Internal audits are a necessary part of becoming, and staying, certified to an ISO standard. Although perhaps less scary than a visit from the certification auditor, internal audits can often be seen as a nuisance, something that stops you doing the busy day job and delivering ‘real work’. But there are a number of benefits to internal audits for the auditee that shouldn’t be ignored, such as:
So instead of being seen as a pest, we believe the internal auditor should be greeted with a healthy degree of appreciation and maybe even a cup of coffee.
But as the person being audited, what can you do to make this process as smooth as possible? Let’s look at the essential steps to preparing for the internal audit.
You should have an audit programme that sets out the audits that will be performed, and the areas of the standard that they will cover. Have a look at this and get it straight in your own mind what you will be talking about when the internal auditor arrives (physically or virtually). Hopefully the auditor will have created an audit plan that states clearly what they are coming to discuss. Review the standard to refresh your memory about what the clauses and controls cover and what the requirements are so you can hit the ground running.
Apart from the date, time and duration of the audit, the main question to ask initially is whether the auditor is coming to see you in person or conducting the audit via Teams or similar collaboration software (and if so, do you have the chosen software installed?). If it’s an in-person visit you may need to think about a room, parking, letting reception know, refreshments, how to show documents (for example on a big screen or via a projector) and other practical considerations. If it’s virtual, will it be via the “show and tell” method, where the auditor stays on the line, or via the “provide and leave” method, where you send the auditor the relevant documentation and they ponder it offline until they’re ready to talk to you again? A few emails exchanged for clarity can save a lot of confusion on the day.
Depending on the scope of the audit you may need to involve other people within your organization. Identify who they are and then check their availability on the day, ideally with a nominated deputy in case something unexpected happens in their department. Be as accurate as you can about timing, but allow for some flexibility if the audit runs over or another person isn’t available and the order has to be changed. Brief them about the areas to be covered and the audit process, especially if they haven’t been involved before.
There are few things more irritating for an auditor than having their work ignored, so make sure you check on the progress of actions raised from the last audit that was carried out. If they have been completed, make sure the relevant records have been updated. If they are still in progress, be aware of why they aren’t closed yet and how long they are likely to take.
After the initial hellos and discussion about the weather the first question an auditor is likely to ask you is “what’s changed?”. They are interested in the way in which your ISMS adapts and copes with change so before the audit have a think about those areas in which something significant has happened; it could be a new project, a location move, some redundancies, a data breach, a change of suppliers or anything else that has an information security implication. For each of these things, put some thought into whether the right processes have been followed, and whether the evidence backs this up.
Sometimes it’s a long time between audits, and your familiarity with where information is located may fade a little. This is your chance to reacquaint yourself with the location and contents of policies, processes, technical controls and other items that will be the subject of the upcoming audit. This will save time on the day and make you look like you know what you’re doing. It’s also your chance to correct anything you find that hasn’t been updated or doesn’t follow due process, such as an unapproved policy or an incident record not closed.
Depending on the auditor and the method of audit, it may be appropriate to provide at least some of the relevant documentation shortly before the audit. Perhaps the auditor will give you a list of desired documents or you could simply provide what you think they will want to see. Be careful to do this securely so that a nonconformity doesn’t result from your good intentions. The best way is via secure file sharing or a portal; less so via email.
Conducting a smooth internal audit is very much a two-way street and it’s important that you as the auditee play your part in making it happen like a well-oiled machine. Your auditor will certainly appreciate your help and will be more prepared to give you the benefit of the doubt when issues arise. But above all, treat internal audits as a valuable improvement tool that makes your ISMS, and therefore your organization, better.
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.
CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance. If you’re looking to outsource your internal audit, we can conduct your internal audit and help prepare your team.