CHAPTER 9: INTERNAL AUDITING AND CORRECTIVE ACTION

An ABMS internal audit is an important part of ISO 37001, and those with existing management systems, such as ISO 9001 or ISO 27001, will be familiar with the concept.

Internal audit here is an entirely different concept from internal audit in a financial sense, and relates to testing whether the ABMS is meeting the requirements of ISO 37001 and the documented management system that supports it in the organisation concerned.

This chapter is an expanded version of some material in IT Governance Publishing’s ISO 37001 Toolkit, which has a number of model forms to support the internal audit process discussed below.

  1. Define an audit plan or schedule. The number of individual audits will depend on the size and complexity of the organisation, and whether one or two periods per year of intense auditing are preferred to smaller, monthly audits. Audit planning should be risk based. Where audit plans are to be integrated or combined with, say, ISO 27001, there needs to be clear understanding on the part of both auditees and auditors that ABMS issues are also being examined.

  2. Normally, the audit programme will be handled by the compliance function. If that is, say, the manager for ISO 9001 or ISO 27001, then they need to be sufficiently cross-trained to understand ISO 37001. This equally applies if a financial audit or governance manager is used to supervise the planning of ISO 37001 audits.

  3. Auditors need to be competent in the requirements of ISO 37001. If a governance or HR specialist undertakes an audit, they need to be aware of the appropriate parts of ISO 37001.

  4. Although all areas of ISO 37001 need to be covered over, say, a 12-month period, the actual frequency of an audit needs to be determined based on the organisation’s own ABMS. This is why there needs to be considerable thought given to a 12-month audit plan, and certainly if a 24- or 36-month plan is preferred.

  5. The audit plan needs to be dynamic because the results of audits might change the frequency or scope of later audits. Reports should never be filed without action.

Where the action is

Corrective actions are the next steps taken where risks or deficiencies are identified. Corrective action means that something does not conform to either ISO 37001 or the requirements of the ABMS. This is one reason why an ABMS shouldn’t have aspirational elements: say what you do and prove what you do.

  1. Decide how corrective actions will be styled. A certification body will typically use major and minor categories of nonconformities (NCs) – a major being a ‘showstopper’ where there is a complete breakdown or lack of evidence of compliance to a particular clause of ISO 37001 or part of the ABMS. If internal audits follow the same approach, then how different NCs are communicated and actioned internally needs to be agreed in advance.

  2. For all NCs a corrective action plan or programme will be agreed with the auditee. This will explain what will be done and by when to resolve the NC. The management review process should review all NCs and whether deadlines have been met. NCs may indicate a resolution that needs significant resource, which may need top management direction before anything is done.

  3. Annex SL and the requirement under ISO 37001 to manage the inadequacy of anti-bribery controls mean that root cause analysis is important. Resolving the corrective action is not enough – the reason the nonconformity arose needs to be understood and action taken to prevent its recurrence. This is really another way of looking at the adequacy of risk-based controls. There are formal root cause analysis concepts or tools that can be used by all manner of management systems.

  4. If observations or other formally recorded comments are included in reports, it needs to be decided how these will be actioned: just a record of an auditee’s observation for a future audit trail, or a minor issue that will need resolution in due course. If it is the latter, then there will need to be a tracking system, which some organisations include on a corrective action register or similar record.

Conclusions

The ABMS internal audit process needs careful planning. The correlation with financial and other governance auditing can either test one another’s findings or, more likely, define the discrete elements of a system that different members of the audit team will sample.

There also needs to be careful alignment between the way NCs or other formal outcomes are recorded from different audits and then actioned in a coordinated way.

Also consider the way audits align with the investigation process. Although the vast majority of ABMS audits will not generate forensic enquiries, a protocol should be in place.

Internal audit should be a positive process. An ideal scenario is where audit becomes part of the continual improvement mechanism, rather than simply a mechanism for inspection and checking.
