Unit 2 of 4
6.2 — Evidence Collection
Evidence collection is the foundation of any audit finding. Without properly collected, documented, and preserved evidence, findings lack credibility and cannot withstand challenge.
Four Types of Audit Evidence

Documentation Review
What to examine: model cards, system cards, risk assessments, design docs, training logs, approval records
Key tip: missing documentation is itself a finding; document what is absent

Technical Testing
What to examine: independent evaluation, fairness testing, adversarial/red-team testing, performance benchmarking
Key tip: request direct access to models, data, and infrastructure for independent testing

Interviews
What to examine: structured interviews with developers, data engineers, product owners, risk officers, end users
Key tip: interviews reveal process gaps that documentation cannot capture

Process Observation
What to examine: deployment procedures, monitoring dashboards, incident response drills, human oversight mechanisms
Key tip: verify that documented procedures match actual practice (the say-versus-do gap)
⚠ MISSING DOCUMENTATION IS A FINDING
If an organization cannot provide model cards, risk assessments, or impact assessments, this absence is itself an audit finding. Document what was requested, when, and what was not provided. Missing documentation often indicates deeper governance gaps.
★ EXAM TIP
Evidence must be documented with: source, date collected, collection method, relevance to audit criteria, and chain of custody. Digital evidence should be timestamped and stored securely. This mirrors financial audit evidence standards.
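As an added illustration that is not part of the course material, the following Python records the fields the tip requires for each piece of evidence (source, collection date, method, relevance, chain of custody), fingerprints the artifact with SHA-256 so later modification is detectable, checks that the custody log is chronological, and lists requested-but-not-provided documents as findings. The evidence id, criterion reference, team names and sample model card are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

def fingerprint(data: bytes) -> str:
    """SHA-256 of the artifact as collected; any later change alters it."""
    return hashlib.sha256(data).hexdigest()

def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

@dataclass
class EvidenceRecord:          # the fields the exam tip requires per item of evidence
    evidence_id: str
    source: str                # who or what produced the artifact
    collection_method: str     # documentation review, testing, interview, observation
    relevance: str             # audit criterion the evidence supports
    sha256: str                # fingerprint taken at collection time
    collected_at: str          # ISO-8601 UTC timestamp
    custody: list = field(default_factory=list)  # chain-of-custody entries

def collect(evidence_id, source, method, relevance, data: bytes, collector: str) -> EvidenceRecord:
    """Create the record and open the custody log with the collector."""
    ts = utc_now()
    rec = EvidenceRecord(evidence_id, source, method, relevance, fingerprint(data), ts)
    rec.custody.append({"at": ts, "holder": collector, "action": "collected"})
    return rec

def hand_over(rec: EvidenceRecord, new_holder: str) -> None:
    """Each change of hands is appended; earlier entries are never edited."""
    rec.custody.append({"at": utc_now(), "holder": new_holder, "action": "received"})

def verify(rec: EvidenceRecord, data: bytes) -> bool:
    """True only if the stored artifact still matches the collection-time hash."""
    return fingerprint(data) == rec.sha256

def custody_intact(rec: EvidenceRecord) -> bool:
    """Log must start with 'collected' and run in chronological order."""
    stamps = [e["at"] for e in rec.custody]
    return bool(stamps) and rec.custody[0]["action"] == "collected" and stamps == sorted(stamps)

def missing_documentation(requested: dict, provided: set) -> list:
    """Requested items not provided, each with its request date: findings in themselves."""
    return [{"item": i, "requested_on": d} for i, d in requested.items() if i not in provided]

if __name__ == "__main__":
    card = b"Model: credit-scoring-v3\nIntended use: loan pre-screening\n"  # constructed artifact
    rec = collect("EV-001", "ML platform team", "documentation review", "criterion C-4.1", card, "lead auditor")
    hand_over(rec, "evidence custodian")
    print(verify(rec, card), verify(rec, card + b"x"), custody_intact(rec))
    print(missing_documentation({"model card": "2024-05-01", "risk assessment": "2024-05-01"}, {"model card"}))
```

Store the record alongside the artifact in write-once storage so the hash and custody log cannot be altered after the fact.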
Key Points
Four evidence types: documentation, testing, interviews, observation
Missing documentation is a finding
Independent technical testing is essential
Verify documented procedures match actual practice
Evidence chain of custody and secure storage