Module 6: Performance Monitoring

Conducting Audits

Conducting Effective Internal Audits

Internal auditing is both an art and a science. This lesson provides practical guidance for conducting professional, effective audits that add value.

Audit Mindset and Approach

The Right Attitude

You Are Not:

  • A police officer looking to catch people doing wrong
  • There to prove you're smarter than the auditee
  • Looking for reasons to write findings
  • The enemy

You Are:

  • A colleague helping improve the ISMS
  • Providing objective assessment of conformity
  • Identifying both strengths and weaknesses
  • A partner in achieving certification
  • Looking for evidence, not problems

Professional Characteristics

Objectivity:

  • Base conclusions only on evidence
  • Don't let personal opinions influence findings
  • Avoid conflicts of interest
  • Don't audit your own work

Ethical Behavior:

  • Maintain confidentiality
  • Don't share audit information inappropriately
  • Respect intellectual property
  • Report findings honestly

Fair Presentation:

  • Report findings truthfully and accurately
  • Present both positive and negative findings
  • Don't exaggerate issues
  • Give credit where due

Due Professional Care:

  • Be thorough but efficient
  • Allocate time appropriately
  • Remain alert to significant issues
  • Use resources effectively

Confidentiality:

  • Keep audit findings confidential until formally reported
  • Don't gossip about what you find
  • Protect sensitive information
  • Secure audit working papers

Effective Interview Techniques

Opening the Interview

Start Positively:

  • Introduce yourself and your role
  • Explain the audit purpose
  • Explain how what they tell you will be recorded, protected and reported
  • Estimate time needed
  • Put the interviewee at ease

Example Opening: "Hi, I'm conducting an internal audit of our access control processes. This isn't about catching anyone doing something wrong—it's about verifying our processes are working effectively. I expect this will take about 30-45 minutes. Is this a good time?"

Asking Effective Questions

Use Open-Ended Questions:

  • "Can you walk me through how you perform user access reviews?"
  • "Tell me about the last time you responded to a security incident."
  • "How do you ensure backups completed successfully?"

Ask for Examples:

  • "Can you show me an example of a completed access review?"
  • "Could you demonstrate how you would provision a new user account?"

Probe When Needed:

  • "Can you elaborate on that?"
  • "What happens if...?"
  • "How often does that happen?"

Avoid Leading Questions:

  • ❌ "You do keep records of that, don't you?"
  • ✅ "What records do you keep of that process?"

Active Listening

Listen More Than You Talk:

  • 70% listening, 30% talking
  • Don't interrupt
  • Let silence happen
  • Focus on what's being said

Show You're Listening:

  • Maintain appropriate eye contact
  • Nod acknowledgment
  • Take notes
  • Ask follow-up questions

Clarify Understanding:

  • "So if I understand correctly..."
  • "Let me make sure I have this right..."
  • "What I'm hearing is..."

Handling Difficult Situations

If Someone Becomes Defensive:

  • Remain calm and professional
  • Reaffirm you're not there to blame individuals
  • Focus on processes, not people
  • Acknowledge their expertise

If Someone Says "I Don't Know":

  • Ask who would know
  • Ask where you could find the information
  • Ask how they would find out

If You Find a Serious Issue:

  • Stay calm
  • Don't immediately call it a major nonconformity
  • Gather complete evidence
  • Thank them for their honesty
  • Report through proper channels

Taking Notes During Interviews

What to Record:

  • Key responses to questions
  • Names, dates, specific examples
  • Location of evidence
  • Discrepancies or concerns
  • Positive observations
  • Direct quotes if significant

How to Take Notes:

  • Don't write everything—focus on key points
  • Ask permission to take notes
  • Review notes immediately after interview

Document and Record Review

What to Look For

When Reviewing Documentation:

  • Completeness: Are all required elements present?
  • Current: Is it the latest version?
  • Approved: Is there evidence of approval?
  • Accurate: Does it reflect actual practices?
  • Accessible: Can people find and use it?
  • Clear: Is it understandable?

Sampling Strategies

Sample Size Rules of Thumb:

  • Population under 10: Review all
  • Population 10-29: Review 5-10
  • Population 30-99: Review 10-20
  • Population 100 or more: Review 20-30

These fixed sizes are conventions for a time-boxed internal audit, not statistically derived sample sizes: they give reasonable coverage of the population, not a measured confidence level.

Judgmental Sampling:

  • Select samples based on risk
  • Include recent examples
  • Include examples from different time periods

What Sampling Can Tell You:

  • If you find issues in 3 out of 10 samples, there is likely a systemic problem
  • If you find issues in 1 out of 30 samples, the problem may be isolated, but extend the sample around that item (same team, same period, same system) before concluding that it is
  • Every nonconformity found in a sample is a nonconformity for that instance; a clean sample shows the control worked for the items you checked, not that it never fails
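The sizes above are rules of thumb, so it helps to see what a sample result actually bounds. The Python below is an added example written for this lesson, not code from the original page: it encodes the size table, adds a stratified helper for the judgmental-sampling advice (cover different time periods, not just recent items), and computes a one-sided 95% Clopper-Pearson upper bound on the population failure rate from a sample result. The population cut-offs, the confidence bound itself (the lesson does not mention one) and the access-review records are assumptions for illustration.

```python
"""Sampling helpers for ISMS internal audits (added example, not from the lesson)."""
import math
import random
from collections import defaultdict
from datetime import date


def recommended_sample_size(population: int) -> int:
    """Upper end of the lesson's rule-of-thumb ranges.

    The cut-offs (<10, 10-29, 30-99, 100+) are an assumption that removes the
    overlap in the lesson's table.
    """
    if population < 10:
        return population  # small population: review everything
    if population < 30:
        return 10
    if population < 100:
        return 20
    return 30


def binomial_cdf(x: int, n: int, p: float) -> float:
    """P(X <= x) for X ~ Binomial(n, p), computed exactly via math.comb."""
    return sum(math.comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(x + 1))


def failure_rate_upper_bound(failures: int, n: int, confidence: float = 0.95) -> float:
    """One-sided Clopper-Pearson upper bound on the population failure rate.

    Returns the smallest p for which seeing at most `failures` in `n` items is
    no more likely than (1 - confidence). The CDF decreases in p, so bisection
    on p converges to that point.
    """
    if failures >= n:
        return 1.0
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(100):
        mid = (lo + hi) / 2
        if binomial_cdf(failures, n, mid) > alpha:
            lo = mid  # p too small: this few failures would still be common
        else:
            hi = mid
    return hi


def quarter(record: dict) -> str:
    """Stratum key: calendar quarter of the record's date, e.g. '2024-Q2'."""
    d = record["date"]
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def stratified_sample(records, strata_key, per_stratum: int, seed: int = 0) -> list:
    """Judgmental sampling: take `per_stratum` records from each stratum so the
    sample covers different time periods instead of clustering on recent items.
    A fixed seed keeps the selection reproducible for the audit working papers.
    """
    rng = random.Random(seed)
    buckets = defaultdict(list)
    for r in records:
        buckets[strata_key(r)].append(r)
    sample = []
    for key in sorted(buckets):
        group = buckets[key]
        sample.extend(rng.sample(group, min(per_stratum, len(group))))
    return sample


# Constructed access-review records for illustration; not real audit data.
ACCESS_REVIEWS = [
    {"system": "Finance-ERP", "date": date(2024, 1, 15)},
    {"system": "HR-Portal", "date": date(2024, 2, 20)},
    {"system": "CRM", "date": date(2024, 3, 5)},
    {"system": "Finance-ERP", "date": date(2024, 4, 12)},
    {"system": "HR-Portal", "date": date(2024, 5, 30)},
    {"system": "CRM", "date": date(2024, 6, 18)},
    {"system": "Finance-ERP", "date": date(2024, 7, 9)},
    {"system": "HR-Portal", "date": date(2024, 8, 21)},
    {"system": "CRM", "date": date(2024, 9, 2)},
]


if __name__ == "__main__":
    for population in (8, 25, 60, 500):
        print(f"population {population:>3}: sample {recommended_sample_size(population)}")
    for failures, n in ((0, 30), (1, 30), (3, 10)):
        ub = failure_rate_upper_bound(failures, n)
        print(f"{failures}/{n} failed: population failure rate could be up to {ub:.0%} (95%)")
    for r in stratified_sample(ACCESS_REVIEWS, quarter, per_stratum=2):
        print(quarter(r), r["system"], r["date"])
```

The bound is the practitioner's caveat in numbers: a clean 0 of 30 still leaves a population failure rate of up to about 9.5% at 95% confidence, and 1 of 30 leaves up to about 15%. "Isolated" is therefore a hypothesis to test by widening the sample, not a conclusion the sample itself supports, while 3 of 10 (upper bound around 60%) justifies the lesson's "systemic" call.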

Verifying Evidence

Triangulation: Verify findings through multiple sources:

  1. Documentation says: Policy states passwords must be 12+ characters
  2. Interviews confirm: IT staff says they enforce 12-character minimum
  3. Observations verify: The configured minimum password length on the authentication system, inspected directly by the auditor rather than reported by staff, is 12 characters

Result: Conforming

Discrepancy Example:

  1. Documentation says: Access reviews performed quarterly
  2. Interviews indicate: IT manager says quarterly reviews are done
  3. Records show: Last access review was 9 months ago

Result: Nonconformity (process not being followed)

Writing Findings

Characteristics of Good Findings

Clear and Specific:

  • ❌ "Access controls are not working properly"
  • ✅ "Access reviews are required quarterly per Procedure ACS-01 section 3.2, but review records show the last review for the Finance system was completed on 15 June 2024, which is 6 months ago"

Evidence-Based:

  • Include specific examples
  • Reference documents reviewed
  • Note who was interviewed
  • Cite dates and systems

Requirement-Referenced:

  • State what requirement is not met
  • Cite ISO 27001 clause or Annex A control
  • Reference internal policies/procedures

Objective, Not Emotional:

  • ❌ "The password policy is terrible and nobody follows it"
  • ✅ "Testing of 20 user accounts found 5 accounts with passwords not meeting the 12-character minimum required by Password Policy v2.1 section 4.1"

Finding Structure

Example Finding:

Finding #: 2024-Q3-001

Classification: Minor Nonconformity

ISO Clause: 9.2 Internal Audit

Requirement: Clause 9.2.1 states internal audits shall be conducted at planned intervals. The internal audit program specifies that all Annex A controls shall be audited at least once every two years.

Finding: Annex A Control A.7.4 (Physical Security Monitoring) has not been audited since March 2022, which is 30 months ago, exceeding the two-year requirement.

Evidence: Review of Internal Audit Schedule 2022-2024 and completed audit reports. No audit report found covering A.7.4 since March 2022.

Impact: Without regular auditing, there is no independent verification that physical security monitoring controls remain effective.

Audit Time Management

Stay on Schedule

Allocate Time Appropriately:

  • Opening meeting: 15-30 minutes
  • Document review: Specific time blocks
  • Interviews: 30-60 minutes each
  • Physical inspection: 30-60 minutes
  • Closing meeting: 30-60 minutes

Avoid Time Wasters:

  • Getting sidetracked into non-audit discussions
  • Reviewing excessive detail
  • Waiting for auditees
  • Excessive socializing

Maintaining Professional Relationships

During the Audit

Be Respectful:

  • Arrive on time
  • Dress professionally
  • Use appropriate language
  • Respect people's time
  • Thank people for cooperation

Be Transparent:

  • Explain what you're doing and why
  • Share findings with the auditee as you confirm them, once the evidence is verified
  • Don't surprise auditees at closing meeting
  • Answer questions honestly

Be Collaborative:

  • Position audit as helping the organization
  • Recognize good practices
  • Suggest improvements constructively

Common Audit Mistakes to Avoid

  1. Auditing by checklist only - Use checklists as guides, not rigid scripts
  2. Accepting "we do that" without evidence - Always verify
  3. Focusing only on finding problems - Note what's working well too
  4. Not documenting positive findings - Good practices should be recognized
  5. Writing vague findings - Always be specific with evidence
  6. Arguing with auditees - Stay professional
  7. Rushing to finish - Take the time needed for a thorough audit
  8. Delaying report writing - Write findings promptly while fresh

Key Takeaways:

  1. Approach audits as a helper, not a hunter
  2. Base all findings on objective evidence
  3. Ask open-ended questions and listen actively
  4. Triangulate findings through multiple sources
  5. Write clear, specific, evidence-based findings
  6. Maintain professionalism and objectivity
  7. Recognize good practices as well as issues
  8. Manage time effectively
  9. Build collaborative relationships
  10. Be thorough, fair, and respectful

Next Lesson: We'll provide an Audit Report Template to document your findings professionally.
