CHAPTER 18: INTERNAL AUDITS

An internal audit, where the implemented measures are checked against some type of reference, is an effective means of independently verifying an organisation’s security measures, and an essential element of any continual improvement regime (see Chapter 13). It is also a requirement for certifying management systems against their British or ISO standard, and can also be a contractual or legal requirement.

Having said that, conducting regular audits is a valuable activity in its own right, as this can help:

Identify any weaknesses in your security measures, whether due to people, processes, technology, or some combination of the three;

Confirm that your security measures are working as intended and to the standard required;

Show the board and senior management that the organisation’s security efforts are paying off or, conversely, provide vital evidence and support when trying to convince the board that more resources are necessary; and

Provide valuable inputs for your continual improvement efforts.

Note that for an audit to be valuable, the auditor must be as impartial and objective as possible. Even if the auditee employs the auditor, which inevitably limits their independence, they should at least be independent of the process being audited.

Also be aware that audits are always based on sampling – it is not possible to check everything – and as such are, to some extent, a process dependent on chance.

The audit process

Many auditors start by asking to see your documentation, including policies, procedures and records, since these indicate what should happen. The auditor then checks through, or has the auditee demonstrate, the process in question to see if what really happens matches up with what the documentation states; any discrepancies may be noted as nonconformities.

Another common way to start an audit is with interviews: an auditor may ask the auditee to talk them through the process, which can highlight significant discrepancies before they even move to checking any documentation.

By the time an audit has been completed, the auditor has usually at least checked that:

There is appropriate documentation that reflects the reality;

Risk assessments have been conducted, and risk responses have been correctly implemented;

Relevant legal, contractual and business requirements have been met; and

Actions and opportunities for improvement⁹ from previous audits have been pursued.

Where a nonconformity has been recorded, a corrective action should be issued to mitigate it. Where the nonconformity is an open-and-shut case, the auditor should be able to define the corrective action themselves. However, in many instances, the auditee needs to provide input, since they often have the clearest idea of what the problem is and how it can be mitigated. Where there are records of nonconformities (or opportunities for improvement) from a previous audit, these should be checked to confirm that corrective actions have been correctly implemented.

At the end of an audit, the auditor should report to senior management directly to ensure independent, unbiased information. Senior management should review and assess the findings, particularly those with potentially significant financial or strategic impact. Audit reports can be a valuable source of independent information on how the organisation is doing, without the risk of bias from operational managers’ reports.

_______________

⁹ An opportunity for improvement indicates that a system is in place that meets requirements, but that it is implemented in a manner that might allow a problem to manifest itself further down the line.
