UnixTime

Research Note

Internal Audit Execution Guide

- What risk does this control treat? - Who owns the control? - How do you know it operated during the audit period? - What happens when the control fails? - What evidence would...

On this page

Audit flow

Step Auditor action Output
1. Define audit objective Confirm scope, criteria, and audit questions Audit plan
2. Understand context Review ISMS scope, risks, SoA, previous findings Audit context notes
3. Select samples Pick controls, suppliers, assets, users, projects, records Sampling plan
4. Request evidence Ask for records that prove operation Evidence request list
5. Interview owners Test awareness, accountability, and operation Interview notes
6. Test consistency Compare policy, process, records, and actual practice Audit working papers
7. Identify findings Classify nonconformity, weakness, or improvement Findings log
8. Link to risk Tie findings to risk and control impact Risk-linked finding
9. Track correction Verify corrective action and effectiveness Closure evidence
10. Feed management review Escalate trends, unresolved risks, resource needs Management review inputs

Evidence quality test

Evidence type Strong when Weak when
Policy Approved, communicated, reviewed, used Exists but nobody follows it
Register Current, owned, sampled, linked to process Spreadsheet exists but stale
Review record Shows evaluation and decisions Report was received only
Interview Matches documented process and evidence Person guesses or contradicts records
Technical record Directly shows control operation Screenshot without context
Contract Matches risk and relationship Generic template only
Corrective action Root cause and effectiveness verified Action closed by assertion

Audit challenge questions

  • What risk does this control treat?
  • Who owns the control?
  • How do you know it operated during the audit period?
  • What happens when the control fails?
  • What evidence would prove this without relying on verbal explanation?
  • Where is the decision recorded in the Statement of Applicability or risk treatment plan?
  • Iso27001
  • Auditor guide
  • Internal audit

Note Metadata

Aliases: Internal Audit Guide

Source: 06 Auditor Guide/Internal Audit Execution Guide.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.