To audit control 10.1.2 Key management you need to identify the defined requirements for generating, storing, archiving, retrieving, distributing, retiring, and destroying keys. Once these are identified you can start verifying if the implemented processes are being performed according to the requirements.
Examples of evidence are:
requests for key generation
records of key delivery to users
records of key revocation
This article will provide you further explanation about key management: