Internal and External Audits and Evidence
Key Takeaways
- Internal audits are performed by or for the organization to find control gaps before external scrutiny; external audits are independent and support regulatory, customer, or contractual assurance.
- Audit evidence must be relevant, reliable, complete, sufficient, and tied to a specific control objective and audit period.
- Auditors sample artifacts — tickets, logs, configurations, approvals, exception records — and expand the sample or issue a finding when samples fail.
- A complete finding states condition, criteria, cause, effect/risk, and recommendation, followed by a management response with owner and target date.
- Attestation reports such as SOC 2 (AICPA) and ISO/IEC 27001 certification are common external assurance outputs that Security+ expects you to recognize.
What an Audit Actually Tests
An audit is a structured, evidence-based evaluation of whether a control exists, is designed correctly, and operates as intended over a defined period. The requirement being tested comes from a law, regulation, contract, framework, internal policy, or management directive. On SY0-701 the most-tested distinction is audit versus penetration test: an audit asks "can you prove the required control operates?" while a pen test asks "can this control be exploited?" Do not conflate them.
Auditors distinguish design effectiveness (the control, if it ran, would meet the objective) from operating effectiveness (the control actually ran every time during the period). A firewall-review policy that nobody followed passes design but fails operating effectiveness. This is why auditors collect evidence spanning the whole period rather than a single snapshot: a control that worked only in the week before the audit demonstrates neither consistency nor reliability, and a skilled auditor will detect the gap by sampling across the full window.
Attestation outputs you should recognize on the exam include the SOC 1 report (financial-reporting controls), the SOC 2 report (security, availability, processing integrity, confidentiality, and privacy trust criteria from the AICPA), and ISO/IEC 27001 certification. A SOC 2 Type I evaluates control design at a point in time, while Type II evaluates operating effectiveness over a period (often six to twelve months) — Type II carries far more weight with customers because it proves the control ran repeatedly.
Regulatory examinations such as PCI DSS assessments or HIPAA audits follow the same evidence logic but map to a named obligation.
Internal vs External Audits
| Audit type | Performed by | Primary purpose | Example |
|---|---|---|---|
| Internal audit (first-party) | Internal audit team or contractor reporting to management/board | Find gaps before external review; drive improvement | Review privileged-access recertification before renewal |
| External audit (second-party) | A customer or partner auditing you | Validate contractual security obligations | Enterprise customer audits your access reviews |
| External audit (third-party) | Independent licensed firm | Provide assurance to regulators/customers | SOC 2 Type II or ISO/IEC 27001 certification audit |
| Compliance audit | Internal or external | Test against named obligations | Confirm PCI DSS or HIPAA control requirements |
| Operational audit | Internal or external | Improve process and control efficiency | Investigate late deprovisioning tickets |
Independence is the dividing line. An administrator may supply evidence, but cannot be the sole judge of whether their own control is effective in an independent engagement — that is a self-assessment, not third-party assurance. Internal audit functions preserve independence by reporting administratively to management but functionally to the board or audit committee, so they can raise findings without retaliation.
When a customer audits you directly it is a second-party engagement; when a licensed independent firm issues an opinion for many stakeholders it is a third-party engagement, which is what regulators and large customers normally demand.
Evidence Quality and Sampling
Good evidence is relevant (maps to the objective), reliable (system-generated beats verbal claims), complete (covers the population), sufficient (enough samples to conclude), and timely (within the audit period).
| Control objective | Strong evidence | Weak evidence |
|---|---|---|
| New access is approved before granting | Request ticket with approver, role, timestamp, fulfillment log | Screenshot of the login page |
| Firewalls reviewed quarterly | Review minutes, rule export, decisions, change tickets | "The firewall is important" |
| Backups are tested | Restore test results, date, scope, failures, signoff | A backup-product brochure |
| Logs retained per policy | SIEM retention config + sample event search | A policy with no system proof |
| Exceptions managed | Exception register with owner, expiry, approval | An informal chat message |
Auditors rarely test 100% of a population. For a January–March period they may sample 25 of the users created in that window and request the matching approval for each one. If a sample fails, they may expand the sample or issue a finding. Sample sizes are not arbitrary: they scale with population size and the auditor's required confidence level, and a control that runs daily is sampled differently from one that runs quarterly. The source of the evidence matters as well: a self-assessment is also called a first-party attestation, whereas a third-party report (for example SOC 2) carries far more weight with customers.
Reliability also ranks evidence: a tamper-resistant, system-generated log outranks a manually maintained spreadsheet, which outranks a verbal assertion. When an auditor cannot obtain sufficient appropriate evidence, the result is a scope limitation, which can itself become a finding even when the underlying control may be fine.
Audit Finding Scenario
An external auditor tests 25 terminated employees. Four accounts were disabled late and two retained active VPN tokens after the directory account was disabled. Policy requires removal within 24 hours. A complete finding reads:
- Condition: Six sampled leavers had incomplete or late deprovisioning.
- Criteria: Policy requires access removal within 24 hours.
- Cause: VPN token revocation was outside the automated leaver workflow.
- Effect/Risk: Former personnel could retain remote access.
- Recommendation: Add VPN revocation, daily reconciliation, and exception alerting.
Management then issues a response naming an owner and a target remediation date — auditors track this to closure.
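The "daily reconciliation" that the recommendation calls for, as an added example that is not part of the page and not any vendor's tool: it joins an HR termination record against the directory-disable log and the VPN token log for each leaver, classifies anything outside the 24-hour criterion or still active, and fills in the Condition and Criteria elements of the finding from the result. The constructed population of 25 leavers reproduces the scenario above (four disabled late, two with active VPN tokens); the function names, field names, dates and employee ids are assumptions made for the example.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=24)  # criteria from the scenario: access removed within 24 hours


def build_leavers(n=25):
    """Constructed sample of 25 terminated employees. Each record carries the HR
    termination time plus the matching directory and VPN log timestamps."""
    base = datetime(2024, 2, 1, 17, 0)
    leavers = []
    for i in range(n):
        term = base + timedelta(days=i)
        leavers.append({
            "employee": f"emp{i:02d}",
            "terminated_at": term,                              # HR system record
            "directory_disabled_at": term + timedelta(hours=6),  # identity-management log
            "vpn_token_revoked_at": term + timedelta(hours=6),   # VPN appliance log
        })
    for i in (3, 8, 15, 21):   # four accounts disabled two days after termination (late)
        leavers[i]["directory_disabled_at"] = leavers[i]["terminated_at"] + timedelta(days=2)
        leavers[i]["vpn_token_revoked_at"] = leavers[i]["directory_disabled_at"]
    for i in (5, 12):          # two tokens never revoked (incomplete deprovisioning)
        leavers[i]["vpn_token_revoked_at"] = None
    return leavers


def reconcile(leavers, sla=SLA):
    """Compare each leaver's HR date with the directory and VPN logs.
    Returns [(employee, [reasons])] for every record outside the criteria."""
    exceptions = []
    for rec in leavers:
        reasons = []
        if rec["directory_disabled_at"] is None:
            reasons.append("directory account still enabled")
        elif rec["directory_disabled_at"] - rec["terminated_at"] > sla:
            reasons.append("directory disabled late")
        if rec["vpn_token_revoked_at"] is None:
            reasons.append("VPN token still active")
        elif rec["vpn_token_revoked_at"] - rec["terminated_at"] > sla:
            reasons.append("VPN token revoked late")
        if reasons:
            exceptions.append((rec["employee"], reasons))
    return exceptions


def draft_finding(leavers, exceptions, sla=SLA):
    """Fill in Condition and Criteria from the test result. Cause, Effect/Risk and
    Recommendation still need the auditor's judgement and are left to them."""
    late = sum(1 for _, r in exceptions if any("late" in x for x in r))
    active = sum(1 for _, r in exceptions if "VPN token still active" in r)
    hours = int(sla.total_seconds() // 3600)
    return {
        "condition": (f"{len(exceptions)} of {len(leavers)} sampled leavers had late or "
                      f"incomplete deprovisioning ({late} late, {active} with active VPN tokens)"),
        "criteria": f"Policy requires access removal within {hours} hours",
        "samples_failed": len(exceptions),
    }


if __name__ == "__main__":
    leavers = build_leavers()
    exceptions = reconcile(leavers)
    for employee, reasons in exceptions:
        print(f"EXCEPTION {employee}: {'; '.join(reasons)}")
    finding = draft_finding(leavers, exceptions)
    print("Condition:", finding["condition"])
    print("Criteria: ", finding["criteria"])
```

Run daily against the live systems instead of a constructed list, the same `reconcile` output is the "exception alerting" in the recommendation: a non-empty result is the alert, and the records it names are the evidence the next auditor will sample.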
Evidence Handling and Common Traps
Evidence often contains secrets, credentials, or personal data. Share it through approved channels, minimize it to the audit need, and redact passwords or unrelated customer data without destroying reliability. Common traps that turn otherwise good evidence into a finding include:
- Providing policy when the auditor asked for operating evidence.
- Producing evidence outside the audit period.
- Editing screenshots so they lose reliability.
- Forgetting exceptions and failed samples.
- Treating an internal self-assessment as independent external assurance.
An auditor asks for proof that new privileged users were approved before access was granted. Which evidence is best?
A customer requires independent assurance that your security controls operated effectively over the past year. Which output best satisfies this?
Which items are characteristics of useful audit evidence? Select three.