In which phase of the audit process is evidence typically gathered?

The fieldwork phase is where evidence is typically gathered during an audit process, making it a crucial step in verifying compliance and assessing the effectiveness of the controls in place. During this phase, auditors perform various activities such as interviews, observations, and document reviews to collect data and information relevant to the audit objectives. This is the time where the auditors actually engage with the processes and systems being audited, working to confirm that all claims about the effectiveness of the information security management system (ISMS) can be substantiated with factual evidence.

This phase stands out as distinct from planning, reporting, and review phases. In the planning phase, auditors set objectives and determine the scope of the audit, but no evidence is gathered at this stage. The reporting phase comes after fieldwork is completed, where findings are documented and communicated, also not involving evidence collection. Similarly, the review phase is generally associated with evaluating and discussing the conclusions drawn from the evidence collected, which also does not involve gathering new evidence.