Audit program: What is it and why do you need one?
If you’re working with ISO standards such as ISO 27001 or ISO 9001, or with some other framework, you will most likely be dealing with internal and external audits, and to manage these you will need to implement an audit program. But what is an audit program?
What is an audit program?
As the name suggests, it is a program in which you, the business, perform audits within the business: a defined number of audit tasks scheduled over a period of time to check that your internal systems and processes are doing what they should be doing. In these audits you look for risks and non-compliances within your business, measured against whichever standard you are working to.
How long does an audit program take?
Now you’ll be asking yourself, how long is a period of time? This depends upon the size and complexity of your business. Some businesses, those around the micro-company size, will manage with an annual program, while larger businesses will develop a program that spans three years, which aligns with the ISO certification cycle.
The length of the program can also come down to the resources you have to hand, how much risk is within your business and how complex the business is. Additional factors that can affect the length of your program are how many management systems you have in place: do you have ISO 27001 (information security), ISO 9001 (quality) and so forth?
How many audits are included?
The number of audits you must carry out can, like the length of the audit program, depend upon multiple factors. You must conduct enough audits to cover all of your controls over the period, while making sure that you aren’t overstretching your audits and your business in the process.
If the business has several locations around the country, or is even international, you may want to split your audits down further so that you look at these locations in more detail as you progress through the audit program. You also have to take into account the risk of your business, and perhaps prioritise certain areas, depending upon your business and so forth.
When it comes to the number of audits, every business is different and there is no one size that fits all; you do what is right for your business.
Audit scheduling
When it comes to planning your audits, you as a business, or whoever is managing your audit program, must ensure that risk areas are scheduled in priority order. This means that high-risk areas are checked first and are audited more frequently than other areas. High-risk areas can include changes that have introduced potential risk into the business.
What defines a high-risk area? High-risk areas could include any of the following:
- New production environment or release of software
- New integration of systems such as payroll
- Backups not being performed or restorations checked
- Not performing regular internal audits
- Any non-conformances identified by an external auditor
- Any changes to the business that could impact operations
You then move on to medium-level risks and lastly to lower-level risks, which can be audited less frequently but must still be checked at some stage.
The risk level should be defined and logged in your risk register and checked when you draw up the internal audit schedule for your audit program.
But remember, risk can change; it is not a fixed rating. What is a low risk one year may not be a low risk the next year, and a high risk one year may drop in severity to a medium or low risk.
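The scheduling rules above (high-risk areas first and most often, lower-risk areas less often but at least once, and no more audits per month than the business can absorb) can be written down as a small scheduler. The following is an added example, not code from the article or from any ISO tooling; the 36-month cycle, the audit interval for each rating (high every 6 months, medium every 12, low once per cycle), the two-audits-per-month capacity and the sample risk register are all assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumptions for this example (not stated in the article):
# a 36-month program, the audit interval per risk rating, and the number
# of audits the team can absorb in one month.
CYCLE_MONTHS = 36
INTERVAL_MONTHS = {"high": 6, "medium": 12, "low": CYCLE_MONTHS}
PRIORITY = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class RiskEntry:
    """One line of the risk register: an auditable area and its current rating."""
    area: str
    rating: str  # "high", "medium" or "low"


# Constructed sample risk register, loosely following the article's high-risk list.
SAMPLE_REGISTER = [
    RiskEntry("Backup and restore testing", "high"),
    RiskEntry("New payroll integration", "high"),
    RiskEntry("Production release process", "high"),
    RiskEntry("Access control reviews", "medium"),
    RiskEntry("Supplier management", "medium"),
    RiskEntry("Document control", "low"),
    RiskEntry("Physical security of archive", "low"),
]


def validate_register(register):
    """Reject ratings the scheduler cannot act on, and duplicate areas."""
    seen = set()
    for entry in register:
        if entry.rating not in INTERVAL_MONTHS:
            raise ValueError(f"unknown risk rating {entry.rating!r} for {entry.area!r}")
        if entry.area in seen:
            raise ValueError(f"duplicate area {entry.area!r} in risk register")
        seen.add(entry.area)


def build_schedule(register, cycle_months=CYCLE_MONTHS, capacity_per_month=2):
    """Simulate the cycle month by month.

    Every area is due in month 1.  Each month the due (or overdue) areas are
    sorted high -> medium -> low and the first `capacity_per_month` of them are
    audited; an audited area becomes due again after its rating's interval.
    Areas that did not fit stay in the queue, so nothing is silently dropped.
    Returns {month: [(area, rating), ...]}.
    """
    validate_register(register)
    rating = {e.area: e.rating for e in register}
    next_due = {e.area: 1 for e in register}
    schedule = {}
    for month in range(1, cycle_months + 1):
        due = [a for a, m in next_due.items() if m <= month]
        due.sort(key=lambda a: (PRIORITY[rating[a]], a))
        chosen = due[:capacity_per_month]
        schedule[month] = [(a, rating[a]) for a in chosen]
        for a in chosen:
            next_due[a] = month + INTERVAL_MONTHS[rating[a]]
    return schedule


def audit_count(schedule, area):
    """How many times an area is audited over the cycle."""
    return sum(1 for audits in schedule.values() for a, _ in audits if a == area)


def coverage_gaps(register, schedule):
    """Areas that never get audited: the 'must be checked at some stage' rule."""
    audited = {a for audits in schedule.values() for a, _ in audits}
    return sorted(e.area for e in register if e.area not in audited)


def rerate(register, area, new_rating):
    """Return a new register with one area re-rated; risk is not a fixed rating."""
    return [RiskEntry(e.area, new_rating) if e.area == area else e for e in register]


if __name__ == "__main__":
    plan = build_schedule(SAMPLE_REGISTER)
    for month, audits in plan.items():
        if audits:
            print(f"month {month:2d}: " + ", ".join(f"{a} [{r}]" for a, r in audits))
    print("coverage gaps:", coverage_gaps(SAMPLE_REGISTER, plan) or "none")
```

Running the script prints the month-by-month plan: the three high-risk areas are taken in months 1 and 2 and come back every six months, the medium areas recur yearly, and the two low-risk areas are audited once, in months 3 and 4. Re-rating an area with `rerate` and rebuilding the schedule is how the "risk can change" point is handled: the re-rated area simply moves up the queue and inherits the shorter interval, while `coverage_gaps` confirms nothing has dropped out of the program.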
If you don’t perform audits and you don’t check the risk of your business, how do you know what could impact you and the business?