How do you develop an internal audit checklist for ISO 27001?

Internal audit checklists are sourced directly from the audit criteria. The Standard, or the ISMS, will provide direction on how a particular activity should be conducted. The corresponding checklist question would follow a theme of ‘how does your department meet this requirement?’ or ‘how do you ensure that this policy is followed?’.

Auditors should attempt, as far as possible, to understand what a particular requirement of the Standard is aiming to achieve, and tailor their questions to extract the appropriate level of detail. The auditor who quotes verbatim from the Standard is likely to be greeted with confusion by the auditee.

It is worth bearing in mind that the terminology of the Standard will not always be used by business departments: ‘needs and expectations of interested parties’ is more likely to be captured as ‘customer requirements’, and ‘business objectives’ may be referred to as ‘departmental goals’, ‘milestones’, ‘targets’ or similar.

Once you have used your high-level checklist question to gain an insight into an organisational process, ask additional questions to extract greater detail and gain corroboration. These follow-up questions cannot be planned in advance, so the auditor must pay close attention to the answers received and tailor further questions to extract additional detail as required.
