Internal audits for ISO certification: requirements and best practices

Kees van der Vlies

Partner | IT Auditor


Every ISO management system standard built on the harmonized structure, whether ISO 27001, ISO 9001, ISO 22301 or ISO 27701, requires organizations to conduct internal audits. This is not optional. Clause 9.2 mandates that organizations conduct internal audits at planned intervals and plan, establish, implement and maintain an audit programme, including the frequency, methods, responsibilities, planning requirements and reporting. The results must be reported to relevant management and retained as documented information, because the external auditor will ask for them. The purpose is twofold: verifying that the management system conforms both to the organization's own requirements and to the standard, and confirming that it is effectively implemented and maintained, which in practice means identifying opportunities for improvement.

Despite this clear mandate, internal audits are one of the most commonly underperformed elements of ISO management systems. Organizations treat them as a checkbox exercise, conduct superficial reviews, or postpone them until just before the external certification audit. This undermines both the value of the management system and the likelihood of a successful certification: a missing or inadequate internal audit is itself a nonconformity against clause 9.2.

Purpose and value of internal audits

Internal audits serve two distinct functions. The conformity function checks whether your management system is implemented and operating as documented. Are policies being followed? Are controls operating effectively? Are records being maintained? Answering these questions requires evidence, not assurances: sample actual records, observe the process being performed, and compare what you see against what the procedure says. This function catches gaps before the external auditor does.

The improvement function is often more valuable. A well-conducted internal audit identifies inefficiencies, outdated procedures, controls that are overly burdensome, and areas where the management system could better serve the organization's objectives. These findings drive meaningful improvements that go beyond compliance.

Planning the audit program

An effective internal audit program requires planning. You need to determine the frequency and scope of audits, considering the importance of the processes concerned, the results of previous audits, and any changes to the organization or its context. The standard does not prescribe how often each area must be audited; it requires planned intervals that you can justify. Not every part of the management system needs to be audited every year, but over a defined cycle (typically three years, aligned with the certification cycle) every clause of the standard, every process in scope and, for ISO 27001, every applicable control in the Statement of Applicability should be covered at least once.

The audit program should be risk-based. Areas with higher risk, more frequent changes, or previous findings should be audited more frequently; a process that was rewritten this year, or that failed its last audit, is a candidate for the next audit regardless of where it sits in the cycle. Areas with stable, mature processes can be audited less often. This approach directs audit resources where they create the most value, and the documented rationale for the schedule is itself evidence of a planned programme.

Independence and competence

ISO standards require that auditors are selected, and audits conducted, in a way that ensures the objectivity and impartiality of the audit process. This does not mean you need a dedicated internal audit department. It means that the person auditing a process should not be the person responsible for performing or managing that process, and should not be auditing their own work. In smaller organizations, this can be achieved through cross-functional auditing: the IT manager audits HR processes, and vice versa. Where no one independent and competent is available, an external auditor can be engaged for that part of the programme.

Competence is equally important. Internal auditors need to understand both the audit process and the subject matter they are auditing; someone who cannot tell whether an access review was actually performed, or whether a backup restore was really tested, will not find the gaps that matter. Training your internal auditors in audit techniques (ISO 19011 is the reference for management system auditing), the relevant standards, and your specific management system is an investment that pays for itself in audit quality. Keep records of that training: auditor competence is something the external auditor may ask you to demonstrate.

Common mistakes

Several patterns consistently undermine internal audit effectiveness. Audits are conducted too late in the cycle, leaving no time to address findings before the external audit. Auditors focus exclusively on documentation rather than actual practice, confirming that a procedure exists without checking that anyone follows it. Findings are written too vaguely to act on ("access management needs improvement" rather than "three of the ten leavers sampled still had active accounts 30 days after departure"). Corrective actions from previous audits are never followed up. And perhaps most critically, the internal audit is treated as a formality rather than a genuine assessment.

Reporting and follow-up

Audit findings should be documented clearly, with enough detail to understand the issue, its significance, and where it was observed: which requirement or procedure was not met, what evidence shows it, and which records, systems or interviews were sampled. Classify findings consistently, for example as nonconformities, observations and opportunities for improvement, so that effort goes to the issues that matter. Each nonconformity needs a root cause analysis and a corrective action plan with defined responsibilities and timelines; fixing the single instance you found without addressing the cause is not a corrective action. Follow-up verification should confirm that corrective actions were implemented and are effective, and that verification should be recorded, because the audit report, the corrective action records and the evidence of closure are exactly what the external auditor will review under clauses 9.2 and 10.

Secure Audit provides internal audit services and training for organizations preparing for or maintaining ISO certifications. Whether you need experienced auditors to supplement your team or training to build internal capability, we can help. Contact us to discuss your internal audit needs.
