Audit flow
| Step | Auditor action | Output |
|---|---|---|
| 1. Define audit objective | Confirm scope, criteria, and audit questions | Audit plan |
| 2. Understand context | Review ISMS scope, risks, SoA, previous findings | Audit context notes |
| 3. Select samples | Pick controls, suppliers, assets, users, projects, records | Sampling plan |
| 4. Request evidence | Ask for records that prove operation | Evidence request list |
| 5. Interview owners | Test awareness, accountability, and operation | Interview notes |
| 6. Test consistency | Compare policy, process, records, and actual practice | Audit working papers |
| 7. Identify findings | Classify nonconformity, weakness, or improvement | Findings log |
| 8. Link to risk | Tie findings to risk and control impact | Risk-linked finding |
| 9. Track correction | Verify corrective action and effectiveness | Closure evidence |
| 10. Feed management review | Escalate trends, unresolved risks, resource needs | Management review inputs |
Evidence quality test
| Evidence type | Strong when | Weak when |
|---|---|---|
| Policy | Approved, communicated, reviewed, used | Exists but nobody follows it |
| Register | Current, owned, sampled, linked to process | Spreadsheet exists but stale |
| Review record | Shows evaluation and decisions | Report was received only |
| Interview | Matches documented process and evidence | Person guesses or contradicts records |
| Technical record | Directly shows control operation | Screenshot without context |
| Contract | Matches risk and relationship | Generic template only |
| Corrective action | Root cause and effectiveness verified | Action closed by assertion |
Audit challenge questions
- What risk does this control treat?
- Who owns the control?
- How do you know it operated during the audit period?
- What happens when the control fails?
- What evidence would prove this without relying on verbal explanation?
- Where is the decision recorded in the Statement of Applicability or risk treatment plan?
Related notes
- Iso27001
- Auditor guide
- Internal audit
Note Metadata
Aliases: Internal Audit Guide
Source: 06 Auditor Guide/Internal Audit Execution Guide.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.