What type of evidence is an external audit report?

An external audit report is considered confirmative evidence because it provides an independent assessment and verification of the effectiveness of a company's management system, typically regarding compliance with standards such as ISO/IEC 27001. This type of evidence is derived from an objective examination performed by qualified auditors who evaluate various components of the management system, including its policies, processes, and controls.

The confirmative nature of an external audit report stems from its role in affirming that the organization's information security management system meets the specified requirements and is functioning effectively. It adds credibility to the findings since it is conducted by an external party with no vested interest in the outcome, thereby confirming adherence to established protocols and standards.

In contrast, physical evidence relates to tangible items or artifacts that support the existence or operation of processes and controls. Analytical evidence involves the analysis of data or information to draw conclusions about performance, risks, or compliance. While both types of evidence can be useful in assessing an organization's information security posture, the unique attributes of external audit reports fit best within the category of confirmative evidence, as they serve primarily to validate and provide assurance regarding compliance and effectiveness.