What type of information is considered 'evidence' in an IS audit?

Prepare for the DSST Cybersecurity Fundamentals Exam. Study with thorough preparatory material, multiple choice questions, and detailed explanations to ace your exam effortlessly!

In the context of an Information Systems (IS) audit, 'evidence' refers to information that substantiates the auditor's objectives and conclusions. This type of evidence is essential because it provides a basis for the auditor's assessments, ensuring that findings are not just opinions but are supported by factual data or documentation. Examples might include logs, reports, policies, or statistical data that align with what the audit is assessing regarding the effectiveness of controls, risks, or compliance with regulations.

Evidence must be relevant and reliable to be useful in making informed audit decisions. When evaluating the overall integrity and effectiveness of an IT system or controls, auditors rely on evidence to draw conclusions about whether the system's operations, security measures, and compliance are functioning as intended. This approach guarantees that the audit provides valid information to stakeholders.

Other types of information, such as data that cannot be verified or random documents, do not meet the criteria for credible evidence in an audit. Unrelated findings from various sources may not be pertinent to the audit objectives, so they would not effectively support the auditor's conclusions. Therefore, the only type of information recognized as evidence in an IS audit is information that clearly supports the audit's goals and findings.
