The value of an internal information security audit. A few reasons why you should not neglect it.

The Value of Internal Audit

This week’s blog takes a look at internal audit. Whilst it is a mandatory requirement of management systems, internal audit can often be the neglected ‘poor relation’. 

This is particularly true in smaller organisations where the internal audit team consists of ‘volunteers’ who conduct audits as a secondary role to their day jobs.

Their line manager is often an information security officer who is a technical IT person with little or no audit experience of their own.

Training staff in audit is frequently seen as an overhead, and time spent conducting audits is perceived as time taken away from their more ‘productive’ primary roles. The situation is often exacerbated by the perpetual turnover of internal audit team members.

These ‘volunteers’ are typically ambitious, seeing internal audit as a way to enhance their skills and develop their understanding of the business. As they progress in their primary careers and take on more responsibility, their internal audit role is passed on to someone else.

A fundamental precept of auditing is that nobody should ever audit their own work, and many believe auditors should not be involved in auditing their own department or area at all.

A counter view is that there is little value in staff auditing areas in which they are not specialists themselves. In our experience, this latter view is most often expressed by those unfamiliar with modern audit techniques, which focus on evidence that a process is operating as intended rather than on the auditor’s own technical mastery of it.

Another big misconception surrounding audit, and probably the main reason why it is not fully valued or appreciated, is that audits are just a ‘box-ticking’ exercise in which the auditor simply seeks yes/no answers to questions on a pre-set list.

In our experience, we find that there are a number of benefits from internal auditors assessing other areas of the business. 

For starters, they get to establish an understanding of the wider enterprise and often provide ‘cross-fertilisation’ insights and different perspectives into operations and processes.

We often come across ‘volunteers’ who are hungry to gain a holistic knowledge in order to advance their own career, and in the process add real value to an internal audit programme.

Furthermore, internal auditors can be more flexible than external resources. They are able to follow up issues that have been raised in detail, and to discuss and contribute to the next stage of the process together with the auditees and those in charge of planning the audit schedule.

Despite these benefits, in many organisations internal audit is still allocated on a ‘short straw’ basis. Even when implementing a new management system, setting up and conducting internal audit is seen as a bit of an afterthought.

Management systems require that when a nonconformity is identified, action is taken to ‘control and correct it’. It is the internal auditor’s responsibility to check that this has been done effectively.

One of the most underutilised elements of the Standard, in our opinion, is the requirement to ‘determine if similar nonconformities exist or could potentially occur’.

This is an area where the internal auditor, with their holistic view of the organisation, can be of further benefit and help spot risks before they become issues or incidents.

We believe that internal audits can add real value to an organisation. One of the most common pitfalls we see is organisations devising audit schedules which are overly ambitious and complicated, requiring significant time and resources to deliver.

There is a lot of merit in consolidating audits (considering a process-based or departmental approach), prioritising audits in high-risk areas, and reducing the frequency of some of the ‘run of the mill’ audits.

Yes, audit requires resource, but we believe it is an essential tool in helping organisations to achieve continual improvement.