How Often Should You Audit?

Annual internal audits create fire drills. This guide shows how to build a risk-based ISO 27001 internal audit program that spreads testing across the year and keeps you ready.

How Often Should You Audit? Designing an ISO 27001 Internal Audit Program That Keeps You Ready

Annual audits create panic. Continuous audits build confidence. Here is how to design a schedule that spreads control testing throughout the year so you are never caught off guard.

Introduction

“The certification audit is in three months. We should probably do an internal audit first.”

If this sentence sounds familiar, you are not alone.

Most organizations treat internal audits as a pre-certification dress rehearsal: a once-a-year scramble to check boxes before the real auditor arrives.

This is exactly backwards.

ISO 27001 Clause 9.2 requires internal audits at planned intervals. Not “once per year.” Not “right before certification.”
“Planned intervals” means you decide the cadence based on risk, complexity, and control criticality.

The trade-off is real:

  • Audit everything annually → Simple to schedule, but gaps hide for 11 months.
  • Spread audits quarterly → More work to coordinate, but issues surface early.

Here is the truth: The right answer is not one or the other. It is both.

In this guide, we’ll show you how to design an internal audit program that keeps you continuously ready without overwhelming your team or your auditors.

Perfect for compliance managers, internal auditors, and anyone tired of the annual audit fire drill.

Why Internal Audit Programs Fail (And How to Fix Them)

Before we dive into scheduling, let’s understand why most internal audit programs fail to deliver value.

Failure Mode | Why It Happens | The Fix
Annual scramble | “We’ll audit everything in Q4” | Spread audits throughout the year
Same scope every year | No risk-based prioritization | Risk-driven audit planning
Auditors audit their own work | No independence | Separate internal audit function
Findings with no follow-up | No tracking system | CAPA process in SharePoint
Management ignores results | Reports are too long | Executive summary dashboard
Audit fatigue | Too many audits, no coordination | Integrated audit calendar
No evidence preserved | Reports get lost | Centralized audit repository

The solution is not more auditing.

The solution is smarter auditing.

What ISO 27001 Actually Requires

Let’s start with the standard itself.

Clause 9.2 – Internal Audit

Requirement | What It Means
9.2.1 a) Conduct audits at planned intervals | You need a schedule
9.2.1 b) Determine if the ISMS conforms to ISO 27001 | Check against the standard
9.2.1 c) Determine if the ISMS is effectively implemented | Check against your own requirements
9.2.2 a) Plan, establish, implement audit program | Document your approach
9.2.2 b) Define audit frequency, methods, responsibilities | Be specific
9.2.2 c) Select auditors with objectivity and impartiality | No auditing your own work
9.2.2 d) Report results to relevant management | Findings go to decision-makers
9.2.2 e) Retain documented information as evidence | Keep everything

Notice what is missing:

  • The standard does not require annual audits
  • It does not require auditing everything every time
  • It does not prescribe how many audits

The only non-negotiable: You must have a plan, follow it, and keep evidence.

The Audit Frequency Trade-Off

Approach | Pros | Cons | Best For
Annual (everything at once) | Simple; one audit window | Gaps hide for 11 months; fatigue; findings pile up | Small orgs; low-risk environments
Semi-annual (two chunks) | More feedback; lighter lift | Still gaps between audits | Medium orgs; moderate risk
Quarterly (spread across year) | Early detection; no year-end panic | More coordination; needs auditor availability | High-risk controls; critical systems
Continuous (ongoing testing) | Real-time monitoring; immediate remediation | Automation investment required | Mature orgs; automated controls
Risk-based (mixed frequency) | High-risk more often; low-risk less often | More design effort | Most organizations (sweet spot)

The sweet spot for most organizations:

  • Critical controls: Quarterly
  • High-risk controls: Semi-annually
  • Medium-risk controls: Annually
  • Low-risk controls: Every 2 years or sample-based

The Risk-Based Audit Schedule

Instead of auditing everything at the same frequency, audit based on risk.

Risk Level | Audit Frequency | Examples
Critical | Quarterly | Access control (A.9), Vulnerability management (A.12.6), Incident response (A.16)
High | Semi-annually | Asset management (A.8), Supplier security (A.5.19), Cryptography (A.10)
Medium | Annually | Physical security (A.11), HR security (A.7), Compliance (A.18)
Low | Every 2 years or sample | Administrative controls, low-risk policies

Quarterly Audit Rotation Example

Quarter | Control Groups Audited
Q1 | Access Control (A.9) + Vulnerability Management (A.12.6)
Q2 | Incident Management (A.16) + Business Continuity (A.17)
Q3 | Supplier Security (A.5.19) + Asset Management (A.8)
Q4 | Full system audit (sample) + Management Review prep

Benefits:

  • No single audit overwhelms the organization
  • Issues surface within 90 days, not 365
  • Auditors become familiar with controls over time
  • Certification audit prep is continuous

Want a ready-to-use internal audit calendar + CAPA tracker?

See how a risk-based schedule looks in a SharePoint audit program hub: no spreadsheets, no chasing, no missing evidence.


The 5-Step Internal Audit Program Design

Step 1: Define Your Audit Universe

What to Build in SharePoint:

/Audit Program/
  /Audit Universe/
    - Control Groups List (linked to Annex A)
    - Processes List (key ISMS processes)
    - Departments List (areas of the business)
    - Suppliers List (if in scope)

Questions to Answer:

  • What controls need auditing? (All Annex A applicable controls)
  • What processes need auditing? (Risk assessment, internal audit, management review)
  • What departments need auditing? (IT, HR, Finance, etc.)
  • What suppliers need auditing? (Critical vendors)

Output: A complete list of everything that could be audited.

Step 2: Risk-Rank Your Audit Universe

What to Build in SharePoint:

/Audit Program/
  /Risk Rankings/
    - Control Risk Ratings (Critical/High/Medium/Low)
    - Process Criticality Ratings
    - Department Risk Scores
    - Supplier Risk Ratings

Control | Inherent Risk | Control Effectiveness | Audit Priority
A.9 Access Control | Critical | Medium | Quarterly
A.12.6 Vulnerability Mgt | Critical | High | Quarterly
A.8 Asset Management | High | Medium | Semi-annual
A.7 HR Security | Medium | High | Annual
A.18 Compliance | Low | High | Biennial

Step 3: Build Your Audit Schedule

What to Build in SharePoint:

/Audit Program/
  /Schedule/
    - Annual Audit Calendar (visual)
    - Quarterly Audit Plan
    - Monthly Audit Tasks
    - Auditor Assignments

Annual Calendar View (Power BI or SharePoint Calendar):

Month | Audits Planned | Auditor | Status
Jan | A.9 Access Control | Internal Audit | Completed
Feb | A.12.6 Vulnerability Mgt | Internal Audit | Completed
Mar | Follow-up on Q1 findings | Internal Audit | In Progress
Apr | A.16 Incident Management | Internal Audit | Planned
May | A.17 Business Continuity | Internal Audit | Planned
Jun | Follow-up on Q2 findings | Internal Audit | Planned
Jul | A.5.19 Supplier Security | Internal Audit | Planned
Aug | A.8 Asset Management | Internal Audit | Planned
Sep | Follow-up on Q3 findings | Internal Audit | Planned
Oct | Full System Audit (sample) | External Consultant | Planned
Nov | Management Review Prep | Internal Audit | Planned
Dec | Annual Audit Report | Internal Audit | Planned

Pro Tip: Build in follow-up audits the month after each major audit to verify remediation. This closes the loop and prevents repeat findings.

Step 4: Define Audit Methods and Tools

What to Build in SharePoint:

/Audit Program/
  /Methods/
    - Audit Checklists (by control)
    - Interview Templates
    - Evidence Request Lists
    - Sampling Methodology
  /Tools/
    - Audit Finding Log
    - CAPA Tracker
    - Auditor Calendar

Method | When to Use | Evidence
Document review | Policies, procedures, records | Screenshots, PDFs
Interview | Process understanding | Minutes, notes
Observation | Physical security, user behavior | Photos, witness logs
System review | Access logs, config reviews | Exports, screenshots
Sampling | Large populations | Sample criteria

Sampling Guidelines

Population Size | Sample Size
<100 | 10–15
100–500 | 15–25
500–1000 | 25–35
>1000 | 35–50

Pro Tip: Document your sampling methodology in your audit procedure. Auditors will ask how you selected samples. Have an answer.
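One way to make the sampling methodology defensible, as an added example that is not part of the original post or the platform it describes: the sample size follows the table above (upper end of each band), and the selection is seeded from the audit reference plus a fingerprint of the full population, so the same export always regenerates the same sample. Boundary handling at exactly 100/500/1000, the seed scheme and the constructed user list are assumptions.

```python
import hashlib
import random

# Sample-size bands from the table above, taking the upper end of each range.
# Exact boundary handling at 100/500/1000 and the seed scheme are assumptions.
def sample_size(population: int) -> int:
    if population <= 0:
        return 0
    if population < 100:
        size = 15
    elif population <= 500:
        size = 25
    elif population <= 1000:
        size = 35
    else:
        size = 50
    return min(size, population)  # never ask for more items than exist


def select_sample(audit_ref: str, items: list) -> dict:
    """Select a sample whose seed is derived from the audit reference and a
    fingerprint of the whole population, so anyone holding the same export can
    regenerate the exact selection when asked how the sample was chosen."""
    population = sorted(set(items))  # stable order, duplicates removed
    fingerprint = hashlib.sha256("\n".join(population).encode()).hexdigest()[:16]
    seed = f"{audit_ref}:{fingerprint}"
    rng = random.Random(seed)  # deterministic for a given seed string
    n = sample_size(len(population))
    return {
        "audit_ref": audit_ref,
        "population_size": len(population),
        "population_fingerprint": fingerprint,
        "sample_size": n,
        "seed": seed,  # file this with the audit evidence
        "selected": sorted(rng.sample(population, n)),
    }


# Constructed population: 120 user accounts exported for an A.9 access review.
USERS = [f"user{i:03d}" for i in range(120)]
```

Recording the seed and population fingerprint alongside the selected items is what lets you answer “how did you pick these?” with a reproducible procedure rather than a recollection.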

Step 5: Implement Finding Management (CAPA)

The Mistake: Finding logged. Email sent. Nobody follows up. Next audit, same finding.

The SharePoint Solution: Corrective Action Preventive Action (CAPA) Tracker.

/Audit Program/
  /Findings/
    - Open Findings View
    - Closed Findings View
    - Findings by Owner
    - Repeat Findings Dashboard
  /CAPA/
    - CAPA Form (linked to finding)
    - CAPA Workflow
    - CAPA Status Dashboard

CAPA Workflow:

  1. Finding identified during audit
  2. CAPA created in SharePoint list
  3. Root cause documented (required)
  4. Corrective + preventive actions assigned
  5. Owner + due date + notifications
  6. Verification by auditor
  7. Closure with evidence + trend reporting

Pro Tip: Require root cause analysis before approval. “We fixed it” is not enough. “We fixed it and prevented recurrence” is audit gold.

Canadian Cyber note: Our ISMS SharePoint Platform includes a pre-built CAPA tracker with automated workflows.
Findings go in. Actions get done. Evidence stays organized.

The Audit Schedule Options (With Trade-Offs)

Option 1: The Classic Annual Audit

Pros:

  • Simple to schedule
  • One audit window
  • Easy to resource

Cons:

  • Gaps hide for 11 months
  • Audit fatigue
  • Findings pile up

Best for: Very small organizations (<20 employees), low-risk environments, first-year certification.

Option 2: The Split Annual (Two Halves)

Best for: Small-medium organizations, moderate risk, growing teams.

Option 3: Quarterly Rotation (Risk-Based)

Best for: Medium-large organizations, high-risk environments, mature ISMS.

Option 4: Continuous Auditing (Automated)

Best for: Large enterprises, highly regulated industries, mature automation.

Option 5: Hybrid (Recommended)

Combine approaches:

  • Critical controls: Quarterly automated checks
  • High-risk controls: Semi-annual manual audits
  • Medium-risk controls: Annual sampling
  • Low-risk controls: Biennial or integrated with other audits

Most organizations win with Hybrid. It reduces fatigue, increases visibility, and keeps you audit-ready all year.

Practical Use Cases: Audit Programs in Action

Use Case 1: Quarterly Access Control Audits

The Challenge: Access creep happens monthly. Annual audits miss 11 months of drift.

The Solution:

  • Quarterly automated review of Azure AD/AD users, service accounts, privileged access
  • Sample-based manual checks: terminated users still active, excessive permissions, orphaned accounts
  • Findings feed into CAPA tracker + trend dashboard

Outcome: Access risks surface within 90 days, not 365.

Use Case 2: Integrated Supplier Audits

The Solution:

  • Supplier risk ratings determine audit frequency
  • Findings go into the same CAPA workflow
  • Supplier dashboard shows status end-to-end

Use Case 3: Phased Policy Audits

Quarter | Policies Audited
Q1 | InfoSec Policy, Access Control Policy
Q2 | Incident Response Policy, BCP Policy
Q3 | Supplier Security Policy, HR Security Policy
Q4 | All policies (sample check)

Use Case 4: Continuous Control Monitoring

Control | Automated Check | Frequency
A.9.2.3 Removal of access rights | Check terminated employees vs active accounts | Daily
A.12.6.1 Vulnerability management | Check last scan date per asset | Weekly
A.12.4.1 Event logging | Check logging enabled / forwarding | Daily
A.18.1.1 Compliance | Check for new regulations / updates | Weekly

Outcome: When something fails, you know immediately—not at the next audit.
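Two of the checks from the table above (A.9.2.3 and A.12.6.1), as an added example that is not part of the original post or the platform it describes: it runs over constructed CSV exports and emits one finding row per failure in the shape a CAPA tracker list would ingest. The column layouts, the 30-day scan threshold and the severities are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data): HR roster, directory export and
# asset inventory. Column names are assumptions about the source systems.
HR_CSV = """emp_id,status
E100,active
E101,terminated
E102,terminated
"""
ACCOUNTS_CSV = """account,emp_id,enabled
alice,E100,true
bob,E101,true
carol,E102,false
svc-backup,,true
"""
ASSETS_CSV = """asset,last_scan
web-01,2024-06-25
db-01,2024-05-01
jump-01,
"""
SCAN_MAX_AGE_DAYS = 30  # assumed policy threshold for A.12.6.1

def check_terminated_still_active(hr_csv, accounts_csv):
    """A.9.2.3: enabled accounts whose employee is terminated (Critical) and
    enabled accounts with no HR owner at all (Medium, review as orphaned)."""
    terminated = {r["emp_id"] for r in csv.DictReader(io.StringIO(hr_csv))
                  if r["status"] == "terminated"}
    findings = []
    for r in csv.DictReader(io.StringIO(accounts_csv)):
        if r["enabled"].lower() != "true":
            continue  # a disabled account is not an access-removal failure
        if r["emp_id"] in terminated:
            findings.append(("A.9.2.3", "Critical", r["account"], "enabled after termination"))
        elif not r["emp_id"]:
            findings.append(("A.9.2.3", "Medium", r["account"], "no HR owner"))
    return findings

def check_scan_freshness(assets_csv, today, max_age_days=SCAN_MAX_AGE_DAYS):
    """A.12.6.1: assets never scanned, or scanned longer ago than policy allows."""
    findings = []
    for r in csv.DictReader(io.StringIO(assets_csv)):
        if not r["last_scan"]:
            findings.append(("A.12.6.1", "High", r["asset"], "never scanned"))
            continue
        age = (today - date.fromisoformat(r["last_scan"])).days
        if age > max_age_days:
            findings.append(("A.12.6.1", "High", r["asset"], f"last scan {age} days ago"))
    return findings

def run_checks(today_iso):
    """One (control, severity, item, issue) row per finding, ready for a CAPA list."""
    today = date.fromisoformat(today_iso)
    return (check_terminated_still_active(HR_CSV, ACCOUNTS_CSV)
            + check_scan_freshness(ASSETS_CSV, today))
```

Scheduled daily, the output of run_checks is exactly the kind of row a Power Automate flow can drop into the findings list, so a failure becomes a tracked CAPA the day it appears.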

The Internal Audit Toolkit: What to Build in SharePoint

Here is the complete toolkit for managing your internal audit program, all within SharePoint.

  1. Audit Program Hub: schedule + findings + CAPA dashboards
  2. Audit Plans: annual + quarterly plans, scopes, assignments
  3. Audit Checklists: one per control group
  4. Findings: open/closed views, repeat finding trends
  5. CAPA Tracker: ownership, due dates, verification evidence
  6. Reports: quarterly reports + annual report + management review inputs
  7. Auditor Resources: training, methodology, sampling guidance

Innovative Ideas: Next-Level Internal Auditing

Idea 1: Risk-Based Audit Scoring

Score audit findings (Critical=10, High=5, Medium=2, Low=1) and trend it by department/control group so leadership sees where risk is accumulating.

Idea 2: Automated Finding Assignment

Log a finding → Power Automate assigns the correct owner → creates tasks → escalates if not acknowledged in 48 hours.

Idea 3: Audit Heat Map

Green/yellow/orange/red dashboard by control health (no findings vs repeat findings) so everyone knows what needs attention.

Idea 4: Continuous Audit Dashboard

Automated checks feed a SharePoint list; Power BI shows pass/fail; alerts go out instantly.

Idea 5: Peer Audit Exchange

Swap auditors with a non-competing org for independence without big consulting bills.

Best Practices for Internal Audit Success

  1. Ensure auditor independence. No one audits their own work.
  2. Document everything. Plans, checklists, evidence, findings, CAPAs, reports.
  3. Train your auditors. ISO 27001 basics + interviewing + report writing.
  4. Link audits to risk. High-risk areas get tested more often.
  5. Track trends. Repeat findings = root cause not fixed.
  6. Report to management. Visual summaries beat long reports.
  7. Celebrate improvements. “Red to green” drives engagement.

The 5 Audit Findings You’ll Avoid with Good Planning

Finding | Root Cause | Prevention
Internal audits not conducted as planned | No schedule or not followed | Published audit calendar + reminders
Auditors lack independence | Auditing own work | Designated independent auditors
Finding closure not verified | No CAPA verification | CAPA tracker with verification evidence
Management not informed of results | Reports not shared | Automated reporting / dashboards
No evidence of audits | Reports lost | Centralized audit repository

Why This Works Better With Our ISMS SharePoint Platform

You can build all of this with native SharePoint and Power Automate. You should.

But if you want to skip the months of building and testing, our ISMS SharePoint Platform delivers it pre-built.

Audit Component | DIY Timeline | Our Platform
Audit program hub | 2 weeks | ✅ Pre-built dashboard
Risk-based audit schedule | 3 weeks | ✅ Template with risk weighting
Audit checklists (93 controls) | 4 weeks | ✅ Ready to use
Finding log | 1 week | ✅ Pre-configured
CAPA tracker with workflow | 3 weeks | ✅ Automated
Audit calendar | 1 week | ✅ SharePoint calendar
Power BI audit dashboard | 4 weeks | ✅ Template included
Auditor assignment workflows | 2 weeks | ✅ Power Automate ready
Management report templates | 2 weeks | ✅ Included
Evidence folders per audit | 2 weeks | ✅ Pre-created

Executive Insight

Organizations that shift from annual audits to risk-based quarterly reviews reduce repeat findings by up to 60% within one certification cycle.
Audit maturity is not about frequency. It is about timing aligned to risk.

Audit Reality Check

If your organization only discovers control failures during certification audits, you do not have an internal audit program.

You have an annual compliance event.

Why Hybrid Wins

  • Critical controls monitored quarterly
  • High-risk controls reviewed semi-annually
  • Lower-risk controls sampled annually

This approach balances operational effort with real risk exposure.

What Changes When You Centralize Audits in SharePoint

  • Findings cannot disappear in inboxes
  • Root cause becomes mandatory, not optional
  • Evidence stays attached to the control
  • Leadership sees risk trends instantly

Most Audit Programs Have 3–5 Hidden Gaps

Gaps typically exist in:

  • Follow-up verification timing
  • Auditor independence documentation
  • Control sampling methodology
  • CAPA trend analysis

Most teams do not realize these weaknesses until the external auditor points them out.

Continuous Audit Readiness Is a Competitive Advantage

Mature organizations do not scramble for audits.

They monitor, adjust, and improve continuously.

That confidence shows in every customer security review, every procurement questionnaire, and every certification audit.

Metric | DIY | Our Platform
Time to first audit | 3 months | 1 week
Audit completion rate | 60% (manual) | 95% (automated)
Finding closure time | 60+ days | 21 days (avg)
Repeat finding rate | 30% | 8%
Management review prep | 2 weeks | 2 hours

Our ISMS SharePoint Platform is not software. It is 4,000 hours of audit program experience, packaged into a 2-day deployment.

The 15-Minute Audit Program Diagnostic

You do not need to guess whether your audit program will survive certification.

Book 15 minutes with our team. We will open your current audit program (or our demo tenant) and show you:

  • Where your audit schedule has gaps (most have 3–5)
  • One control group you should audit quarterly (that you currently audit annually)
  • How to turn audit from a fire drill into a continuous process

This is not a sales pitch. It is a diagnostic.

The Question That Separates You

“Can we build an audit program with spreadsheets and email?”

Yes. Thousands of organizations do.

“Should we build an audit program with spreadsheets and email?”

Only if you enjoy:

  • Finding out about control failures at year-end
  • Chasing auditors for reports
  • Losing findings in email threads
  • Explaining repeat findings to certification auditors
  • Recreating audit evidence every year

Our ISMS SharePoint Platform does not just track audits. It operationalizes them.
You are not buying software. You are buying the ability to stop reacting to findings and start preventing them.

Conclusion: Your Path to Continuous Audit Readiness

Internal audits are not a certification requirement to check.

They are how you know your ISMS is working.

With a risk-based audit schedule, you can:

  • Surface issues within 90 days, not 365
  • Focus effort where risk is highest
  • Keep leadership informed continuously
  • Avoid the annual audit panic
  • Enter certification audits with confidence

This is not about passing audits.
It is about knowing before the auditor tells you that your controls are working.

Ready to master your internal audit program? Explore our ISMS SharePoint Platform and turn audit from a burden into a strategic advantage.
