During an audit, what should an auditor prioritize when gathering evidence?

In the context of an audit, prioritizing completeness and accuracy is crucial for several reasons. The primary goal of an audit is to assess whether an organization’s information security management system is functioning effectively and in compliance with ISO/IEC 27001 requirements.

Completeness refers to the need for the auditor to gather all relevant evidence to fully understand the system being audited. This allows the auditor to provide a comprehensive view of the organization's practices and adherence to policies. If evidence is incomplete, the auditor may miss vital information that could impact the audit's findings and conclusions.

Accuracy pertains to the precision of the evidence collected. Accurate evidence is essential for the integrity of the audit process, as it ensures that the findings are based on reliable and truthful information. Inaccurate evidence can lead to flawed conclusions, which may result in misinformed decisions regarding the organization’s compliance and risk management strategies.

While other factors like speed, confidentiality, and cost-effectiveness are important to consider in the audit process, they should not overshadow the need for gathering complete and accurate evidence. Without this foundational aspect, the reliability and value of the audit results could be significantly diminished.