Asked by tej_a on 2026-05-22

What makes evidence reliable in a cybersecurity audit?

I keep getting pushback from IT that "we have controls" but I cannot tell what evidence is good enough. How do I evaluate cybersecurity evidence?

76 upvotes
Verified Expert
AcadiFi Certified Professional

Ranked from highest to lowest reliability:

  1. Auditor reperformance. The auditor independently runs a scan, observes a configuration, or recomputes a metric. Highest because there is no intermediary.
  2. System-generated reports from independent systems. SIEM logs that the auditor pulled directly from the system, cloud configuration reports from a tool the auditor accesses, learning management system completion records exported by the auditor. Strong because the source is automated.
  3. Third-party assurance reports. SOC 2 Type II for cloud providers, penetration test reports from independent firms, regulator findings. Useful but check the scope: SOC 2 reports list user control considerations that the customer must implement. Without those, the SOC 2 alone is not enough.
  4. Internal management reports with traceability. A vendor risk dashboard exported from a GRC tool, where the auditor can trace from summary to detail and from detail to source data.
  5. Inquiry of management alone. Lowest reliability. Useful to gather context but not to conclude on operating effectiveness.

Two practical tests:

  • Could a determined manager have inflated this evidence? If yes, find a better source.
  • Did the auditor see the source data or only a summary prepared for them? If only a summary, request the source.

The most common cybersecurity evidence failure is accepting "we do user access reviews quarterly" without obtaining the review evidence. Request the actual review file, sample it, and confirm that revocations were timely.
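As an added illustration (not part of the answer above), the following script shows what reperformance of an access review looks like in practice: it reads a quarterly review file, checks that every "revoke" decision was completed within a hypothetical 5-day policy, and then compares the file against an entitlement export the auditor pulled directly from each system. All sample data and the SLA are constructed for the example.

```python
from datetime import date

# Constructed sample: rows of an exported quarterly user access review file.
# Each row: (user, system, reviewer decision, decision date, date access was removed or None).
REVIEW_FILE = [
    ("alice", "erp", "retain", date(2026, 1, 15), None),
    ("bob",   "erp", "revoke", date(2026, 1, 15), date(2026, 1, 17)),
    ("carol", "vpn", "revoke", date(2026, 1, 16), date(2026, 2, 20)),
    ("dave",  "vpn", "revoke", date(2026, 1, 16), None),
]
# Constructed sample: current entitlements exported by the auditor directly from each
# system, i.e. an independent source rather than a summary prepared by management.
CURRENT_ACCESS = {"erp": {"alice", "bob"}, "vpn": {"dave"}}
# Hypothetical policy: revocations must be completed within 5 days of the review decision.
SLA_DAYS = 5


def check_timeliness(rows, sla_days=SLA_DAYS):
    """Flag revoke decisions that the review file itself shows as incomplete or late."""
    findings = []
    for user, system, decision, decided, revoked in rows:
        if decision != "revoke":
            continue
        if revoked is None:
            findings.append((user, system, "no revocation date recorded"))
        elif (revoked - decided).days > sla_days:
            delay = (revoked - decided).days
            findings.append((user, system, f"revoked {delay} days after decision"))
    return findings


def reperform_against_source(rows, current_access):
    """Reperformance: a 'revoke' decision must mean the user is absent from the live export.
    A row that claims a revocation date but still appears in the system is a documentation
    versus reality mismatch, which a summary report alone would never reveal."""
    findings = []
    for user, system, decision, _decided, _revoked in rows:
        if decision == "revoke" and user in current_access.get(system, set()):
            findings.append((user, system, "still present in system export"))
    return findings


def audit_access_review(rows=REVIEW_FILE, current_access=CURRENT_ACCESS, sla_days=SLA_DAYS):
    """Run both tests and return the exceptions per test for the workpaper."""
    return {"timeliness": check_timeliness(rows, sla_days),
            "reperformance": reperform_against_source(rows, current_access)}


if __name__ == "__main__":
    for test, findings in audit_access_review().items():
        print(test, findings or "no exceptions")
```

In the sample, bob's row records a timely revocation yet he is still in the ERP export, which is exactly the kind of exception the "source data versus summary" test is meant to surface.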
