audit-evidence-collect

Audit Evidence Collection

Overview

Audit evidence collection is the systematic process of gathering sufficient, reliable, relevant, and useful information to support audit findings and conclusions. In privacy audits, evidence must demonstrate the degree of compliance with data protection regulations (GDPR, CCPA, HIPAA), internal policies, and industry standards. The quality of evidence directly determines the credibility and defensibility of audit conclusions.

ISO 19011:2018 defines audit evidence as "records, statements of fact, or other information which are relevant to the audit criteria and verifiable." The IIA Standards require that internal auditors "identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives" (Standard 2310).

Evidence Categories

Documentary Evidence

  • Policies and procedures: Data protection policies, privacy notices, retention schedules, breach response plans
  • Records: Processing activity records (Art. 30 ROPA), consent records, DSAR logs, DPIA reports, breach registers
  • Contracts: Data processing agreements (Art. 28), joint controller arrangements (Art. 26), standard contractual clauses
  • Training records: Attendance logs, completion certificates, training materials, competency assessments
  • Correspondence: DPA correspondence, data subject complaints, vendor communications

Testimonial Evidence

  • Interviews: Structured interviews with DPO, process owners, data stewards, IT administrators