What makes a good internal audit?

CertiKit’s Lead ISO27001 Auditor Jerry Lawrence gives guidance for a successful internal audit, so that your organization gets the best out of its time with the auditor, whichever standard you are complying with.

There are several factors that make an audit effective for both the auditor and the auditee, and that make the best use of the time spent.

In detail below we look at the importance of:

  • Auditor skills
  • Audit planning
  • The audit day(s)
  • Audit reporting, nonconformities and audit observations
  • Data collection


Auditor skills

  • It’s important that the internal audit is conducted by a trained and competent auditor who is independent of the area being audited – this allows impartiality and a balanced judgement on the evidence shown in the audit
  • If you cannot afford to operate your own internal audit function, consider using an independent third-party auditor who can work with you to support your auditing requirements
  • Always use accredited and credible training providers for your auditor pool so that your auditors are confident about what the standards require and the approach they take – this way you will get the most out of the time spent

Audit planning

  • Ensure you work with the auditor to define the scope, so it is clear what will be examined and the types of questions that will be asked
  • Ensure adequate time is planned for conducting the audit – a rushed audit will be ineffective and waste both your time and the auditor’s, as it will most likely not fully examine the scope
  • The auditor will likely want to speak to several relevant staff members. Ensure these interviews are organised at appropriate intervals so the audit can be conducted thoroughly
  • Your auditor will also need to plan sufficient time for report writing and corrective actions. An inadequate report that is hastily put together will not convey the health, wealth, and strength of the areas of the Management System

The audit day(s)

  • Your auditor will likely use a checklist or an outlined schedule of topics and areas to be covered, prepared at the planning stage. Keep a copy of this too, so you can confirm everything is covered
  • For a time-efficient audit, and to ensure everything planned gets covered, give the auditor access to all appropriate evidence required. This is particularly useful for assessing issues and nonconformities, and for recall when writing the audit report, and it allows you to get the most out of the internal audit

Audit reporting

When receiving the audit report, ensure your chosen auditor follows best practice:

  • The audit report should always include an executive summary at the beginning. This will outline the strengths and weaknesses of the processes in the scope of the audit, and a balanced view of the health of the Management System
  • Your auditor should provide you with a concise, factual, and easy-to-read report which includes the number and details of any audit findings on the first page, so that Senior Management have this information immediately in front of them
  • An auditor should always confirm any audit findings or nonconformities observed before distributing the audit report and final findings list
  • The report should always distinguish between nonconformities and auditor observations, so it is clear which problems need fixing immediately and which things can be improved later on
  • Nonconformance statements need to be concise and refer directly to the standard requirement and/or the internal process or procedural requirement that was found deficient, so you can resolve them easily. Make sure the supporting evidence for each finding is attached or referenced too.

Even if your audit report has some nonconformances and/or observations, it’s important to take note of the reported positive aspects too and share them among the wider team.

Collecting data

Collecting data on audits and their outcomes doesn’t have to be complicated. Simple measures should help your organization understand the progress of audits within the annual audit schedule, as well as any audit findings. All of this becomes useful data for the Management Review when making effective decisions about the health of the management system.

  • Collecting data allows your organization to look at trends that may be happening within a process or across the business (systemic issues)
  • Data allows comparisons of before and after implementing improvements to see if things are improving
  • Only collect data on what you need and don’t overburden staff or create systems to collect masses of data that will never be analysed

Some examples of useful audit data

Schedule adherence

  • Audits planned vs actual – a measure that audits are being performed
  • Planned hours vs actual hours – a measure that can help plan future audit time more accurately
  • Overdue audits – a simple count of audits that have slipped beyond an acceptable deadline


[Chart: the overall gain/loss line shows under-planning of the time for audits]

Audit Trends

  • Overdue trend – a measure of the increase or decrease in overdue audits, which indicates a lack of audit resource or auditee support
  • Nonconformance trends – you can slice the nonconformance data in any way that helps you determine where you are going wrong. The most common NC trends are:
    • By process
    • By ISO clause or area
    • By severity (Major, Minor, Observation)
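The schedule-adherence and trend measures above are simple enough to compute from a list of audit records. The following is an added example, not CertiKit’s code or tooling: it builds a small constructed audit schedule and derives planned vs actual audits, planned vs actual hours (the gain/loss line), the overdue count, the overdue trend between two reporting dates, and nonconformance counts by process, clause and severity. The 14-day grace period before an audit counts as overdue is an assumed threshold, as are the process names and clause references in the sample data.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Finding:
    clause: str     # ISO clause or area the finding is raised against
    severity: str   # "Major", "Minor" or "Observation"


@dataclass
class Audit:
    process: str
    planned_date: date
    planned_hours: float
    completed_date: Optional[date] = None   # None = not yet performed
    actual_hours: float = 0.0
    findings: List[Finding] = field(default_factory=list)


# Constructed sample schedule for illustration only (not real audit data).
AUDITS = [
    Audit("Access control", date(2024, 1, 15), 4.0, date(2024, 1, 16), 5.5,
          [Finding("A.5.15", "Minor"), Finding("A.5.18", "Observation")]),
    Audit("Supplier management", date(2024, 2, 12), 3.0, date(2024, 2, 12), 3.0,
          [Finding("A.5.19", "Major")]),
    Audit("Incident management", date(2024, 3, 4), 4.0),          # never performed
    Audit("Backup", date(2024, 3, 18), 2.0, date(2024, 4, 2), 2.5,
          [Finding("A.8.13", "Minor"), Finding("A.8.13", "Minor")]),
    Audit("Access control", date(2024, 4, 22), 4.0),              # not yet due
]


def schedule_adherence(audits, as_of, grace_days=14):
    """Planned vs actual audits, planned vs actual hours and overdue count as of a date.

    as_of is an ISO date string (e.g. "2024-04-30"). An audit is overdue when it
    was not completed by as_of and its planned date is more than grace_days earlier
    (grace_days is an assumed threshold, not a value from the article).
    """
    cutoff = date.fromisoformat(as_of)
    planned = [a for a in audits if a.planned_date <= cutoff]
    done = [a for a in planned
            if a.completed_date is not None and a.completed_date <= cutoff]
    overdue = [a for a in planned
               if a not in done and (cutoff - a.planned_date).days > grace_days]
    planned_hours = sum(a.planned_hours for a in done)
    actual_hours = sum(a.actual_hours for a in done)
    return {
        "planned": len(planned),
        "actual": len(done),
        "planned_hours": planned_hours,
        "actual_hours": actual_hours,
        # Negative means audits took longer than scheduled (under-planning).
        "hours_gain_loss": planned_hours - actual_hours,
        "overdue": len(overdue),
    }


def overdue_trend(audits, earlier, later, grace_days=14):
    """Change in the overdue count between two reporting dates (positive = worsening)."""
    before = schedule_adherence(audits, earlier, grace_days)["overdue"]
    after = schedule_adherence(audits, later, grace_days)["overdue"]
    return after - before


def nonconformance_trends(audits):
    """Count findings by process, by ISO clause and by severity."""
    by_process, by_clause, by_severity = Counter(), Counter(), Counter()
    for audit in audits:
        for finding in audit.findings:
            by_process[audit.process] += 1
            by_clause[finding.clause] += 1
            by_severity[finding.severity] += 1
    return by_process, by_clause, by_severity


if __name__ == "__main__":
    print("Schedule adherence:", schedule_adherence(AUDITS, "2024-04-30"))
    print("Overdue trend Mar->Apr:", overdue_trend(AUDITS, "2024-03-10", "2024-04-30"))
    by_process, by_clause, by_severity = nonconformance_trends(AUDITS)
    print("NCs by process:", dict(by_process))
    print("NCs by clause:", dict(by_clause))
    print("NCs by severity:", dict(by_severity))
```

Because the functions take a reporting date, the same records can be re-run at each Management Review to produce the before/after comparison the article recommends, without collecting anything beyond what the audit schedule already holds.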

Internal audits also delve deeper into the implementation of, and compliance with, processes than certification audits do, so they can be a far more accurate indicator of how well your processes are adopted within the organization.

It is important that Senior Management recognise the need to assign time and resources to internal audits, but it is equally important that auditors perform efficient, clear and effective audits so that Senior Management get a true and accurate picture of the performance of the organization’s business operations.

How can CertiKit help?

CertiKit offer both full pre-certification audits and ongoing internal audits performed by a qualified ISO27001 lead auditor. Whether you’re a toolkit customer or not, we’d be happy to assist you with your ISO27001 internal auditing requirements. CertiKit’s internal audits are performed remotely via MS Teams by our consultants in the UK and are most suitable for organizations within +/- 2 hours of the UK time zone. Please note, CertiKit are not a Registered Certification Body and cannot provide you with a formal management system certification.
