Internal Audit

Internal audit is an independent and objective assessment of whether your organisation's processes, controls and compliance efforts work as intended. The audit identifies weaknesses, verifies adherence to requirements and provides management with a basis for decisions about improvements.



    What is internal audit?

    Internal audit is the organisation's self-monitoring. It is the process whereby you systematically examine whether your policies, controls and procedures work in practice. The purpose is not to find errors for their own sake, but to ensure continuous improvement and give management an honest picture of the state of affairs.

    Independence is crucial. The person conducting the audit must not be the same person who carries out the work being audited. If your IT department has implemented a control, the audit of that control must be performed by someone outside IT.

    Internal audit differs from external audit. An external audit is carried out by an independent third party, typically in connection with certification (e.g. ISO 27001) or statutory financial audit. Internal audit is your own ongoing control mechanism.

    The results of internal audit feed into the management review and form the basis for corrective actions and improvements to your compliance framework.

    The audit process

    A structured internal audit typically follows these phases:

    • Planning: Develop an audit programme covering all relevant areas over a defined period. Prioritise on the basis of risk assessment and previous findings.
    • Preparation: Define the scope, criteria and method for the individual audit. Review relevant documentation in advance: policies and procedures, previous audit reports and any non-conformities.
    • Execution: Conduct interviews, observations and document reviews. Compare actual practice with defined requirements and controls.
    • Reporting: Document findings, classify non-conformities and prepare recommendations. Report to management.
    • Follow-up: Verify that corrective actions have been implemented and are effective.

    ISO 27001 uses the term "internal audit" for this activity and sets specific requirements for its planning, independence and documentation.

    Regulatory requirements for internal audit

    ISO 27001 (clause 9.2) requires you to conduct internal audit at planned intervals to verify that your ISMS meets both the organisation's own requirements and the standard's requirements.

    GDPR does not mention internal audit directly, but the regulation's requirements for accountability and documentation make it practically necessary to carry out regular internal reviews of data protection measures.

    NIS2 requires essential and important entities to have policies for assessing the effectiveness of their cyber security measures. Internal audit is a central tool for that.

    DORA requires independent audit of ICT risk management in financial undertakings, including testing and assessment of controls.

    Several regulatory frameworks thus point in the same direction: you must be able to document that your controls work, and internal audit is the most recognised method for doing so.

    Best practice for internal audit

    Use a risk-based approach to prioritise. You rarely have the resources to audit everything at once, and the greatest risks deserve the most attention.

    Ensure genuine independence. The auditor must never audit their own work. In smaller organisations this may mean using external consultants for parts of the audit.

    Document everything systematically. The audit programme, individual audit reports, findings, corrective actions and follow-up should all be documented in your records of processing activities or a dedicated audit system.

    Treat non-conformities as opportunities for improvement, not as criticism. A culture where employees fear the audit rarely yields honest answers. Security awareness also means understanding that audit exists to help.

    Link audit results to the management review. Management must see the aggregated results and make decisions about resources, priorities and improvements.

    Frequently Asked Questions about Internal Audit

    What is the difference between internal audit and external audit?

    Internal audit is carried out by the organisation's own employees (or an outsourced function) and focuses on continuous improvement of processes and controls. External audit is performed by an independent third party, typically in connection with certification or statutory audit.

    How often should internal audit be conducted?

    ISO 27001 requires internal audit at planned intervals. Most organisations conduct a full audit cycle annually, but critical areas may be audited more frequently. The frequency should be based on risk and previous findings.

    Can an external party carry out the internal audit?

    Yes, many organisations use external consultants for internal audit to ensure independence and specialist competence. The important thing is that the auditor is independent of the processes being audited.

    What happens when internal audit finds non-conformities?

    Non-conformities are documented, classified by severity and assigned to a responsible person with a deadline for corrective action. Serious non-conformities are reported to management. Subsequently it is verified that the action has been implemented and is effective.
