The email from Sarah, a newly appointed Information Security Manager at a mid-sized financial services firm, arrived at 11:47 PM. "Our external audit is in 8 weeks. We've never done an internal audit. What do we do?"
I've received variations of this email at least thirty times in my career. And each time, I think the same thing: This is going to be painful.
Internal audits (ISO 27001 clause 9.2) aren't just a checkbox requirement; they're your dress rehearsal before the big performance. In fifteen years of preparing organizations for certification, I've seen companies ace their external audits because they mastered internal auditing, and I've watched others fail spectacularly because they treated it as an afterthought.
Let me share what I've learned from conducting over 200 internal audits across industries, geographies, and organizational sizes. This isn't theory—this is what actually works in the real world.
Why Internal Audits Fail (And It's Not What You Think)
Before we dive into how to do internal audits right, let me tell you about the three catastrophic mistakes I see repeatedly:
Mistake #1: The "Checkbox Charlie" Approach
I walked into a manufacturing company in 2020 to help prepare for their Stage 2 audit. They proudly showed me their internal audit reports. Six pages of "Compliant, Compliant, Compliant" with zero findings.
Red flag.
I asked to see evidence for one control—access reviews for privileged accounts. After 30 minutes of searching, we discovered they hadn't performed access reviews in 14 months. Their auditor had simply asked, "Do you do access reviews?" The IT manager said "Yes," and the auditor checked the box.
Their external audit found 23 major non-conformities. They failed certification. The "checkbox" audit hadn't prepared them—it had given them false confidence.
"An internal audit that finds nothing wrong is usually wrong. The goal isn't to prove you're perfect—it's to find problems while you still have time to fix them."
Mistake #2: The "We Don't Have Time" Syndrome
A SaaS company I consulted for in 2021 scheduled their entire internal audit program for one week. Every control. Every process. Every department.
It was chaos. Auditors rushed through interviews. Evidence reviews were superficial. The report was meaningless.
Three months later, their certification audit identified 18 non-conformities that should have been caught internally. The CEO was furious: "Why did we waste time on internal audits if they didn't find anything?"
Mistake #3: The "Friend Audit"
This one hurts to watch. The IT Manager auditing their own team. The HR Director auditing HR processes. Everyone being "nice" to avoid creating tension.
I've seen internal audit reports where serious control failures were worded as "suggestions for improvement" to avoid hurting feelings. Then the external auditor finds the same issues and writes them up as major non-conformities.
Internal audits with no independence aren't audits—they're polite conversations that waste everyone's time.
The Internal Audit That Actually Works: A Framework Tested Across 200+ Audits
After years of trial and error, here's the approach that consistently produces results:
Phase 1: Strategic Planning (4-6 Weeks Before Audit)
This is where most organizations rush and regret it later. Do this right, and everything else flows smoothly.
Step 1: Define Your Audit Universe
First, map everything that needs to be audited. I use this framework:
Category | What to Include | Why It Matters |
|---|---|---|
ISMS Scope | All systems, processes, locations, and people within ISO 27001 scope | External auditor will verify you've audited everything in scope |
Annex A Controls | The controls marked applicable in your Statement of Applicability (all 93 in ISO 27001:2022 unless you've documented and justified exclusions) | Must demonstrate each applicable control is implemented and operating effectively |
ISMS Processes | Context, leadership, planning, support, operation, performance evaluation, improvement | Clauses 4-10 are mandatory requirements and cannot be excluded from scope |
Previous Findings | All non-conformities from last audit (internal or external) | Auditor will check if corrective actions were effective |
High-Risk Areas | Areas with most security incidents, compliance issues, or changes | Focus audit effort where problems are most likely |
I remember working with a healthcare provider that forgot to include their disaster recovery site in their audit scope. You can imagine the external auditor's reaction when they discovered a completely unaudited location processing patient data. Don't make this mistake.
Step 2: Build Your Audit Team (The Right Way)
Here's the uncomfortable truth: your internal audit team needs to be independent, competent, and empowered to tell the truth.
I've developed a selection matrix that works:
Role | Requirements | Red Flags |
|---|---|---|
Lead Auditor | - ISO 27001 Lead Auditor certification or equivalent<br>- Understanding of organization's business<br>- Strong communication skills<br>- Ability to handle conflict professionally | - Reports directly to area being audited<br>- Recently joined organization (< 6 months)<br>- Known for "going easy" on people |
Auditors | - Technical knowledge of areas being audited<br>- Audit training (minimum awareness level)<br>- Independence from audited area<br>- Objectivity and integrity | - Auditing their own work<br>- Close personal relationships with auditees<br>- Lack of technical understanding<br>- Junior staff with no audit support |
Technical Experts | - Deep subject matter expertise<br>- Understand audit process<br>- Can explain technical findings clearly | - Taking over the audit<br>- Defending rather than evaluating<br>- Unable to communicate with non-technical staff |
Pro Tip from the Trenches: In organizations with fewer than 50 people, true independence is nearly impossible. I've solved this by:
Using external auditors for sensitive areas
Rotating audit assignments to minimize bias
Having senior leadership directly involved in critical audits
Implementing peer review of all findings
A fintech startup I worked with had only 18 employees. We brought in an external auditor for the most critical controls and had their CEO personally audit HR and physical security. It worked because everyone understood the constraints and committed to objectivity.
Step 3: Create Your Audit Schedule
This is where strategy meets reality. Here's my proven scheduling framework:
Audit Cycle | Best For | Frequency by Area |
|---|---|---|
Continuous (Year-Round) | Organizations with mature ISMS, 100+ employees | - Critical controls: Quarterly<br>- High-risk areas: Semi-annually<br>- All other areas: Annually |
Phased (Quarterly Blocks) | Mid-sized organizations, 20-100 employees | - Q1: Organizational controls (Annex A 5.1-5.37)<br>- Q2: People, physical and technological controls (Annex A 6.1-8.34)<br>- Q3: ISMS processes (clauses 4-10) + previous findings<br>- Q4: Integration audit + management review |
Concentrated (Pre-Certification) | Small organizations, first-time certification | - 12 weeks out: ISMS processes<br>- 8 weeks out: Technical controls<br>- 4 weeks out: Follow-up audit<br>- 2 weeks out: Management review |
I helped a 200-person software company implement continuous auditing in 2022. They audit 3-4 controls every month. By the time their annual external audit comes around, they've already found and fixed issues. Their last three external audits had zero major findings.
Compare that to a company that crams all auditing into two weeks before certification—they found 31 non-conformities during their internal audit and only had time to fix 22 before the external audit. They failed certification because they didn't allow time for proper remediation.
"The companies that pass external audits easily are the ones that give themselves time to fail internally first."
Phase 2: Audit Preparation (2-3 Weeks Before Execution)
This phase separates amateur audits from professional ones.
Develop Your Audit Plan
Your audit plan is your roadmap. Here's the template I've refined over 200+ audits:
Essential Components:
Section | What to Include | Common Mistakes to Avoid |
|---|---|---|
Audit Objectives | - Verify control effectiveness<br>- Identify non-conformities<br>- Assess improvement opportunities<br>- Prepare for external audit | Being vague ("check security stuff") |
Audit Scope | - Specific controls being audited<br>- Locations included<br>- Time period covered<br>- Exclusions with justification | Leaving scope ambiguous |
Audit Criteria | - ISO 27001:2022 clauses<br>- Annex A controls<br>- Organization policies<br>- Applicable laws/regulations | Only referencing ISO standard, forgetting internal policies |
Audit Team | - Lead auditor<br>- Supporting auditors<br>- Technical experts<br>- Observers (if any) | Not clarifying roles and responsibilities |
Schedule | - Date/time for each activity<br>- Auditees for each session<br>- Evidence to review<br>- Buffer time | Over-scheduling with no flexibility |
Logistics | - Meeting rooms<br>- Equipment needed<br>- Access requirements<br>- System access needed | Assuming everything will "just work" |
Real-World Example: I was conducting an audit at a manufacturing facility in 2019. We'd scheduled interviews with the plant manager, but nobody had arranged access to the production floor. We lost 90 minutes waiting for security clearance. Now I include a logistics checklist in every audit plan.
Create Your Audit Checklist (But Don't Become a Slave to It)
Here's my controversial take: audit checklists are essential, but if you just read questions off a list, you're doing it wrong.
The best auditors use checklists as memory aids, not scripts. Here's how I structure them:
Control 5.15: Access Control
The checklist guides the conversation, but I'm listening for gaps, inconsistencies, and risks that no checklist can anticipate.
I once found a serious security weakness during an audit because an IT administrator casually mentioned they "sometimes" use a shared admin account "when things are urgent." Shared privileged credentials destroy accountability: nobody can say afterwards who did what. That wasn't on my checklist; I caught it because I was actually listening, not just checking boxes.
Phase 3: Audit Execution (1-3 Days Depending on Scope)
This is where theory meets reality. Here's what actually happens during an effective audit:
Opening Meeting (30-45 Minutes)
Never skip this. I've seen auditors dive straight into interviews to "save time." It always backfires.
My Opening Meeting Agenda:
Topic | Duration | Key Points to Cover |
|---|---|---|
Introductions | 5 min | Names, roles, audit experience |
Audit Objectives | 5 min | Why we're here, what we're trying to achieve |
Scope and Criteria | 5 min | What's included, what standards we're using |
Methodology | 10 min | How we'll conduct interviews, review evidence, document findings |
Schedule | 5 min | Walk through the agenda, confirm availability |
Logistics | 5 min | Where to work, system access, who to contact |
Questions | 5-10 min | Address concerns, clarify expectations |
Critical Point: Set the tone here. I always say something like: "Our job isn't to catch you doing things wrong—it's to find issues while we have time to fix them. If we find problems, that's actually good news because we can address them before the external auditor arrives."
This mindset shift transforms the audit from adversarial to collaborative.
Document and Record Review
This is where you separate real implementation from documentation theatre.
My Evidence Review Approach:
Evidence Type | What I Look For | Red Flags |
|---|---|---|
Policies & Procedures | - Current and approved<br>- Accessible to relevant staff<br>- Actually being followed | Documents dated 2+ years ago, different versions in circulation, staff unaware of content |
Records & Logs | - Complete and timely<br>- Show actual usage<br>- Demonstrate controls working | Gaps in records, backdated entries, suspiciously perfect compliance |
System Configurations | - Match documented standards<br>- Security settings enabled<br>- No unauthorized changes | Default configurations, security features disabled, undocumented systems |
Reports & Metrics | - Regular generation<br>- Reviewed by management<br>- Action taken on findings | Reports generated but not read, metrics that always look perfect, no evidence of follow-up |
Story from the Field: I was auditing a company's backup procedures in 2021. Their policy said backups ran nightly with weekly restoration testing. The backup logs showed consistent successful backups—perfect compliance, right?
Then I asked, "Show me evidence of last month's restoration test." Silence. They hadn't tested a restoration in 11 months. The "successful" backups were running, but nobody knew if they could actually restore data.
We tested one backup during the audit. It failed. The backup system had been misconfigured for months, creating corrupted backup files that would have been useless in a real disaster.
That's why you don't just review logs—you verify actual effectiveness.
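To make that concrete, here is an added example (my illustration for this page, not code from the original article) of what a restore test looks like when it is automated: it restores an archive into a scratch directory and compares every file against a manifest of SHA-256 digests taken from the live source when the backup was made. The tar.gz layout, file names and manifest format are assumptions for the example; the constructed "silently corrupted" archive stands in for the misconfigured backup in the story above, whose job log still reported success.

```python
"""Restore test for a backup archive: an added example, not code from the article.

A backup log that says "success" only proves the job ran. This restores an
archive into a scratch directory and checks every file against a manifest of
SHA-256 digests captured from the live source when the backup was taken.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict[str, bytes]) -> tuple[bytes, dict[str, str]]:
    """Build an in-memory tar.gz of `files` and a {path: sha256} manifest of them.

    In practice the manifest is produced from the source at backup time and kept
    outside the backup job's own logs, so the restore test has an independent
    reference to compare against (assumed layout for this example).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), {name: sha256_hex(data) for name, data in files.items()}


def restore_test(archive: bytes, manifest: dict[str, str]) -> dict:
    """Restore `archive` to a scratch directory and verify it against `manifest`.

    Returns {"restorable": bool, "checked": int, "problems": [str]}. Any error
    while reading the archive is itself a failed restore.
    """
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        try:
            with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
                for member in tar.getmembers():
                    rel = Path(member.name)
                    # Restore only regular files with safe relative paths; a backup
                    # that needs ".." or absolute paths to restore is itself a finding.
                    if rel.is_absolute() or ".." in rel.parts:
                        problems.append(f"unsafe member path: {member.name}")
                        continue
                    if not member.isfile():
                        continue
                    target = root / rel
                    target.parent.mkdir(parents=True, exist_ok=True)
                    with tar.extractfile(member) as src:
                        target.write_bytes(src.read())
        except Exception as exc:  # truncated/corrupt stream, bad gzip, I/O error, ...
            return {"restorable": False, "checked": 0,
                    "problems": [f"archive unreadable: {type(exc).__name__}: {exc}"]}
        for name, expected in manifest.items():
            restored = root / name
            if not restored.is_file():
                problems.append(f"missing after restore: {name}")
            elif sha256_hex(restored.read_bytes()) != expected:
                problems.append(f"content mismatch: {name}")
    return {"restorable": not problems, "checked": len(manifest), "problems": problems}


# Constructed source data standing in for a small application's files.
SOURCE_FILES = {
    "app/config.yaml": b"db_host: payments-db\nretention_days: 30\n",
    "app/data/ledger.csv": b"id,amount\n1,100.00\n2,250.50\n3,75.25\n",
    "app/data/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
}

# The failure mode from the story: the job "succeeds" but writes a truncated copy.
CORRUPTED_FILES = {**SOURCE_FILES, "app/data/ledger.csv": b"id,amount\n1,100.00\n"}


def run_demo() -> dict:
    good_archive, manifest = make_backup(SOURCE_FILES)
    bad_archive, _ = make_backup(CORRUPTED_FILES)   # job log would still say "success"
    truncated = good_archive[:40]                    # archive cut off mid-stream
    return {
        "good": restore_test(good_archive, manifest),
        "silently_corrupted": restore_test(bad_archive, manifest),
        "truncated": restore_test(truncated, manifest),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        status = "PASS" if result["restorable"] else "FAIL"
        print(f"{label:>18}: {status} ({result['checked']} files checked) {result['problems']}")
```

The point of the manifest is independence: the hashes come from the source, not from the backup job, so a job that copies truncated or stale files cannot vouch for itself. Keep the restore-test result (date, archive identifier, digest mismatches) as the evidence you show the auditor, not the job log.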
Interviews and Observations
This is where art meets science. Technical auditing skills matter, but so do people skills.
My Interview Framework:
1. Start with Open Questions
"Walk me through how you handle access requests."
"Tell me about the last security incident you dealt with."
"How do you stay updated on security threats?"
2. Follow the Evidence Trail
"You mentioned quarterly reviews—can you show me the last one?"
"You said you notify users about suspicious activity—show me an example."
3. Explore Edge Cases
"What happens when someone requests access after hours?"
"How would you handle access for a contractor working remotely?"
4. Test Understanding, Not Just Procedures
"Why do you think we require password rotation?"
"What would happen if we didn't review access logs?"
I learned this approach the hard way. Early in my career, I'd ask yes/no questions: "Do you review access logs?" People would say "Yes," and I'd check the box. Then I'd discover they hadn't actually performed a review in months—they just knew they were supposed to.
Now I ask: "Show me the last access log review you performed. Walk me through what you found and what actions you took."
The difference is night and day.
"In auditing, the question 'Do you do this?' tells you what people know they should do. The question 'Show me' tells you what they actually do."
Site Inspections and Physical Verification
Don't skip the physical world. I can't tell you how many times I've found critical issues by actually walking the facility.
Physical Inspection Checklist:
Area | What to Verify | What I've Found |
|---|---|---|
Server Rooms | Access controls, environmental controls, physical security | Propped-open doors, cleaning staff with unrestricted access, fire suppression systems disabled |
Workstations | Screen locks, clean desk policy, visitor restrictions | Passwords on sticky notes, confidential documents in public areas, unescorted visitors |
Disposal Areas | Secure shredding, hard drive destruction, media handling | Regular trash bins with confidential papers, hard drives in e-waste without sanitization |
Remote Locations | Same standards as main facility | Branch offices with no security controls, home offices accessing production systems |
I'll never forget auditing a financial services company that had excellent digital security but kept printed account statements in a dumpster behind their building. Anyone could walk up and grab boxes of customer data. Their cybersecurity was Fort Knox, but their physical security was a screen door.
Phase 4: Finding Documentation and Classification
This is where many auditors struggle. How do you classify findings? When is something a minor non-conformity versus a major one?
My Finding Classification Framework:
Classification | Definition | Examples | Action Required |
|---|---|---|---|
Major Non-Conformity | - Complete absence of required control<br>- Systemic failure of process<br>- Could lead to ISMS failure | No access control policy exists<br>Access reviews never performed<br>Backup system completely non-functional | Must be corrected before certification<br>Root cause analysis required<br>Corrective action plan with evidence |
Minor Non-Conformity | - Control exists but not fully effective<br>- Isolated lapse in implementation<br>- Doesn't threaten ISMS integrity | Access review delayed by 2 weeks<br>One backup test missed<br>Password policy not enforced on legacy system | Corrective action plan required<br>Verify effectiveness in next audit<br>May not prevent certification |
Observation | - Not a non-conformity<br>- Potential for improvement<br>- Best practice opportunity | Could improve access request workflow<br>Consider multi-factor authentication<br>Documentation could be clearer | Not mandatory to address<br>Track for continuous improvement<br>May become requirement in future |
Positive Finding | - Exceeds requirements<br>- Innovative approach<br>- Best practice example | Automated access reviews<br>Enhanced monitoring beyond requirements<br>Proactive security culture | Share across organization<br>Document as best practice<br>Consider for other areas |
Critical Writing Tips:
Good finding documentation includes:
What you audited (specific control or process)
What you expected to find (requirement or criteria)
What you actually found (objective evidence)
Why it matters (impact or risk)
What needs to happen (recommendation)
Bad Finding: "Access controls are not working properly."
Good Finding: "Control 5.15 (Access Control) - During review of access provisioning for Q3 2024, we identified that 8 out of 15 access requests (53%) were approved and implemented without documented approval from the data owner, as required by the Access Control Policy section 4.2. This increases the risk of unauthorized access to sensitive systems and could result in data breaches or compliance violations. Recommendation: Implement a workflow system that prevents access provisioning without documented data owner approval."
See the difference? The second version is specific, evidence-based, and actionable.
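The good finding above rests on an evidence test: match each provisioning record in the period to a data-owner approval dated on or before the grant, and count the exceptions. Here is an added example of running that test as a script, constructed for this page and not code from the article. The CSV columns, the ticket number linking the two exports and the approver_role values are assumptions; the sample data is constructed so that four of six in-period grants fail, for three different reasons.

```python
"""Reconciling access grants against data-owner approvals: an added example, not
code from the article. It models the evidence test behind an access-provisioning
finding: every grant in the audit period must have a documented data-owner
approval dated on or before the grant. Column names and roles are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed evidence: a provisioning export from the IAM tool ...
PROVISIONING_CSV = """ticket,user,system,granted_on
ACC-101,alice,payments-db,2024-07-02
ACC-102,bob,payments-db,2024-07-09
ACC-103,carol,hr-system,2024-08-14
ACC-104,dave,payments-db,2024-08-20
ACC-105,erin,trading-api,2024-09-03
ACC-106,frank,hr-system,2024-09-18
ACC-107,grace,hr-system,2024-10-02
"""

# ... and the approval register the policy says must be completed first.
APPROVALS_CSV = """ticket,approver,approver_role,approved_on
ACC-101,owner.payments,data_owner,2024-07-01
ACC-103,owner.hr,data_owner,2024-08-14
ACC-104,it.helpdesk,service_desk,2024-08-19
ACC-105,owner.trading,data_owner,2024-09-05
ACC-107,owner.hr,data_owner,2024-10-01
"""


@dataclass(frozen=True)
class Deviation:
    ticket: str
    user: str
    system: str
    reason: str


def load_rows(csv_text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(provisioning: list[dict[str, str]], approvals: list[dict[str, str]],
              period_start: date, period_end: date) -> tuple[int, list[Deviation]]:
    """Test each grant in the period against the approval register.

    A grant passes only if a data_owner approval for the same ticket is dated on
    or before granted_on. Everything else is an exception with a stated reason.
    """
    approvals_by_ticket: dict[str, list[dict[str, str]]] = {}
    for row in approvals:
        approvals_by_ticket.setdefault(row["ticket"], []).append(row)

    tested = 0
    deviations: list[Deviation] = []
    for row in provisioning:
        granted = date.fromisoformat(row["granted_on"])
        if not period_start <= granted <= period_end:
            continue  # outside the audit period: not part of the population
        tested += 1
        records = approvals_by_ticket.get(row["ticket"], [])
        owner_records = [a for a in records if a["approver_role"] == "data_owner"]
        if not records:
            reason = "no approval record"
        elif not owner_records:
            roles = ", ".join(sorted({a["approver_role"] for a in records}))
            reason = f"approved by {roles}, not the data owner"
        elif min(date.fromisoformat(a["approved_on"]) for a in owner_records) > granted:
            reason = "data-owner approval dated after the grant"
        else:
            continue  # documented data-owner approval, on time
        deviations.append(Deviation(row["ticket"], row["user"], row["system"], reason))
    return tested, deviations


def summarize(tested: int, deviations: list[Deviation]) -> dict:
    rate = round(100 * len(deviations) / tested) if tested else 0
    return {"tested": tested, "exceptions": len(deviations), "exception_rate_pct": rate}


def run_q3_2024_test() -> tuple[dict, list[Deviation]]:
    tested, deviations = reconcile(load_rows(PROVISIONING_CSV), load_rows(APPROVALS_CSV),
                                   date(2024, 7, 1), date(2024, 9, 30))
    return summarize(tested, deviations), deviations


if __name__ == "__main__":
    summary, deviations = run_q3_2024_test()
    print(f"{summary['exceptions']} of {summary['tested']} access requests "
          f"({summary['exception_rate_pct']}%) lacked timely data-owner approval:")
    for d in deviations:
        print(f"  {d.ticket} {d.user}@{d.system}: {d.reason}")
```

The three reasons are deliberately separate. "No approval record" and "approved by the service desk" point at the workflow; "approval dated after the grant" points at someone back-filling paperwork once they knew an audit was coming, which is a different root cause and a different conversation in the closing meeting.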
Phase 5: Closing Meeting and Reporting
The closing meeting is your moment to demonstrate value. Don't waste it.
My Closing Meeting Structure:
Segment | Duration | Content |
|---|---|---|
Thanks and Context | 5 min | Acknowledge cooperation, set positive tone |
Summary of Audit | 5 min | What was audited, methodology used |
Positive Findings | 10 min | What's working well (yes, really!) |
Non-Conformities | 20 min | Major findings first, then minor, with evidence and impact |
Observations | 10 min | Improvement opportunities |
Next Steps | 5 min | Report timing, corrective action process, follow-up audit |
Q&A | 15 min | Address concerns, clarify findings |
Pro Tip: I always start with positive findings. Here's why: when I audited a manufacturing company in 2020, they had implemented automated vulnerability scanning that exceeded ISO requirements. I highlighted this first. It completely changed the room's energy. When we discussed findings, the team was receptive because they knew I'd seen their good work too.
Auditing isn't about crushing people—it's about helping them improve.
Phase 6: Corrective Actions and Follow-Up
The audit report isn't the end—it's the beginning of the improvement cycle.
Corrective Action Process That Actually Works:
Step | Timeline | Responsibility | Deliverable |
|---|---|---|---|
Root Cause Analysis | Within 1 week of finding | Process owner | Document showing why non-conformity occurred |
Corrective Action Plan | Within 2 weeks | Process owner + ISMS manager | Specific actions, timelines, resources needed |
Implementation | Varies by finding | Assigned personnel | Evidence of implementation |
Effectiveness Check | 30-60 days after implementation | Internal auditor | Verification that corrective action solved root cause |
Closure | After effectiveness verification | ISMS manager | Updated audit records, lessons learned |
I worked with a healthcare company that took corrective actions seriously. When we found their access review process was failing, they didn't just perform the missing reviews. They:
Analyzed why reviews were missed (no automated reminders)
Implemented automated workflow with escalations
Trained staff on new process
Monitored completion for 3 months
Verified no reviews were missed
That's what effective corrective action looks like.
Compare that to a company that responded to the same finding with: "We performed the missing access reviews." Three months later, the same problem recurred because they hadn't addressed the root cause.
"Corrective action isn't about fixing the symptom—it's about eliminating the disease. If the same problem keeps recurring, your corrective action didn't work."
The Internal Audit Program: Making It Sustainable
One audit doesn't make a program. Here's how to build something sustainable:
Annual Audit Program Planning
Elements of a Mature Audit Program:
Component | Purpose | Frequency |
|---|---|---|
Risk-Based Scheduling | Focus audit effort on highest-risk areas | Annually (review and adjust quarterly) |
Competence Management | Ensure auditors maintain and develop skills | Ongoing (formal review annually) |
Methodology Review | Improve audit approach based on lessons learned | Annually |
Stakeholder Feedback | Gather input from auditees and management | After each audit |
Metrics and KPIs | Measure program effectiveness | Monthly reporting |
Integration Planning | Coordinate with other assurance activities | Quarterly |
Audit Metrics That Actually Matter
Forget "number of audits completed." Here are metrics I track:
Metric | Why It Matters | Target |
|---|---|---|
Finding Recurrence Rate | Shows if corrective actions are effective | < 10% |
Time to Close Findings | Indicates responsiveness to issues | Major: < 30 days<br>Minor: < 60 days |
External Audit Alignment | Measures internal audit predictive accuracy | > 80% of external findings also found internally |
Stakeholder Satisfaction | Reflects perceived value of audits | > 4.0/5.0 rating |
Coverage Completeness | Ensures entire ISMS is audited | 100% over audit cycle |
The best metric? A healthcare client I worked with tracked "findings found internally vs. externally." In year one, internal audits found 12 issues while external audits found 23 (34% internal detection rate). By year three, internal audits found 31 issues while external audits found only 4 (89% internal detection rate).
That's a mature audit program.
Common Pitfalls and How to Avoid Them
After conducting and reviewing hundreds of internal audits, here are the traps I see repeatedly:
Pitfall #1: Sampling Too Small or Too Convenient
The Trap: "I'll just review last week's logs." "Let me check these three user accounts."
Why It Fails: You're not getting a representative sample. Issues might exist in data you didn't examine.
The Fix: Use a defensible sample size and record how you chose it. These rules of thumb aren't statistical confidence levels, but they hold up in front of an external auditor. For populations:
Under 50: Check 100%
50-500: Check at least 10-15%
Over 500: Check at least 50 items (more for high-risk controls or mixed populations)
And make sampling random, not convenient. I use random number generators to select samples. It eliminates bias and provides defensible evidence.
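An added example (constructed for this page, not code from the article) of turning that rule of thumb into a reproducible sample: it applies the thresholds above, fingerprints the population so the list cannot be swapped after the draw, and selects from a seeded random generator so the exact selection can be re-run from the working paper. Taking the top of the 10-15% band, the SHA-256 fingerprint and the seed convention are my choices for the example.

```python
"""Audit sample selection: an added example, not code from the article.

Applies the sample-size rule of thumb and draws a reproducible random sample so
the selection can be recorded as audit evidence (population fingerprint + seed).
"""
import hashlib
import math
import random
from typing import Sequence


def sample_size(population_size: int) -> int:
    """Minimum items to test, per the rule of thumb in the text.

    Under 50: everything; 50-500: 15% (top of the 10-15% band, an assumption);
    over 500: at least 50 items. Note the step down at 501, which is why the
    text says "at least": treat these as floors, not targets.
    """
    if population_size < 0:
        raise ValueError("population size must be non-negative")
    if population_size < 50:
        return population_size
    if population_size <= 500:
        return math.ceil(population_size * 0.15)
    return 50


def population_fingerprint(population: Sequence[str]) -> str:
    """SHA-256 over the sorted population so the list cannot be altered after the draw."""
    digest = hashlib.sha256()
    for item in sorted(population):
        digest.update(item.encode("utf-8"))
        digest.update(b"\n")
    return digest.hexdigest()


def select_sample(population: Sequence[str], seed: int) -> dict:
    """Draw sample_size() items with a recorded seed and return a working-paper record.

    The seeded PRNG makes the draw reproducible; it is not a cryptographic need,
    only a defensibility one. Duplicates are removed before sizing the sample.
    """
    unique = sorted(set(population))
    n = sample_size(len(unique))
    rng = random.Random(seed)
    chosen = sorted(rng.sample(unique, n))
    return {
        "population_size": len(unique),
        "population_sha256": population_fingerprint(unique),
        "seed": seed,
        "sample_size": n,
        "sample": chosen,
    }


if __name__ == "__main__":
    # Constructed population: 120 accounts exported from a directory service.
    accounts = [f"user{i:03d}" for i in range(120)]
    paper = select_sample(accounts, seed=20240915)
    print(f"Testing {paper['sample_size']} of {paper['population_size']} accounts "
          f"(seed {paper['seed']}, population sha256 {paper['population_sha256'][:16]}...)")
    print("Selected:", ", ".join(paper["sample"]))
```

Record the seed, the population size and the fingerprint alongside the export you sampled from. Anyone who questions the selection later, including the external auditor, can regenerate exactly the same list.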
Pitfall #2: Accepting "We're Planning To..." as Evidence
The Trap: Auditor: "How do you handle incident response?" Auditee: "We're implementing a new ticketing system next month."
Why It Fails: Future plans aren't current compliance. ISO 27001 requires you to show that controls are implemented and operating, with evidence from the period under audit, not a roadmap for what they will do next quarter.
The Fix: Politely redirect: "That sounds promising for the future. For today's audit, show me how you're currently handling incidents." If they can't demonstrate current compliance, it's a finding.
Pitfall #3: Death by Documentation
The Trap: Spending 90% of time reviewing policies and 10% verifying implementation.
Why It Fails: Perfect documentation doesn't mean working controls. I've seen gorgeous procedure manuals that nobody follows.
The Fix: Use the 40/60 rule:
40% document review (policies, procedures, records)
60% validation (interviews, observations, testing)
If you're only reading documents, you're not really auditing.
Pitfall #4: The "Everything's Perfect" Report
The Trap: Audit report showing 100% compliance with zero observations.
Why It Fails: Nothing is perfect. If you found nothing to improve, you didn't look hard enough.
The Fix: Even in mature organizations, I find observations for improvement. A realistic internal audit in a well-prepared organization typically produces:
0-2 major non-conformities (if you're prepared)
2-5 minor non-conformities (areas for tightening)
5-10 observations (continuous improvement opportunities)
If your internal audit looks drastically different, your external audit will be a shock.
Real-World Success Story: From Chaos to Excellence
Let me close with a transformation story that shows what's possible.
In 2020, I started working with a 45-person software company preparing for ISO 27001 certification. Their first internal audit was a disaster:
Conducted in 2 days by one person
Checklist audit with yes/no questions
Zero findings documented
No evidence collected
Their external audit found 27 non-conformities. They failed certification.
We rebuilt their program from scratch:
Year 1:
Trained 5 internal auditors
Implemented quarterly audit cycles
Created detailed audit procedures
Established corrective action tracking
Result: Next external audit had 8 minor findings. Achieved certification.
Year 2:
Added root cause analysis requirements
Implemented audit management software
Started tracking audit metrics
Introduced cross-functional auditing
Result: External surveillance audit had 2 minor findings.
Year 3:
Moved to continuous auditing
Integrated with GRC platform
Added predictive risk analytics
Developed internal auditor career path
Result: Latest external audit had zero findings. Auditor commended their program as "best practice."
The CEO told me: "Three years ago, audits were something we dreaded and rushed through. Now they're how we get better at what we do. Our internal audit program has become a competitive advantage."
That's what's possible when you take internal audits seriously.
Your Action Plan: Starting This Week
If you're building or improving your internal audit program, here's what to do:
This Week:
[ ] Document your ISMS scope and identify what needs auditing
[ ] Identify potential internal auditors (with appropriate independence)
[ ] Review your last external audit report for improvement areas
Next 2 Weeks:
[ ] Create an annual audit schedule based on risk
[ ] Develop audit plan template and checklists
[ ] Schedule training for internal auditors
Next 30 Days:
[ ] Conduct pilot internal audit on limited scope
[ ] Review findings and refine methodology
[ ] Establish corrective action tracking process
Next 90 Days:
[ ] Complete first full audit cycle
[ ] Measure effectiveness of corrective actions
[ ] Gather feedback and improve process
Final Thoughts: The Art and Science of Internal Auditing
After fifteen years and over 200 internal audits, here's what I've learned:
Internal auditing is equal parts detective work, teaching, and relationship building. You need the technical skills to identify issues, the communication skills to explain them constructively, and the organizational savvy to ensure they get fixed.
The best internal auditors I've worked with share common traits:
Curious: They ask "why" until they understand root causes
Objective: They follow evidence, not assumptions
Practical: They recommend realistic solutions
Collaborative: They partner with auditees to improve, not just criticize
Persistent: They follow through until issues are truly resolved
Your internal audit program can be a checkbox exercise that wastes time and finds nothing useful. Or it can be a strategic tool that identifies risks early, drives continuous improvement, and makes external audits a formality rather than a crisis.
The choice is yours.
"The goal of internal auditing isn't to find people doing things wrong. It's to find systems that need improving and fix them before they cause real damage. Done right, internal audits transform from unwelcome interruptions into essential business intelligence."
Now go build an internal audit program that makes your organization stronger, not just compliant.
Want to dive deeper into ISO 27001 implementation? Check out our comprehensive guides on risk assessment, control implementation, and certification preparation. At PentesterWorld, we turn compliance complexity into practical action.