An external auditor asks for proof that quarterly privileged access reviews were completed and that any exceptions were tracked to closure during the last year. Which evidence is MOST appropriate to provide?
This is the best evidence because it directly shows the process was performed and that findings were handled. Signed review records demonstrate that quarterly reviews occurred, and remediation or exception tickets show that identified issues were tracked and resolved. Auditors look for traceable, repeatable evidence rather than isolated screenshots or verbal confirmation, so process records are the strongest support.
Why this answer
Option B is correct because signed access review records provide verifiable proof that quarterly reviews were conducted, and remediation tickets demonstrate that any exceptions (e.g., excessive privileges) were tracked and resolved. This aligns with the principle of audit evidence: it must be objective, verifiable, and show a complete chain of actions from review to closure. A screenshot or policy alone lacks the audit trail of actual completion and exception handling.
Exam trap
The trap here is that candidates confuse policy documentation (Option C) or informal communication (Option D) with actual audit evidence, failing to recognize that only signed records and remediation tickets provide the verifiable, objective proof required by an external auditor.
How to eliminate wrong answers
Option A is wrong because a screenshot of one administrator's current privileges only shows a point-in-time snapshot, not evidence that quarterly reviews were completed or that exceptions were tracked to closure over the last year. Option C is wrong because a security policy stating that reviews must happen every quarter is a directive, not proof that the reviews actually occurred or that exceptions were resolved. Option D is wrong because an email from the system administrator is hearsay evidence; it is not an objective, auditable record and does not provide the signed review records or remediation tickets required for compliance.