Internal audits: What are they?

When your business is working to achieve an industry standard, such as ISO 27001 or ISO 9001, or even the UK based IASME Cyber Assurance standard, you will likely have already heard of internal audits in some fashion. Whether you have worked directly on the internal audits or have been part of one in the past, everyone within the business should understand what they are and how they play a part within the business.

This article is not going to be a technical article regarding internal audits but will be more orientated towards people or businesses which are looking for information about what they are, why you need them, how to conduct them and so forth.

Internal audits can impact your business in several ways and although they are based and used across several ISO standards and frameworks, today we’re going to be concentrating around internal audits for the ISO 27001 standard.

What are internal audits?

So now that we know that internal audits can be carried out across several standards, what we now need to know is what an actual audit is.

An internal audit is implemented within the business to define a systematic process of auditing, collecting, and evaluating information to ensure that the business is in full compliance against the standard they are being audited against, generally ISO 27001 or ISO 9001.

The standard, under ISO 27001, states that the business will conduct planned audits at intervals to provide information on the information security management system. The important point here is the word “planned”.

A lot of people think that when they need to conduct audits, they need to perform an audit against everything in a short period of time, however this is not the case. As long as the business has a process in place to audit all areas of the standard within the business, this could be within 6 months, 12 months, 24 months or longer. A three-year audit cycle is common as it falls inline with the ISO audit renewal by an external assessment company.

What you don’t want to happen is get into a situation where you are in audit overload, especially if you need to conduct audits for several standards and they all overlap. So, planning accordingly is key.

Internal audits are usually conducted alongside an internal audit schedule, this schedule will allow the business to plan out internal audits over a defined period. The audit schedule will define what area of the standard is being tested and when.

When conducting internal audits, the business will look for areas of weaknesses within processes, non-conformities against the standard as well as areas of improvement. Additionally, when the audit is completed for a second time (or re-passed), the audit will check the previous results and ensure that the outcome and any recommendations have been completed. What you don’t want to see is recommendations or findings be left unresolved for several audit cycles.

By carrying out regular internal audits, usually by dedicated internal staff members or a dedicated department, the business can understand the state of the business, including some of the following:

  • Ensure compliance with the standard
  • Review and evaluate the processes and procedures of the internal information security management system (ISMS)
  • To ensure that improvements are carried out within the business where necessary
  • To ensure that members of the business understand the framework and processes within the business
  • To provide feedback and advice upon any findings

All findings of the audit should be recorded accordingly, they should be documented and then reported to management upon completion and then retained for evidence at a future date, usually when the audit re-cycle is carried out, so that the auditor can verify the results of the current findings compared to the previous findings.

The auditor

Before conducting an audit, you need to have an auditor within the business. The audits should be carried out by someone within the business who has enough experience within the business and to ensure that they have the backing of senior management throughout the process and can be objective and have access to all areas of the business.

If this is a new process for the business and there are no experienced auditors available, it will be beneficial for the business to first train the nominated person(s) in the process of internal audits. There are several training courses around which cater for this.

The auditor may gain access to sensitive information within the business, so you need to ensure that confidentially is key, and that the auditor and the business have defined appropriate conditions. Auditing is not just about technical processes. As part of the audit process, it will require the auditor to have listening and communicative skills, it will require the auditor to ask questions to members of staff, and where needed to maybe change the questioning style or terminology used.

If your business is new to performing internal audits, you should ensure that you nominate someone or several people (depending upon the size) with the business for this process. If you have no one experienced, you should look at getting the people trained up before performing these audits. As mentioned, the auditor requires to have access to all areas of the business, this will include access to staff, departments, and locations. Everyone within the business should be made aware that audits will be carried out and when required help the auditor out.

Carrying out internal audits

Before an audit is carried out the internal audit process should be planned well beforehand, this will be performed alongside the development of the audit schedule process. By performing the planning beforehand you can ensure that the process will be clearly defined, and the priorities are established.

Depending upon the area that is going to be audited, you should ensure that the necessary people have been notified and are available to aid in your audit process. This will help to ensure that there are no delays in the audit process and that access to any documents, policies or evidence are available at the time of the audit.

During the audit you should ensure that you have defined the audit process, as in what is going to be checked, what deadlines there are, are there any previous non-conformities which need to be reviewed, were there any recommendations/improvements etc.

Depending upon the size of the business when performing an audit, you should have an audit team leader in place which will supervise the audits to ensure that everything is audited as designed by the plan/schedule.  For smaller businesses, this won’t be feasible, and it may end up being one person who is doing everything, if this is the case, ensure that the planning of audits has been planned sufficiently to allow enough time.

When the internal auditor is performing the actual audit, they should be recording all the results, how they do this doesn’t really matter, as long as you ensure that all evidence and results are recorded. It could be within a Word document, Excel spreadsheet for some other electronic form. As long as the information is there and can be stored for evidence that is the main area to think about.

When the audit has been completed, you need to ensure that the audit findings have been written up in a way that management can understand them, that the report/findings have been written up in a way that allows the business to decide a course of action and be understandable for someone who has not seen the report before, especially if reviewed again in a year or two.

Where you have audited an area of the business and you find that the area of the business does not specifically adhere to the standard, the auditor should record this and highlight a non-compliance, this then allows the business to work on this non-compliance and improve upon it to ensure compliance before the next audit.  Where necessary evidence should be captured, whether this is in a form of screen shots, paper-based evidence, or testimonial.

When performed correctly, the performing of internal audits, regardless of whether you are going down a standardisation route can be hugely beneficial to a business, it allows the business to see where they are weak, where improvements need to be made and so forth.