. The finding (or the clean verdict) cannot be defended.
Well-recorded
"Active Directory user export, run by auditor 12 March 14:20, cross-checked against HR leaver list (rows 1–240, period Jan–Mar). Accounts for [4 IDs] enabled with last exit date 30+ days prior. Export and HR list retained in working papers ref AW-03." Locatable, dated, specific — bulletproof.
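The leaver-access cross-check from the "Sufficient" example above, written out as a small reconciliation that also emits the four-part evidence record. This is an added illustration, not code from the guide; the HR leaver list, the directory export and the working-paper reference AW-03 are constructed sample values.

```python
from datetime import date

# Constructed sample data for illustration; these are not real records.
HR_LEAVER_LIST = [                      # (employee id, exit date) from HR
    ("u1001", date(2024, 1, 15)),
    ("u1002", date(2024, 2, 1)),
    ("u1003", date(2024, 2, 20)),
    ("u1004", date(2024, 3, 5)),
    ("u1005", date(2024, 3, 9)),
    ("u1006", date(2024, 2, 5)),
]
DIRECTORY_EXPORT = [                    # (account id, enabled flag) from an export the auditor ran
    ("u1001", True), ("u1002", False), ("u1003", True),
    ("u1004", False), ("u1005", True), ("u1006", True), ("u2000", True),
]


def overdue_leavers(hr_leavers, directory_export, as_of, grace_days=30):
    """Cross-check: leavers whose account is still enabled grace_days or more after exit."""
    enabled = {account for account, is_enabled in directory_export if is_enabled}
    return sorted(
        (emp, (as_of - exit_date).days)
        for emp, exit_date in hr_leavers
        if emp in enabled and (as_of - exit_date).days >= grace_days
    )


def evidence_record(what, source, obtained, showed, ref):
    """The four things to capture for every piece of evidence, plus where it is retained."""
    return (f"What: {what} | Where: {source} | When: {obtained.isoformat()} | "
            f"Showed: {showed} | Retained: {ref}")


def leaver_access_check(as_of=date(2024, 3, 12), grace_days=30):
    """Run the reconciliation and write it up so someone else can locate the same result."""
    overdue = overdue_leavers(HR_LEAVER_LIST, DIRECTORY_EXPORT, as_of, grace_days)
    ids = ", ".join(emp for emp, _ in overdue)
    record = evidence_record(
        what="Directory user export cross-checked against HR leaver list",
        source=f"directory export run by auditor; HR leaver list, {len(HR_LEAVER_LIST)} rows",
        obtained=as_of,
        showed=f"{len(overdue)} of {len(HR_LEAVER_LIST)} leavers still enabled "
               f"{grace_days}+ days after exit: {ids}",
        ref="working papers ref AW-03",  # hypothetical reference, as in the guide's example
    )
    return overdue, record


if __name__ == "__main__":
    found, rec = leaver_access_check()
    print(rec)
```

The returned record is the "evidence" line of the finding; the two input lists are what gets retained under the reference.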
These evidence records feed straight into the findings in the audit report — the "evidence" line of a good finding is exactly this record, lightly edited. Capture it well during fieldwork and the report writes itself.
From fundamentals to a specific regulation
The principles here — types, reliability, sufficiency, recording — are universal. What changes regulation to regulation is which artefacts are the evidence: a record of processing for GDPR, an incident-report timeline for NIS2, a register of information for DORA. The per-regulation guides take this method and show exactly what to ask for and test for each one.
This guide explains the method. To apply it across a whole regulation — every obligation scored and traceable — see the audit checklists, each with a free Regulatory Compliance Matrix you can review before buying.