Could someone please provide some insight. The Auditor wants to see how the management of change process is controlled. What would an Auditor expect to see, is it a procedure detailing the areas considered or is it a risk assessment format? I have not found 18002 to be particularly clear on this point but it may just be me!
First of all, welcome to the Cove
Along with what Randy indicated, the standard does give a pretty good idea of what they want. When a change occurs, there could be an impact on risks. They may become greater, or lesser. So, before the change is made, they expect you to analyze how the proposed change effects risks.
Evidence of this analysis may be in meeting minutes, management review records, maybe even a formal risk analysis of the proposed change. I don't think any one thing would be standard. You could have seven proposed changes within a given time period, and have seven different forms of evidence. It would all depend on the size/scope of the change and risks involved in the activity.