Organization name, logo                                  Internal Audit Version
Procedure # date
Purpose
The Internal Audit is to be conducted to ensure compliance with all rules, regulations, policies,
procedures and statutes pertaining to the organization to be audited. The Internal Audit provides
an independent and objective assurance of all operations and uses a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control, and governance
processes.
Scope
The scope of internal audit activity includes examining and evaluating the policies, procedures
and systems which are in place to ensure – system reliability, integrity of information,
compliance with policies, procedures, laws and regulations, safeguarding of assets, efficient use
of resources, established objectives and goals for operations or programs, issues related to
internal controls, special investigations, and other areas of interest and concern. Internal Audit is
responsible for coordinating audit planning and scheduling activities with external auditors.
Definition
Internal auditing is an independent, objective activity designed to add value and improve an
organization's operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.
Authority
The Internal Audit team, under the direction and support of the <management> and <audit
committee>, has the authority to conduct any audits, reviews, and special requests, or to investigate
any matters within its scope of responsibilities, with or without prior notice to department heads
and other employees. The audit process will have unrestricted access to any reports, data, and/or
information pertaining to employee records and asset records, and may issue independent audit,
review, and/or special reports without management influence.
Responsibilities
The Internal Audit process will carry out the following responsibilities:
   •   Examine and evaluate the adequacy and effectiveness of the organization’s internal
       controls and the quality of performance in carrying out assigned responsibilities.
   •   Review the systems established to ensure compliance with those policies, plans,
       procedures, laws, regulations, and contracts which could have a significant impact on
       operations and reports, and determine whether the organization is in compliance.
   •   Review the means of safeguarding assets and verify the existence of such assets in the
       asset register.
   •   Review operations or programs to ascertain whether results are consistent with
       established objectives and goals and whether the operations or programs are being carried
       out as planned.
   •   The Internal Auditor will report all activities directly to the <management> committee.
Procedure
Listed below are the steps to be followed for conducting an Internal Audit:
1. Pre Audit Phase
   •   Develop a preliminary audit plan;
   •   Inform <management> of upcoming audit via email; Ensure that the email is sent at least
       a month prior to each planned audit;
   •   Schedule an opening meeting with department heads and staff, and other stakeholders as
       appropriate, to go over and finalize the audit program;
   •   Request the established policies, procedures, meeting minutes of the previous audit
       meeting, and corrective action reports;
   •   Obtain the organization chart and network diagrams;
   •   Obtain previous audit reports (if any) and the asset inventory;
   •   Obtain the scope statement;
   •   Obtain the Statement of Applicability;
   •   Obtain previous risk assessment reports;
   •   Obtain the metrics and measurements document;
   •   Obtain the business continuity plans and disaster recovery procedures;
   •   Prepare the agenda for the opening meeting and, if possible, email the audit plan to those
       involved together with a preliminary HOD Questionnaire, so that they are aware of the
       types of questions that will be asked;
   •   Request the client to assign a member from their staff to accompany the auditor during
       the audit process as a silent observer.
       The outcome of this phase is the audit plan which is subject to change if necessary.
2. Opening Meeting
  •   Discuss the Audit Plan: type of audit (ISO standard), number of auditors, scope of the
      audit, audit start date, duration of the audit and approximate end date;
  •   Verify that the management understands the role of the auditor and ensure management
      commitment;
  •   Ask the management if they have any particular areas of risk or concern which they would
      like reviewed;
  •   Review audit findings from previous internal audit reports, if applicable;
  •   Develop a list of key personnel in the auditee department to be contacted for meetings or
      information;
  •   Discuss the procedure for preparing and reviewing the formal audit report, which is a
      compilation of reportable findings and auditee responses;
  •   Inquire about current developments relating to the organization's function, activity or
      department;
  •   Confirm if any changes have been made to the organization chart, job responsibilities,
      policies, procedures;
  •   Establish priorities of the audit;
  •   Discuss any other applicable topics.
      The following questions can be asked during the opening meeting. These questions
      are also listed in the HOD Questionnaire:
          a. Can you explain the workings of your department, please?
          b. What are your main concerns with respect to network performance and
              information security?
          c. What are the critical information assets your department deals with?
          d. Have there been any security incidents in the past?
          e. What security precautions do you already take?
          f. What are major hindrances to the normal functioning of your department?
      <Refer to the Audit Plan located in the Internal Audit Report>
      You must obtain client confirmation in the form of a signature on a printed copy of the
      audit plan.
      The outcome of this phase is to get a clear understanding of the events and practices that
      have an impact on the organization. It identifies areas which will require special attention
      or consideration during the audit.
3. Audit Process
Audit interviews will be conducted at the following levels:
   •   Department
       Departmental audits are designed to review and evaluate the activities and operations of that
       department to ensure compliance with organization controls, taking into consideration the
       organization's established policies and procedures and any applicable laws and regulations,
       and to validate the records maintained.
   •   Management Commitment Audits
       Management commitment audits are designed to evaluate the awareness level of policies,
       procedures and controls which impact the organizational goals and objectives in terms of
       security.
   Pointers for productive site visits:
          1. Maintain communication with the client at all times;
          2. Arrange interview scheduling so that the client's business operations are not
               hampered; as far as possible, draw up the interview schedule in coordination with
               the client;
          3. Take notes at each meeting in addition to recording the answers to the questionnaire.
               Pertinent observations may help in verifying the conditions or security levels during the
               actual audit.
Types of Audits
Based on the type of audit to be conducted, the auditor will use one of the following:
   • Security-only or standard-based audits (ISO 27001) – ISO 27001 Internal Audit Checklist;
   • COBIT/ITIL/ISO 20000-based audits or custom requirements – ISO 20000 Internal Audit
       Checklist.
<Refer to ISO 27001 Audit Checklist> for auditor guidelines, interview questions, verification,
sampling and ISMS rating summary.
<Refer to ISO 20000 Audit Checklist> for interview questions, verification, sampling. (To be
completed by Khushbu)
Obtain client acknowledgement via email or signature on printed copy of the checklist rating
results.
4. Audit Report Process
   •   Prepare the Audit Report with the following guidelines:
           1. Findings and recommendations will be expressed objectively.
           2. The Audit Report will be organized so as to clearly and concisely disclose relevant,
               timely, and important information that can be used to enhance or improve relevant
               aspects of the organization’s operations.
           3. Findings, recommendations, and comments will contain all relevant information
               necessary for the auditee to fully understand the reported conditions. The Audit report
               will present factual matters accurately and completely.
           4. The Audit Report will identify the most significant conditions requiring
               management’s attention.
           5. All draft Audit Reports and the Final Audit Report shall be deemed “confidential,”
               and the auditor shall take appropriate measures to ensure their limited distribution to
               those individuals with a legitimate business need for possessing the information
               contained therein.
   •   Distribute the final Audit Report to all department heads concerned, management and
       audit committee with the suggested changes.
   •   Schedule the Closing meeting;
   •   After department heads have received the audit report, the Closing meeting will provide
       the opportunity for those concerned to discuss findings, conclusions, and
       recommendations with the auditor.
   •   Ask department heads to provide their responses to the auditor's findings and
       recommendations, either in writing or in sufficient detail for the auditors to capture them.
       This will be entered into the final draft report.
<Refer to the Internal Audit Report>
5. Closing Meeting
       A closing meeting will be held so that everyone can discuss the audit report and review
       management responses. This is an opportunity to discuss how the audit went and any
       remaining issues.
6. Post Audit Follow Up Phase
   •   Follow-up reviews will be performed on an issue-by-issue basis and will occur shortly
       after the expected audit completion date, to determine whether corrective action has been
       taken on audit recommendations.
   •   The auditor will conduct a follow-up review to verify the completion of agreed-upon
       management actions and ascertain the status of open recommendations.
   •   A follow-up report will be generated for distribution to the management and audit
       committee.
   •   The purpose of the follow-up is to verify that the auditee has implemented the agreed-
       upon corrective actions. The auditor will interview staff, perform tests, or review new
       procedures to perform the verification.
   •   The auditor will then send a letter to the organization indicating whether they have
       satisfactorily corrected all problems or whether further actions are necessary. If further
       corrective action is required, the organization will need to write a management response.
       Otherwise, the issue will be reported as resolved.
<Refer to the Audit Feedback Form>
Appendix A
Audit Plan
HOD Questionnaire
Internal Audit Report
Audit Feedback Form
Appendix B
ISO 27001 Audit Checklist
ISO 20000 Audit Checklist