How should an auditor respond when SOC evidence is missing?
I joined an internal audit project midway through a controls review for a payment platform. The process owners say the reconciliations and access reviews happened every month, but several months in scope have no retained evidence. Leadership wants us to stay constructive and avoid sounding alarmist. What is the defensible way to answer when the evidence package is incomplete?
Start by separating three issues: intended control design, available historical evidence, and remediation now underway. If the support for prior months is missing, internal audit should not imply the control operated effectively just because the process owner says it usually does.
A clear response is:
- explain which months were tested successfully
- identify which periods could not be validated from retained support
- state whether the scope limitation changes the assurance conclusion
- document any immediate remediation plan as a forward-looking action, not proof of past performance
The wording should be calm, but the substance must remain precise. A sentence like "audit could not verify performance for three of the twelve months because review evidence was not retained" is both constructive and honest.