The Internal audit module in Conformio allows you to create all the internal audit documents required by the ISO 27001 standard with as little work as possible. Its guided way through the steps presents a streamlined internal auditing process and provides resources if the company needs additional information regarding the audit itself (how to do it, who to nominate to conduct it, creating the procedure, etc.).
Accessing Internal Audit
There are two ways to access the Internal Audit:
- Through the Internal Audit step in the Implementation steps;
- Through Registers and Modules.
Note: From a procedural point of view, there is no difference between accessing the Internal Audit module through Registers and Modules and accessing it through Implementation steps.
Accessing through Implementation steps
Follow these steps to access the Internal Audit:
- Go to Compliance and select Implementation steps;
- Find the Internal Audit and click the View step button;
- From the step, click the Open Register button.
Note: We recommend first completing the Internal Audit Procedure document under Implementation steps before accessing the Internal Audit module.
Accessing through Registers and Modules
- Go to Registers and Modules;
- Click the Go To Register button in the Internal Audit module.
Scheduling Internal Audit
To schedule an internal audit, click the Schedule New Audit(s) button.
Data fields with a red asterisk are mandatory. When you fill out all the mandatory fields, click the Schedule button to schedule an audit.
Note: When the first audit is scheduled, you receive an option to start scheduling a new one. You can click NO if your first audit is enough or click YES to schedule another audit.
By clicking YES, you are redirected to a new pop-up where you have to input all the required information. By clicking NO, you are redirected to the module’s main page.
When scheduled, the audit is listed as an entry on the Internal Audit main page. Here you can:
- See additional information about the audit;
- Edit the audit.
Starting Internal Audit
If all the information is correct, you can start the audit.
By clicking the Start Audit button, you will be redirected to another page of the Internal Audit for the specific audit you selected.
For the first audit, you are switched to the Documentation Review phase.
To progress with the audit, do the following:
- Select the items as relevant or not relevant;
- Review all relevant items listed;
- Add a new section or entry to the default checklist (if needed).
Adding New Section
To add a new section to the default checklist, do the following:
- Click the Add New Section button;
- Enter the title of the new section;
- Click the checkmark button to confirm the section creation.
Adding New Entry
To add a new entry to the default checklist, do the following:
- Click the Add New Entry button;
- Enter the mandatory information in the pop-up window opened;
- Click the Save button.
The added item will be saved to the end of the checklist on the right.
Saved custom entries will be added to the end of the list under the Custom Section.
After all the relevant items are marked as reviewed, click the Next button to proceed to the Adapting the Checklist phase.
Adapting the Internal Audit Checklist
Here, you can further review and adapt the checklist to your needs.
To add more items, do the following:
- Click the Add New Entry button;
- Enter the mandatory information in the pop-up window opened;
- Click the Save button.
When satisfied with the checklist, click the Next button and proceed to the Performing the Audit phase of the Internal Audit Module.
Deleting Internal Audit Checklist Items
To delete the item from the Internal Audit Checklist, do the following:
- Click the Delete button next to the item you want to delete;
- Click the Confirm button to complete the deletion.
You can delete items at any step in the audit process.
Editing Internal Audit Checklist Items
To edit the item from the Internal Audit Checklist, do the following:
- Click the Edit button next to the item you want to edit;
- Enter the new information in the pop-up window opened;
- Click the Save button to confirm the edits.
You can edit items at any step in the audit process.
Performing Internal Audit
Here, you perform the audit by marking the items on the checklist as compliant or not compliant and providing written evidence for each.
As with the previous steps, you can add additional checklist items.
After reviewing the checklist items, concluding which items are compliant or not, and providing written evidence for each item, you can download the checklist by clicking the Print Checklist button.
Click the Next button to proceed to the next phase and to save the custom checklist for future audits.
Audit Report
The Audit Report is the final stage of the audit, where you fill in the final report in order to complete the audit.
If you have non-compliant items, you must:
- Add a nonconformity, which will be included in the final report;
- Enter improvements into the Observations field for minor issues or suggested improvements;
- Use the Audit Conclusions field to make general conclusions about the audit.
Adding nonconformity
A nonconformity is not required for minor issues or recommendations for improvements. To report minor issues or recommendations, enter them in the Observations field.
A nonconformity is required for major issues. To add a nonconformity, do the following:
- Click the Add a nonconformity button;
- Select a nonconformity from the already-defined list of nonconformities;
- Check the box in front of the applicable nonconformity;
- Click the Add button.
If you need to add a new nonconformity when selecting nonconformities, do the following:
- Select Report a New Nonconformity;
- Enter the mandatory information in the pop-up window opened;
- Proceed with solving the nonconformity as described in the Register of Nonconformities and Corrective Actions;
- Click the Save button to save the nonconformity to the register.
Completing Internal Audit
Before completing the audit, enter information in the Observations and Audit Conclusions fields. If the evidence is not already in Conformio, upload it as an attachment.
To complete the Internal audit, click the Complete the Audit & Create Report button.
After the report is created, you are redirected back to the module’s main page, where all the audits are listed. The audit you completed will change its status to completed. You can access all created files under Related Documents in the wizard menu.
You can access the documents created by the internal audit in the Documents Explorer in the folder Lists Reports Statements and Plans.
Frequently Asked Questions:
1. Is an Internal audit plan or a program a mandatory document, and what does it include?
An Internal audit program is a mandatory document according to ISO 27001, while an Internal audit plan is a different document and is not required by the standard. Conformio automatically creates the Internal audit program in the Internal Audit module. Conformio does not create an Internal audit plan since it is rarely used for smaller companies. As a workaround, you can create an Internal audit plan document as a Word file and upload it to Document Explorer.
2. Is an Internal audit procedure a mandatory document?
An Internal audit procedure is not a mandatory document. However, it is recommended to write such a document because it helps clarify the internal audit process. Conformio helps you complete the Internal audit procedure using the built-in template and the wizard that provides several options for adapting the document for your company.
3. Can the person implementing the ISMS perform the internal audit?
It would be a conflict of interest if the same person implemented ISO 27001 and audited their work. In other words, the internal auditor should not actively participate in the ISMS implementation.
Note: If the internal auditor has written some of the ISMS documents but did not participate in their implementation, this could be an acceptable solution, even though it is not an ideal situation.