ELI5: What is Evidence Collection?
When a detective investigates, they collect clues — fingerprints, photos, witness statements. During an audit, the inspectors gather similar proof (logs, settings, interviews) to show whether the security rules are really being followed.
Definition
Evidence collection is the process of gathering artifacts during an audit to support findings about whether controls are operating effectively. Evidence types include logs and reports (automated evidence), configuration screenshots and exported settings (technical evidence), policy and procedure documents (documentary evidence), interviews with responsible staff (testimonial evidence), and direct observation of processes (observational evidence). The quality and sufficiency of the evidence directly affect the strength of the audit's conclusions.
Key Details
- Auditors use a variety of evidence types because no single type is sufficient on its own
- Automated log evidence is more reliable than testimonial evidence because it is harder to falsify
- Evidence must be relevant (addresses the control being tested), sufficient (enough to support the finding), and reliable (from a trustworthy source)
- Chain of custody (a documented record of who handled each piece of evidence, when, and how) is important in forensic audits or investigations
- Exam tip: common evidence types tested on Security+ include logs, configuration files, policies, and interview/observation records
Connections
- Parent: audits-and-assessments — evidence collection is the core work product of the audit fieldwork phase
- See also: findings-and-remediation
- See also: internal-audit