During the certification audit, the auditor might look for the following evidence regarding control A.5.18 Access rights: if access of users is granted and revoked according to the defined access control policy.

Examples:
A company has defined in its Access Control Policy the rules to grant and revoke accesses rights — The auditor may ask to see the latest hired personnel, personnel that has changed jobs, and latest dismissed personnel, to see if granted and revoked access were implemented as required.