Internal audits: What are they?

If you’ve never heard of internal audits before, or you are about to start working towards an ISO standard, internal audits are a mandatory part of the process that you need to understand. They are generally built around an information security management system (ISMS) or a quality management system (QMS).

Today we’re going to talk about what an internal audit is, who carries out internal audits, how external and internal audits differ, and what the internal audit process looks like.

What is an internal audit?

An internal audit can be thought of as a review of the business in specific areas, usually against a set of ISO controls, although the scope and criteria can change depending on the requirements of the business.

An internal audit is defined as an independent and objective review. It can be performed by the business itself, provided the person has the necessary skills and does not audit their own work, or by an outsourced company.

The internal audit is designed to check that the business is meeting the necessary requirements and, where appropriate, to identify areas of improvement that add further value to the business.

If the internal audit finds that the business is not meeting the requirements in certain areas, these findings must be logged as nonconformities and an action plan put in place to remediate them.

Internal auditors, who are they?

So, we now know what internal audits are, and that either the business or someone external can perform them. But who are the internal auditors, and what are their goals during this work?

The internal auditor’s role is to perform independent auditing of the company’s compliance. As an auditor, you need to provide independent assurance that the business is managing its risk, governance and internal processes effectively.

By carrying out internal audits, you as an internal auditor give management and/or the board of directors assurance that the business is complying with the standards it has adopted, or, where areas of concern have been identified, that a plan of action is in place to improve and remediate them.

You don’t have to review the whole company in every audit, but the audit programme should cover the whole scope of the management system over its cycle, typically a year.

As we’ve mentioned, internal auditors can be anyone within the business, but they do need to be suitably trained. This could be through providing auditor training, or by hiring an external company to perform the duties.

When you are performing internal auditor duties, the audit process should answer the following questions:

  • Is the business working towards its core defined objectives?
  • Have risks been identified and managed appropriately for the needs of the business?
  • Are policies and procedures being reviewed, kept up to date and applied correctly within the business?
  • Are there any areas within the business that can be improved upon?
  • If working with ISO standards, are the controls under review actually met, and is there evidence to show it?

What responsibilities do internal auditors have?

Internal auditors have a responsibility to determine, with evidence, whether the business meets the requirements of the standard it is being audited against. They also check that the business is acting on improvements, reviewing changes to its processes and environment, and keeping those processes effective. Note that the auditor’s job is to report the findings impartially; it is management’s job to fix them.

This is generally done by looking at the business operations and checking that the following are in place:

  • Sufficient monitoring of risks, with identified risks logged and reviewed by the business
  • A review of the business’s compliance with applicable laws and regulations
  • Recommendations for improvement

As we’ve mentioned earlier, auditors must have the education and qualifications to carry out audits, and must be suitably skilled and experienced. If nobody in the business meets this, you can either train someone up via courses or engage an external third-party company to carry out your audits for you.

Differences between external and internal audits

When it comes to audits, there are two main types: the internal audits we are discussing today, and external audits.

Internal audits are generally defined and controlled by the business. The business uses them to improve its operations and to ensure it is adhering to standards such as ISO 27001 or ISO 9001.

These audits help to keep communication flowing within the business, and catch any issues that could affect the running of the business or its compliance with a standard before it’s too late.

External audits, on the other hand, are conducted by an accredited external certification body, so there is far less flexibility in scope and criteria. The external auditor will usually want to see evidence of your internal audit reports and the actions taken on their findings, as well as your compliance against specific controls.

Internal audits are carried out throughout the year, whereas external audits are generally carried out once a year, as an annual surveillance audit within a multi-year certification cycle.

Internal audit process

When conducting an internal audit, documentation and impartiality are key. The internal audit process is usually made up of the following stages:

  • Planning: agree the scope, criteria, schedule and auditor for each audit
  • Implementation: carry out the audit, gathering evidence through interviews, document review and observation
  • Reporting: record findings, nonconformities and opportunities for improvement, and report them to management
  • Acting: agree corrective actions, track them to completion and verify they were effective

These stages map directly onto the Plan-Do-Check-Act (PDCA) cycle that underpins ISO management systems.

We hope this is useful for you and if you would like any further information about the internal audit process, please let us know.