Glossary · Compliance concepts

What is Internal Audit?

Also known as: Internal Assessment, Self-Assessment, First-Party Audit

An internal audit is a self-assessment an organization performs on its own management system before an external certification or examination. Its purpose is to find nonconformities and gaps so they can be fixed first. In ISO 27001, internal audits are a mandatory, recurring requirement under clause 9.2 of the standard.

Key takeaways

  • An internal audit is the organization checking itself before an external body does.
  • Its main job is to surface nonconformities while there is still time to fix them.
  • ISO 27001 clause 9.2 makes internal audits a mandatory, recurring activity.
  • Auditors should be objective and not audit their own work.
  • Findings feed corrective action and continual improvement of the system.

What is the purpose of an internal audit?

An internal audit exists to catch problems early. By systematically checking whether controls and processes conform to a chosen standard, the organization can correct gaps before a certification body or external auditor encounters them, when fixes are cheaper and lower-stakes.

For ISO 27001, this is not optional. Clause 9.2 requires the organization to conduct internal audits at planned intervals to determine whether the information security management system conforms to requirements and is effectively implemented and maintained.

How an internal audit is conducted

A typical internal audit follows a planned cycle: define the scope and criteria, select objective auditors, gather evidence, identify findings, and report results to management. The output is a set of conformities, nonconformities, and opportunities for improvement.

  • Plan an audit programme covering all in-scope areas over time.
  • Use auditors who are independent of the area being audited.
  • Test controls against the standard and the organization's own policies.
  • Document nonconformities with evidence and severity.
  • Drive each finding into corrective action and verify closure.

A key principle is objectivity: auditors should not assess their own work, which is why many organizations rotate auditors or bring in an independent internal resource.

Internal audit versus external audit

An internal audit is a first-party activity run by or for the organization itself. An external audit, such as a SOC 2 examination or an ISO 27001 certification audit, is performed by an independent third party whose opinion carries weight with customers and regulators.

The two are complementary. A strong internal audit, supported by continuous control monitoring, means the external auditor finds fewer surprises, which shortens the path to SOC 2 or ISO 27001.

Treating the internal audit as a genuine dress rehearsal, rather than a box-ticking exercise, is what separates a smooth certification from a painful one.

Frequently asked questions

Who can perform an internal audit?
Anyone competent and objective, including internal staff who do not own the area under review, or an outside consultant acting on the organization's behalf. The key requirement is independence from the work being audited.
How often are internal audits required under ISO 27001?
ISO 27001 requires internal audits at planned intervals rather than a fixed frequency, so organizations define a programme, commonly covering the full scope at least annually.
What happens when an internal audit finds a nonconformity?
The organization records it, investigates the cause, and takes corrective action, then verifies the fix. This corrective-action loop is itself a requirement of management-system standards.
Is an internal audit the same as a readiness assessment?
They overlap but are not identical. A readiness assessment gauges how prepared you are for a specific external audit, while an internal audit is a formal, recurring conformity check that standards like ISO 27001 mandate.

Authoritative sources

← Back to the glossary