What are acceptable sources of evidence in IT security audits and how should they be triangulated?

Explanation:
Triangulation in IT security audits means gathering evidence from multiple independent sources and cross-checking them so that conclusions are reliable and not driven by a single data point. In practice, acceptable evidence includes logs (system and security logs), configurations and change records, policy documents, access control lists, change tickets, interview notes, and the results of tests or assessments. The strength of the approach comes from comparing what actually happened (logs) with what was supposed to happen (configurations and policies), what people say happened (interviews), and what can be demonstrated (test results).

When you triangulate, you look for consistency across these sources: do the events recorded in the logs match the actions the system is configured to allow or deny? Do interview statements align with the documented policies and with the actual system state? Do test results confirm the behavior described by stakeholders and implemented by the configured controls? Where discrepancies arise, they should prompt deeper investigation, additional evidence collection, or targeted testing to resolve them. This approach reduces the risk of basing conclusions on biased, incomplete, or tampered data and supports a defensible audit trail.
