ISMS 21: Internal Audit Procedure


This procedure applies to Upmind Automation Limited’s internal audits, including any processing of high-risk personal data and any processing of personal data conducted by data processor subcontractors. It establishes the requirements for their planning, preparation, performance, reporting, following up and closing down.

The objective of this procedure is to establish an independent system for verification of information security controls and the data protection legislation compliance, and its improvement by means of a controlled method for planning, scheduling, coordinating and performing internal audits, and related activities.


The Directors are responsible for the overview and implementation of this procedure.

Appointed internal auditor/s are responsible for the preparation, execution and reporting of audits assigned to them for completion in accordance with their necessary competence and the requirements of this procedure. This may require third parties to be appointed to conduct internal audits to compensate where necessary expertise is not available.

All employees are responsible for assisting in the audit process, as and when required.


The Information Security Manager shall establish an Audit Schedule of sufficient scope to ensure that each aspect of personal information management system and data protection legislation compliance is audited at least annually. It will identify the scope and frequency of audits, along with identifying the type of auditor (internal or supplier) to conduct the audit. The audit plan will be reviewed and agreed by the Director.
The Information Security Manager will propose the audit plan at least 1 month in advance of the start date, programming audits with due consideration to:

  • Business Need
  • Severity of findings at most recent internal audit
  • Programming of other audits in the same area
  • Latest/proposed major revisions to processes, etc.
  • Any other valid reason that may justly impact on the timing of an audit.

Audit performance will be reviewed as part of the management review.

Where necessary, audits will be assigned to an internal auditor who is competent to conduct that type of audit. Internal auditors shall be deemed as ‘competent’ at the discretion of the Information Security Manager. Selection and conduct of audits will ensure objectivity and impartiality.

The internal auditors may undergo a variety of development practices, to further develop their auditing skills.
For specific types of audit, internal auditors will require special skills, (i.e. data protection, technical audits for ISO 27001 compliance, ISO 22301 conformance, financial audits, etc.). Qualification requirements for the identified personnel are at the discretion of the Director. Solution may be through the appointment of a suitable third party.

During the planning and preparation for an audit, the Internal Auditors ensure that the following actions are taken:

  • Preparation of an audit checklist based upon audit.
  • Contact the auditee to agree a mutually convenient date(s) for the audit and to discuss the scope of the audit.
  • The internal auditor/s conduct the audit using a checklist(s) as a guide. They examine the objective evidence and records relevant details.

The Information Security Manager and/or internal auditor/s may expand a checklist if additional questions become necessary, e.g. to determine compliance with the data protection legislation, including any processing of high-risk personal data and any processing of personal data conducted by subcontracted data processors.
Confidentiality during audit: when an internal audit or third party surveillance necessitates checking client files or databases, precautions must be taken to ensure that client confidentiality is preserved. Wherever possible, access is limited to satisfying the internal auditor/s that a file or database exists, is properly identified and is secure. If it is essential to check content, then access is limited to non-sensitive data.

During an audit, the internal auditor/s evaluate the evidence found and analyse the apparent non-conformances to ensure their validity as audit findings.

Where non-conformances are found and the corrective action agreed, the internal auditor/s will note the actions against the non-conformance. Where actions were completed at time of audit the internal auditor/s may sign off the non-conformance.

Following completion of an audit, the internal auditor/s prepare a formal Audit Report comprising an Audit Lead Sheet, a number of Non-Conformance Reports , one relating to each non-conformance identified (including those closed at the time of the audit), and additional sheets covering observations. The findings of the audit are summarised on the Audit Lead Sheet, including the number and nature of non-conformances.

Where the Internal Auditors use support documentation, this may be inserted into the Audit Report as observations, at the discretion of the internal auditor/s and in addition to the normal Audit Lead Sheet.

The internal auditor/s obtain the signature of the main auditee on the Audit Lead Sheet, acknowledging the findings, and on each Non-Conformance Report to agree the non-conformance. A copy of the Audit Lead Sheet is given to the auditee for information and the complete report, together with all working papers, are sent to the Information Security Manager.

The Information Security Manager will file any working papers that do not form part of the official report separately.

On receipt of the completed Audit Report, the Information Security Manager logs the Audit Report, and progresses any Non-Conformance Reports, cross-referencing the Non-Conformance Report Log Number on the Audit Lead Sheet.

The Information Security Manager and relevant staff should consider formally assessing the risks presented to Upmind Automation Limited of the nonconformity (e.g. if it concerns a major flaw in plans for a high-impact critical activity) until it has been closed and adding them to the risk register if appropriate. Short term “workaround” corrective action might be considered pending full root cause analysis and formal closure of the long term corrective action.

The Information Security Manager reviews the observations, with a view to raising a Non-Conformance Report relating to each issue. This then serves to address the findings without a formal non-conformance being raised at audit, and without the Audit Report remaining open for an unnecessarily extended period of time.
When all the non-conformities associated with an audit have been closed the Information Security Manager signs the Internal Audit Report Lead Sheet as completed. A complete copy of the Audit Report is sent to the auditee for confirmation of the closing of the report.

Where the Information Security Manager has reason to believe that the cause of the non-conformance may have resulted in similar non-conformances elsewhere, he/she may require follow-up audits to be carried out on that item, either in the originating area or other affected areas. These are planned in accordance with the process described above.

Should follow-up audits prove necessary, they shall be undertaken in accordance with the requirements of this procedure.

The results of audits shall be summarised by the Information Security Manager and reviewed at management review meetings.