Security finding evidence pack handoff to internal audit
run as a structured periodic workflow on the engagement record so the second line ships a defensible pack and the third line preserves testing independence

The handoff cycle reference (Q1, Q2, Q3, Q4, semiannual, annual, or ad-hoc), the documented in-scope control set for the cycle, the framework citations the cycle reads against, the audit testing plan as agreed with the chief audit executive, the named second-line lead (commonly the CISO, the GRC lead, or the head of vulnerability management), the named third-line attendees (the chief audit executive or audit director, the assigned audit manager, the assigned auditor team members), the agreed sample window with the cycle close date, and the documented scope adjustments versus the prior cycle. The scope is captured on the handoff engagement so the pack the second line ships is the pack the third line samples against.

A finding sample ready for independent testing rather than a raw CSV the audit team has to re-classify. The open finding register as of the cycle close, a stratified sample across the severity bands, a sample of remediated findings from the cycle with full lifecycle history, a sample of findings carrying active exceptions, a sample of findings reopened within the cycle, and a sample of findings imported from third-party scanners. Each row carries the finding identifier, the title, the CVSS 3.1 vector, the severity at intake, the severity now, the named owner, the engagement reference, the asset binding, the source pipeline, the open date, the close date where applicable, and the activity log entry range. The sample selection method (random, judgmental, stratified) and the named selector are captured on the engagement so the audit working paper reads the documented sampling.

The active exceptions surface as a separate sample class because operating effectiveness against an active override is a distinct testing assertion. Each exception carries the eight-field decision chain (cited finding, override class, business rationale, compensating control with evidence pack, named approver, residual risk band, expiry, framework citation), the renewal record for any review during the cycle, the recovery queue entry for any exception that passed expiry without renewal, the cited compensating-control evidence packs with current version stamps, and the activity log entry that records the latest re-attestation. The audit team reads the exception register against the structured override decision chain rather than reconciling a parallel spreadsheet.

One row per in-scope control with the canonical control identifier, the documented control objective, the named control owner, the named backup owner, the framework citations satisfied (read against the compliance tracking crosswalk so one canonical control rolls up to multiple frameworks), the current evidence version on document management, the cadence the control operates on, the last operated date, the cycle exception count, and the named second-line lead signature with the activity log entry that records the signature. Where the control runs partially on systems outside the workspace, the attestation cites the external source-of-record reference rather than duplicating the data so the audit team can trace the evidence chain across systems.

For each sampled finding, the activity log slice that records the lifecycle (open, triage, owner assignment, severity change, override decision, remediation, retest, close), the linked engagement reference, the linked asset binding, the linked control reference where applicable, the linked compensating control where an exception applies, the linked retest evidence, and the linked document version of any policy or procedure cited. The bundle is pulled from the live record rather than authored as a summary so the audit team can trace evidence to source without a re-pull. Re-authoring summaries for the audit produces the parallel-evidence-trail anti-pattern that surfaces as a finding the next cycle.

A short orientation document that explains the workspace data model the audit team is reading against (engagements, findings, scans, activity log, document versions, RBAC roles, exception register, compliance crosswalk), the sample selection method used for this cycle, the cited framework versions, the named second-line responder for clarifications, and the agreed cadence for follow-up. The reading guide reduces the question volume the audit team has to ask before they can begin testing and preserves the independence of the third-line testing procedure by giving the auditor an orientation rather than an interpretation.

The CISO emails a CSV, the GRC lead emails an exceptions spreadsheet, the head of vulnerability management emails a quarterly slide deck, and the audit team spends the first two weeks reconciling overlapping sources before testing begins. The second line did the work but the third line cannot read it. The fix is a structured pack on a handoff engagement with documented sample criteria, named control coverage, and an activity-log trail the audit team reads against once rather than reconciling three sources.

The pack carries forty finding records selected by the second line, but no documented sampling method, no random seed, no stratification criteria, and no record of which sampling frame the records came from. The audit team cannot re-perform the sampling, cannot test whether the sample is representative, and writes the working paper against an unverifiable selection. The fix is a documented sample selection method (random, judgmental, stratified) with the named selector and the sampling frame captured on the handoff engagement.

The pack includes an exception register, but several exceptions have passed expiry without a renewal decision, several have an inactive named approver, several have aged compensating-control evidence, and several carry framework citations against a superseded standard version. The audit team has to re-attest each exception during testing rather than testing the operating effectiveness of the override discipline. The fix is running the renewal pipeline before the handoff cycle close so the register ships current.

The attestation rolls up to summary statistics ("96 percent of in-scope controls operating, 4 percent with known gaps") but does not name owners, does not cite current evidence versions, and does not bind the framework citations to the controls. The audit team cannot test the attestation; the audit committee reads it as marketing. The fix is one row per control with the named owner, the cited evidence version, the framework citations, and the signature of the named second-line lead with the activity-log entry.

The second line ships a frozen CSV export and asks the audit team to test against the export rather than the live workspace. The audit team cannot trace evidence to source, cannot retest findings independently, and cannot read the activity log of any state change the second line made after the export. The fix is a scoped, time-bound access grant on the workspace with viewer permissions so the audit team retests against the live record while the access grant remains explicit and visible on the activity log.

The audit team raises eight clarifications during testing, the team responds across three email threads with two different responders, the audit team raises three sample expansions, and the second line cannot reconstruct which clarification triggered which follow-up. The audit working paper records the questions; the next cycle re-litigates them. The fix is running the follow-up loop as state events on the handoff engagement so the chronology lives on one record per cycle.

The Q2 handoff opens with a fresh sample selection conversation, a fresh exception register pull, a fresh control coverage attestation authoring exercise, and no reference to the Q1 pack. The audit team reads the cycle as a fresh discovery exercise and the trajectory of any deficiency assertion is lost. The fix is opening the next handoff engagement against the prior so the sample selection criteria carry forward with a documented evolution, the exception register reads against the prior renewal trajectory, and the deficiency log reads as a continuous chain.

The second line claims the third line was given full read access and was free to test against the live record. The audit committee asks how the access was granted, when, to whom, with what scope, and how the second line can demonstrate it did not interfere with the testing. Nothing on the operating record answers the question. The fix is capturing the access grant, the grant scope, the named recipients, and the time-bound expiry on the activity log so the independence chain is reconstructable.

The Institute of Internal Auditors International Standards under Performance Standard 2050 (Coordination and Reliance) explicitly recognise that internal audit may rely on the work of other assurance providers including the second-line risk and control functions, provided independence is preserved and the reliance is documented. The handoff workflow makes the reliance defensible: the pack is structured, the sample selection is documented, the access grant preserves independent retesting, and the activity log captures the chain. The IIA Three Lines Model places the security and GRC functions on the second line and internal audit on the third line; this workflow runs the second-to-third handoff as a structured procedure rather than an ad-hoc data dump.

CC4.1 (selects, develops, and performs ongoing and separate evaluations) explicitly contemplates that the entity uses multiple monitoring activities including management monitoring, internal audit testing, and other independent assessments. The handoff pack is the second-line monitoring output the third-line evaluation reads against. The structured sample selection, the exception register, the control coverage attestation, and the access grant for independent retesting are the evidence chain CC4.1 reads.

Clause 9.1 (monitoring, measurement, analysis, and evaluation), Clause 9.2 (internal audit), and Annex A 5.35 (independent review of information security) explicitly require that the information security management system is reviewed independently at planned intervals. The handoff workflow is the structured input the independent review reads against: the documented sample selection, the active exceptions with current attestations, the control coverage with current evidence versions, and the activity-log chain that preserves the independence of the review while making reliance on second-line monitoring defensible.

Requirement 12.4 (executive management oversight of the information security programme) and the broader Requirement 12 (information security policy) anchor the programme posture the audit and oversight functions read against. The handoff pack is the structured input the QSA-led audit reads when testing the programme posture, including the active exceptions, the control coverage, and the documented sample of operating evidence. The second-line attestation signed by the named executive is the evidence Requirement 12.4 reads against.

CA-2 (control assessments), CA-5 (plan of action and milestones), and CA-7 (continuous monitoring) read the documented assessment plan, the sample of operating evidence, the plan of action and milestones for any control gap, and the continuous monitoring strategy. The handoff workflow ships the structured input each procedure reads against: the documented sample selection, the exception register that anchors the plan of action and milestones, the control coverage attestation that anchors the continuous monitoring strategy, and the activity-log chain that captures the monitoring trajectory.

The COSO Internal Control Integrated Framework monitoring component (Principles 16 and 17) reads against the entity selecting and developing ongoing and separate evaluations and communicating internal control deficiencies. The handoff pack is the structured ongoing-and-separate-evaluation input the audit committee reads against, the deficiency log is the structured deficiency communication, and the named second-line attestation signed by the executive is the management assertion the COSO monitoring component reads.

Sign the control coverage attestation, lead the second-line cycle close, and read the audit committee deck alongside the third-line opinion. The CISO persona page and the security operations leaders persona page cover the leadership read.

Assemble the sample, drive the exception register currency, and run the follow-up loop during testing. The GRC and compliance teams persona page covers the second-line workflow.

Own the operating record the sample reads against, the active exceptions, and the remediated findings the audit team retests. The vulnerability management persona page and the AppSec persona page cover the operating side.

Receive the pack, perform independent testing on the live record under scoped access, and report to the audit committee. The internal audit teams persona page covers the third-line read against the same workspace the second line operates on.