IT KORR Knowledge Center
Audit Evidence Collection Workbook
A workbook for mapping controls to evidence types, building a continuous collection cadence, and tracking evidence quality.
Mapping Controls to Evidence Types
Every control needs a defined evidence type before an audit period even begins. Waiting until the audit is scheduled to figure out what evidence proves a control is operating leaves gaps that cannot be retroactively filled.
- Policy controls — the current, approved policy document plus its version and approval history.
- Technical controls — system configuration exports or screenshots (e.g., MFA enforcement settings, encryption configuration, firewall rules).
- Process controls — records showing the process actually occurred (e.g., completed access review logs, ticket records for offboarding).
- Training controls — completion reports tied to individual employees and dates.
- Monitoring controls — log samples, alert records, or monitoring dashboard exports demonstrating ongoing detection activity.
Building a Continuous Collection Cadence
- Assign each evidence type an owner and a collection frequency (e.g., monthly access reviews, quarterly vendor reviews, continuous log retention).
- Automate evidence collection where possible (scheduled exports, ticketing system reports) rather than relying on manual screenshots taken once a year.
- Set calendar reminders or workflow triggers tied to the collection cadence, not to the audit date.
- Review the evidence log quarterly to catch gaps early, well before an audit is scheduled.
Evidence Quality Criteria
- Current — evidence reflects the present state of the control, not a snapshot from a prior audit cycle.
- Complete — evidence covers the entire in-scope population (all users, all systems), not a partial sample chosen after the fact.
- Tied to the specific audit period — dated evidence that falls within the period being audited, not before or after it.
- Traceable — evidence can be tied back to the specific control and control owner it supports.
Sample Evidence Log Structure
- Control ID / Name — the specific control or requirement the evidence supports.
- Evidence Type — policy, configuration export, log, training record, etc.
- Owner — the individual responsible for collecting and maintaining this evidence.
- Collection Frequency — how often this evidence is refreshed.
- Last Collected Date — the most recent date evidence was gathered and reviewed.
- Storage Location — where the evidence is stored and how it can be retrieved for an audit.
Related Resources
- Audit Evidence Collection — /knowledge-center/compliance/compliance-governance/audit-evidence-collection
- Compliance Documentation Best Practices — /knowledge-center/compliance/compliance-governance/compliance-documentation-best-practices