Frequently Asked Questions (FAQs)
Q1: What are the typical deliverables from an internal audit engagement?
Ans: The typical deliverables from an internal audit engagement include:
- Internal Audit Program: A structured plan defining the audit process, scope, objectives, and methodology.
- Internal Auditor Notes: Documentation of observations and notes taken during the audit process.
- Internal Audit Report: A detailed report highlighting the findings, including Non-Conformance Reports (NCRs), risks, and recommendations for improvement.
- Weekly Status Reports: Regular updates on audit progress, timelines, and any emerging issues.
- Validation of Closed NCR: A verification process ensuring that corrective actions for identified NCRs have been implemented and are effective.
- External Audit Support: Clarifying internal audit findings for the external auditors and supporting them with evidence from the internal audit.
Q2: What are the requirements for internal audit in ISO 27001:2022?
Ans: The requirements for internal audits in ISO 27001:2022 include:
- Reviews must be conducted by individuals independent of the area being audited.
- Auditors must have the appropriate competence and not be in the line of authority.
- Results should be reviewed in the management review process and, if necessary, reported to top management.
- Records of the audits must be maintained.
- Corrective actions must be initiated if any deficiencies in information security management are identified.
Q3: We are a small healthcare company offering virtual healthcare services with a team of 15, including just 2 IT staff members. Are there any restrictions on who can conduct internal audits?
Ans: According to ISO 27001, auditors must be independent, meaning they cannot audit areas for which they are responsible. This includes IT personnel overseeing the controls being audited. Internal audits should not be carried out by the same individuals managing the technology controls. While the specific situation varies by organization, it may be beneficial to identify someone outside of the IT department with experience in controls and provide them with training for internal audits. However, finding such individuals internally can be challenging, especially when they lack prior experience with technology controls. Additionally, there is the risk of turnover, which can require further training and onboarding. In many cases, outsourcing the audit may be a more efficient option, as the cost often ends up being comparable to the expense of training and retaining in-house staff.
Q4: How often should an ISO 27001 internal audit be conducted?
Ans: Typically, an internal audit is conducted annually. However, the frequency may vary based on your organization’s size, risk profile, and specific requirements.
Q5: What are the main stages involved in an internal audit?
Ans: The key stages include planning, conducting the audit, reporting findings, addressing non-conformities, and implementing corrective actions.
Q6: Can we perform the internal audit ourselves, or do we need a third party?
Ans: You can perform the audit internally if you have qualified personnel and can ensure the auditor's independence from the areas being audited. However, using a third party ensures an objective and unbiased assessment.
Q7: How long does the internal audit process usually take?
Ans: The duration depends on the organization’s size and complexity. A typical internal audit can range from a few days to several weeks.