While the purpose and intent behind an internal and an external audit vary slightly, they should follow the same process. Think of an internal audit as a prep session, or the chance to find and solve an issue prior to external personnel discovery. The external audit should be thought of as validation, for the organizational processes in place. The internal audit allows stakeholders of the organization to understand the tactical components of the Information Security Management System (ISMS) so that externally, you can highlight your program. If done correctly, the external audit should not be stressful.
Requirements for Internal and External Audits:
An internal audit may be performed by a third party to minimize any conflicts of interest within the organization. Once an organization has a requirement for a regulatory and compliance team, internal audits may be conducted by a designated individual or team.
A benefit of outsourcing your internal audit is removing any organizational bias (I.e., the vendor is disposable to raise critical concerns). This reduces the concern or repercussions of calling issues out!
Internal Audits should follow the same process as an external audit to provide a training opportunity to answer questions and present evidence effectively. During an internal audit we recommend interviewing the business process owner instead of isolating the interviews with the compliance or security team, even if they are not going to be part of the external audit, as organizations may have different audit strategies.
During the interview process, asking the business process owner where they reference the policies, procedures, or work instructions, checks to see if there are duplicative documents or legacy versions being used. All too often security will assume they have the authoritative version when the business uses their own documentation. This happens often when the document management process is cumbersome or does not allow engineers to document in an efficient manner. Live demonstrations are better during the internal audit versus a collection of evidence, as used during an external audit. This allows the auditor to see error warnings or dates that indicate problems or are ignored.
Internal audits should be scheduled accordingly and take place throughout the year; the ISMS committee or audit board will be the ultimate decision-makers for internal audit scheduling. It is recommended to reassure business process owners and audit participants because they may feel the pressure of having findings and that they must defend themselves. This exercise is not to call any person or a group out, but to identify issues with processes and policies. There are times that the root cause of the problem is the policy cannot be followed without impacting the business. In other words, if there are problems uncovered it should be a team effort to fix them. This should feel like an awareness activity for most employees, along with a chance to ask questions and learn more about the plans and policies in place. If you find an internal audit to be more difficult to conduct than an external audit, you are doing it correctly! This is the time for all departments to explain their day-to-day processes and report on important items.
An external audit is performed by an auditing firm that is either certified or authorized to validate and provide assurance to the compliance of a standard or framework. The difference between an internal and external audit is requirements on how the audit is conducted and documentation. Auditing firms follow rigorous guidelines on how an audit is conducted and what may or may not be accepted as evidence. The external auditor can only know what is presented to them, so it is possible for them to be wrong. If an auditor makes a mistake, Generally, the auditing firm has an escalation process to evaluate disputes. During the process of an external audit, auditors will not only look to see the configurations in place but rather test to see if these controls are functioning properly. Another topic of interest is the importance of understanding how to prepare for an external audit.