audit-evidence-collect

Audit Evidence Collection

Overview

Audit evidence collection is the systematic process of gathering sufficient, reliable, relevant, and useful information to support audit findings and conclusions. In privacy audits, evidence must demonstrate the degree of compliance with data protection regulations (GDPR, CCPA, HIPAA), internal policies, and industry standards. The quality of evidence directly determines the credibility and defensibility of audit conclusions.

ISO 19011:2018 defines audit evidence as "records, statements of fact, or other information which are relevant to the audit criteria and verifiable." The IIA Standards require that internal auditors "identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives" (Standard 2310).

Evidence Categories

Documentary Evidence

• Policies and procedures: Data protection policies, privacy notices, retention schedules, breach response plans
• Records: Processing activity records (Art. 30 ROPA), consent records, DSAR logs, DPIA reports, breach registers
• Contracts: Data processing agreements (Art. 28), joint controller arrangements (Art. 26), standard contractual clauses
• Training records: Attendance logs, completion certificates, training materials, competency assessments
• Correspondence: DPA correspondence, data subject complaints, vendor communications

Testimonial Evidence

• Interviews: Structured interviews with DPO, process owners, data stewards, IT administrators
• Declarations: Written statements from management regarding compliance posture
• Walkthroughs: Verbal explanations of processes during system demonstrations

Observational Evidence

• System walkthroughs: Live demonstrations of privacy controls in IT systems
• Physical inspection: Physical security controls, clean desk compliance, document handling
• Process observation: Real-time observation of DSAR handling, consent collection, breach triage

Analytical Evidence

• Data analysis: Consent rate analysis, DSAR response time metrics, breach statistics
• Trend analysis: Compliance metrics over time, training completion trends
• Benchmarking: Comparison against regulatory expectations or industry standards

Evidence Quality Criteria

Criterion	Definition	Application
Sufficiency	Enough evidence to support findings	Multiple evidence items per finding; corroboration
Reliability	Evidence is trustworthy and verifiable	Source independence, system-generated over self-reported
Relevance	Evidence relates to audit objectives	Direct link to audit criteria and control being tested
Usefulness	Evidence helps reach conclusions	Actionable, clear, and understandable by stakeholders

Sampling Approaches

Statistical Sampling

• Random sampling: Each item has equal probability of selection; suitable for large homogeneous populations
• Stratified sampling: Population divided into strata (e.g., by data category, department); samples drawn from each stratum
• Systematic sampling: Every nth item selected; useful for time-ordered records

Non-Statistical (Judgmental) Sampling

• Risk-based selection: Focus on high-risk processing activities, special category data, cross-border transfers
• Key item sampling: Select all items above a materiality threshold (e.g., all DPIAs for high-risk processing)
• Discovery sampling: Sample specifically to detect at least one instance of non-compliance

Evidence Documentation Standards

All evidence must be:

1. Labeled: Unique reference number, date collected, source, collector name
2. Stored securely: Encrypted storage with access controls appropriate to data sensitivity
3. Cross-referenced: Linked to specific audit objectives and findings
4. Time-stamped: Collection date and date of the evidence item
5. Authenticated: Screenshots include system timestamps; documents include version information

Chain of Custody

For evidence that may support regulatory enforcement or legal proceedings:

1. Document who collected the evidence, when, and from whom
2. Record all transfers of evidence between team members
3. Maintain integrity (hash values for digital evidence)
4. Restrict access to authorized audit team members only
5. Retain evidence per the audit evidence retention policy (typically 7 years for privacy audits)

Interview Best Practices

1. Prepare: Review available documentation before the interview; prepare targeted questions
2. Open-ended questions: Start with broad questions, then narrow to specifics
3. Corroborate: Verify interview statements against documentary or observational evidence
4. Document contemporaneously: Take notes during the interview; produce a summary within 24 hours
5. Validate: Share interview notes with the interviewee for confirmation of accuracy

Integration Points

• audit-remediation-program: Evidence supports finding documentation and remediation verification
• audit-follow-up-verify: Follow-up audits require new evidence collection to verify remediation
• ai-dpia: DPIA audits require specific evidence types (algorithmic impact assessments, fairness metrics)
• records-of-processing: ROPA serves as key documentary evidence in any privacy audit