diff --git a/lib/inspec/resources/auditd.rb b/lib/inspec/resources/auditd.rb
index fdcaae411..cbe01ec4d 100644
--- a/lib/inspec/resources/auditd.rb
+++ b/lib/inspec/resources/auditd.rb
@@ -187,8 +187,20 @@ module Inspec::Resources
       line.scan(/-S ([^ ]+)\s?/).flatten.first.split(",")
     end
 
+    # Processes the line and returns a pair of entries reflecting the 'action'
+    # and 'list' items.
+    #
+    # @return [Array[String,String]]
     def action_list_for(line)
-      line.scan(/-a ([^,]+),([^ ]+)\s?/).flatten
+      action_list = line.scan(/-a ([^,]+),([^ ]+)\s?/).flatten
+
+      # Actions and lists can be in either order
+      valid_actions = %w{never always}
+
+      [
+        (action_list & valid_actions).first,
+        (action_list - valid_actions).first,
+      ]
     end
 
     def key_for(line)
diff --git a/test/fixtures/cmd/auditctl b/test/fixtures/cmd/auditctl
index 24b0c80c9..d9e23fb9c 100644
--- a/test/fixtures/cmd/auditctl
+++ b/test/fixtures/cmd/auditctl
@@ -2,7 +2,7 @@
 -a always,exit -F arch=b32 -S open,openat -F exit=-EPERM -F key=access
 -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 f24!=0 -F key=perm_mod
 -a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
--a always,exit -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
+-a exit,always -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
 -w /etc/ssh/sshd_config -p rwxa -k CFG_sshd_config
 -w /etc/sudoers -p wa
 -w /etc/private-keys -p x
diff --git a/test/unit/resources/auditd_test.rb b/test/unit/resources/auditd_test.rb
index 73ea9824f..32377512c 100644
--- a/test/unit/resources/auditd_test.rb
+++ b/test/unit/resources/auditd_test.rb
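Review bot: Only the action side of the `-a x,y` pair is validated, so a rule whose action token is neither `always` nor `never` (a typo, or an action name not in `valid_actions`) now comes back as `[nil, "x"]` — the unrecognised action is handed to the caller as the list, indistinguishable from a rule whose list really is `x`, whereas the old positional code at least kept both tokens. I would validate the list side the same way, `valid_lists = %w{task exit user exclude filesystem}` (the lists auditctl(8) documents; confirm the set against the audit versions you support) and return `(action_list & valid_lists).first` as the second element, so an unparseable rule yields nil on both sides rather than a plausible-looking value that a `list == "exit"` control would then trust. Both word lists are constant and could live in frozen class-level constants instead of being rebuilt on every call. The YARD tag `@return [Array[String,String]]` is not valid YARD tuple syntax and does not say that either element can be nil; something like `# @return [Array] two-element [action, list] pair; an element is nil when that token was not recognised` would be accurate. The enclosing class starts and ends outside this hunk.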
@@ -10,13 +10,29 @@ describe "Inspec::Resources::AuditDaemon" do
       "-a always,exit -F arch=b32 -S open,openat -F exit=-EPERM -F key=access",
       "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 f24!=0 -F key=perm_mod",
       "-a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged",
-      "-a always,exit -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged",
+      # Reversed for action_list validation
+      "-a exit,always -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged",
       "-w /etc/ssh/sshd_config -p rwxa -k CFG_sshd_config",
       "-w /etc/sudoers -p wa",
       "-w /etc/private-keys -p x",
     ]
   end
 
+  it "auditd action_list processing" do
+    resource = MockLoader.new(:centos7).load_resource("auditd")
+
+    list_items = []
+    action_items = []
+
+    resource.params.each do |param|
+      list_items << param["list"] if param["list"]
+      action_items << param["action"] if param["action"]
+    end
+
+    list_items.uniq.must_equal ["exit"]
+    action_items.uniq.must_equal ["always"]
+  end
+
   it "auditd syscall interface" do
     resource = MockLoader.new(:centos7).load_resource("auditd")
     _(resource.send("syscall", "open").send("params")).must_equal [
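Review bot: The `if param["list"]` / `if param["action"]` guards in the new test drop exactly the failure the reversed fixture line is meant to catch: if `-a exit,always` regressed to parsing as `[nil, "exit"]` or `[nil, nil]`, the nil would be skipped before `uniq` and `action_items.uniq.must_equal ["always"]` would still pass on the other rules. Pin the count as well, e.g. `_(action_items.size).must_equal 4` and `_(list_items.size).must_equal 4` — four `-a` rules are visible in the fixture hunk, but the fixture's first line is outside this diff, so adjust the number if it holds another `-a` rule — or assert on the mount rule directly. As a point of style, the hunk's existing test uses the `_(...)` expectation wrapper (`_(resource.send("syscall", "open").send("params")).must_equal`), while the new assertions call the bare `must_equal` form that newer Minitest deprecates; `_(list_items.uniq).must_equal ["exit"]` keeps the file consistent.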