Audit evidence
Definition
Any information the auditor uses to draw conclusions about a control. To be acceptable, audit evidence must be sufficient (enough of it), appropriate (relevant and reliable), and obtained through a defined procedure. A scan report satisfies these conditions when it is authenticated (its origin and integrity can be verified), scoped (it covers exactly the systems the control is claimed to protect), and current (recent enough to reflect the control as it operates now).
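The three acceptance conditions above, applied to a scan report in code. This is an added example and not from the original page: it verifies authenticity with an HMAC-SHA256 over a canonical encoding of the report body, checks the scanned hosts against an approved scope list in both directions, and rejects reports older than a maximum age. The report layout, the shared key, the 90-day limit, and the host lists are all constructed for the example and are not any real scanner's format.

```python
"""Acceptance checks for a scan report offered as audit evidence (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed: key the verifier shares with the scanning service (assumption)
SHARED_KEY = b"example-verification-key"
# Constructed: maximum age for a report to count as current (assumption)
MAX_AGE = timedelta(days=90)


def sign_report(body: dict, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so any change to the body breaks the tag."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def check_evidence(report: dict, approved_scope: set[str],
                   now: datetime, key: bytes = SHARED_KEY) -> list[str]:
    """Return the reasons the report is NOT acceptable; an empty list means acceptable."""
    problems: list[str] = []

    # 1. Authenticated: the tag must verify before anything in the body is trusted.
    body, sig = report.get("body"), report.get("signature")
    if body is None or sig is None or not hmac.compare_digest(sign_report(body, key), sig):
        problems.append("not authenticated: signature missing or does not verify")
        return problems

    # 2. Scoped: every in-scope host was scanned, and nothing outside scope was.
    scanned = {h["host"] for h in body["hosts"]}
    missing = approved_scope - scanned
    extra = scanned - approved_scope
    if missing:
        problems.append(f"scope gap: in-scope hosts not scanned: {sorted(missing)}")
    if extra:
        problems.append(f"scope creep: hosts outside approved scope: {sorted(extra)}")

    # 3. Current: completed in the past and within MAX_AGE of the review date.
    completed = datetime.fromisoformat(body["completed_at"])
    if completed > now:
        problems.append("not current: completion time is in the future")
    elif now - completed > MAX_AGE:
        problems.append(f"not current: scan is {(now - completed).days} days old")
    return problems


def build_sample_report(hosts: list[str], completed_at: str) -> dict:
    """Constructed sample report in the shape check_evidence expects (not a real ASV format)."""
    body = {
        "scanner": "example-asv",
        "completed_at": completed_at,
        "hosts": [{"host": h, "findings": [{"id": f"F-{i}", "cvss": 7.5}]}
                  for i, h in enumerate(hosts)],
    }
    return {"body": body, "signature": sign_report(body)}


# Constructed scope and review date used by the demonstration below.
APPROVED_SCOPE = {"10.0.1.10", "10.0.1.11"}
REVIEW_DATE = datetime(2024, 6, 15, tzinfo=timezone.utc)


def demo() -> dict[str, list[str]]:
    """Run the checks over a good, a tampered, a stale and an under-scoped report."""
    good = build_sample_report(["10.0.1.10", "10.0.1.11"], "2024-05-01T00:00:00+00:00")

    tampered = build_sample_report(["10.0.1.10", "10.0.1.11"], "2024-05-01T00:00:00+00:00")
    tampered["body"]["hosts"][0]["findings"][0]["cvss"] = 2.0  # edited after signing

    stale = build_sample_report(["10.0.1.10", "10.0.1.11"], "2024-01-01T00:00:00+00:00")
    partial = build_sample_report(["10.0.1.10"], "2024-05-01T00:00:00+00:00")

    return {name: check_evidence(r, APPROVED_SCOPE, REVIEW_DATE)
            for name, r in [("good", good), ("tampered", tampered),
                            ("stale", stale), ("partial", partial)]}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'ACCEPTABLE' if not problems else problems}")
```

The authenticity check returns early on purpose: once the body no longer matches its tag, the scope and date it reports are themselves unreliable, so listing further problems would be misleading.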
Related terms
- Approved Scanning Vendor (ASV)
- An organisation qualified by the PCI Security Standards Council to conduct external vulnerability scans of cardholder data environments. PCI-DSS requirement 11.3.2 mandates...
- CVSS (Common Vulnerability Scoring System)
- An open standard maintained by FIRST (Forum of Incident Response and Security Teams) that assigns a numeric score from 0 to 10...
- Remediation prioritisation
- The process of ordering vulnerability remediation by risk. Factors include CVSS base score, asset criticality, threat intelligence about active exploitation, and compensating...
- Risk acceptance
- A formal decision by an authorised senior manager to tolerate a finding without full remediation, typically because the cost of remediation exceeds...
- Vulnerability assessment
- A systematic process of identifying, classifying, and prioritising security weaknesses in systems, software, and infrastructure. Produces a list of findings with severity...
Explained in
- Vulnerability Assessment as Audit Evidence