The aim of internal audit is to surface the maximum number of gaps and nonconformities in your management system while there is still time to fix them. The deeper the testing, the more is found. The more found internally, the fewer surprises emerge at external audit. The relationship is best-effort, not guaranteed; what internal audit controls is the depth of internal examination, not the outcome of an audit conducted by another party.

The discipline is not complicated. It is simply uncommon.

What thorough actually means

The difference between a paper-exercise internal audit and a thorough one is not the depth of the template. It is the discipline applied. A thorough internal audit interrogates the management system end to end. Six dimensions distinguish thorough from paper-exercise work.

Full clause coverage. Every requirement in Clauses 4 through 10. Every applicable Annex A control. Not a curated subset. Selective sampling against a pre-tick checklist surfaces a fraction of what a thorough audit surfaces, and conceals which controls were not meaningfully examined.

Evidence testing standard. Policies are not evidence of operation. Records are. The audit tests whether the records actually exist, whether they are current, whether they cover the sampled periods, and whether the process owner can demonstrate how the control operates. Evidence accepted at face value produces a finding count that does not reflect reality.

Control-narrative defensibility. Each control links back to a real risk and a real treatment decision. Where the link is broken or assumed, the gap is documented. Control narratives that look defensible in isolation often fail when the chain from asset to risk to treatment to residual risk acceptance is traced.

Scope challenge. Scope decisions, exclusions, and Statement of Applicability entries are examined the way they would be examined under audit conditions. An exclusion that looks reasonable to the implementer often turns out to be a gap when challenged. Defensible scope is one of the audit's most valuable internal deliverables.

Finding clarity. Nonconformities are written in language that closes cleanly: specific clause, specific evidence, specific gap. Findings phrased as "consider improving" do not function as findings; they satisfy a clause without doing the work.

Structured reporting. The audit report is the input to management review and the foundation for corrective action. Its structure determines whether the organisation can act on it. A report that buries findings in narrative is harder to action than a report structured around specific, owned, dated commitments.

Why Clause 9.2 requires it

Internal audit is mandatory under Clause 9.2 of every ISO management system standard: ISO/IEC 27001:2022, ISO/IEC 42001:2023, ISO/IEC 27701, ISO 9001, and the VDA ISA framework underlying TISAX. The Harmonized Structure is identical across all of them. Internal audits must be conducted at planned intervals against an audit programme. Evidence, findings, and corrective action follow-up must be documented. Results must be reported to management. This is required before a certification body can certify or recertify.

What the standard does not require is that internal audit be performed at any particular depth or rigour. The standard permits internal audit at the lowest cost or effort acceptable to the organisation. Whether such internal audit actually serves the organisation is a separate question.

The impartiality problem

Clause 9.2 requires the internal auditor to be objective and impartial regarding the activity being audited. In any organisation under approximately one hundred people, true impartiality between auditor and auditee is structurally difficult internally. The ISMS manager who designed the controls cannot meaningfully audit them. The compliance officer who wrote the policies cannot meaningfully audit the controls those policies describe. The internal auditor who reports to the senior leader operationally responsible for the system cannot independently audit that leader's commitment to the system.

External internal audit addresses this. An external practitioner, governed by written confidentiality and ISO/IEC 17021-1 impartiality discipline, audits the management system with full independence.

Beyond ISO: regulator-aligned internal audit

Internal audit is also effectively required, less explicitly, across most major regulatory frameworks. SOC 2's Common Criteria CC4.1 and CC4.2 require ongoing and separate evaluations of internal control effectiveness. NIS 2 Article 21(2)(f) requires policies and procedures to assess the effectiveness of cybersecurity risk-management measures. EU AI Act Article 17 requires a quality management system for high-risk AI systems, including internal audit of its effectiveness.

None of these frameworks includes a clause as explicit as ISO Clause 9.2. All of them include an evaluation expectation that internal audit is the cleanest way to satisfy. Internal audit applied with ISO discipline to a regulator-aligned scope produces an evidence record that withstands the relevant regulator's review.

The arithmetic of internal audit

The work of internal audit is identification. Maximum identification of gaps internally tends toward minimum surprises externally. The relationship is not a guarantee. Audit outcomes depend on the certification body's auditor, on operational reality at the time of external audit, and on decisions outside the audit process. What internal audit controls is the depth of internal examination. Done thoroughly, it surfaces what is there. Done as a paper exercise, it does not.

Organisations that commission paper-exercise internal audit and then face external audit are not benefiting from internal audit. They are receiving the external auditor's findings, late, with consequences. Organisations that commission thorough internal audit face external audit having already addressed what would have surfaced. External audit still finds things; that is the nature of audit. The difference is the volume and the materiality.

What to ask before commissioning internal audit

If you are evaluating an internal audit provider, four questions distinguish thorough work from paper-exercise work.

What is your audit methodology? Ask to see an anonymised report. The structure of findings, the depth of evidence testing, and the language used to describe gaps are all visible from a sample report. Methodology that produces vague, unspecific findings will not produce thorough work.

How do you handle impartiality and confidentiality? A serious practitioner operates under a written impartiality discipline and shares findings with no third party. Both should be evidenced before the engagement begins.

What is your independence discipline? ISO/IEC 17021-1 keeps certification auditing and consulting strictly separate, so the body that certifies you cannot have provided consultancy to you within the prior two years. A serious internal audit provider keeps your internal audit fully independent of any certification decision and confidential to you. This protects you and signals impartiality discipline.

What will I receive that supports management review? Internal audit feeds management review. The output should be structured so that decisions, corrective actions, and risk treatment can be taken from it directly. A report that requires translation before it can drive management review is doing less than half the work.

The decision

The standard requires internal audit. The standard does not require that it be done well. The decision facing your organisation is whether the internal audit you commission will surface the gaps in your management system, or whether it will satisfy Clause 9.2 without doing the work.

There is no neutral middle. Internal audit done thoroughly identifies what is there. Internal audit done as a paper exercise identifies less than what is there. The cost difference between the two is real. The difference in audit outcomes is also real.

Frequently asked questions

Related questions on this topic, answered from the audit chair.

How often is internal audit required?

ISO/IEC 27001:2022 Clause 9.2 requires internal audits at planned intervals against an audit programme. Most organisations operate an annual internal audit cycle that covers the full management system across a defined period, typically twelve months. For larger or higher-risk operations, a rolling audit programme covering different parts of the system every quarter is common. The standard does not prescribe a frequency; it requires the programme to be defined and followed.

Who can perform internal audit?

The internal auditor must be competent and impartial regarding the activity being audited. ISO 19011 requires demonstrable competence: relevant knowledge, skills, training, and experience for the standard and scope being audited. The standard does not prescribe a specific certificate name, but competence must be evidenced. The auditor must not audit their own work or work they are operationally responsible for. In smaller organisations, true structural impartiality is difficult to achieve internally, which is one reason external internal audit is common.

Can I do internal audit in-house?

Yes, with caveats. The auditor must be impartial regarding the audited activity. In organisations above approximately one hundred people with a dedicated compliance function separate from the ISMS implementation team, internal audit can be performed credibly in-house. In smaller organisations where the same individuals design, implement, and operate the ISMS, the impartiality requirement effectively precludes credible in-house internal audit.

What does external internal audit typically cost?

Cost depends on scope, certification standard, organisation size, and audit duration. For a focused ISO 27001 internal audit at a small or mid-sized organisation, a fixed-fee engagement is typical. Multi-standard audit programmes (ISO 27001 plus ISO 42001 or TISAX) and three-year audit programmes tied to a certification cycle reduce per-audit cost compared to one-off engagements.

Can one internal audit cover multiple standards?

Yes. The Harmonized Structure means a single audit programme can cover ISO 27001, ISO 42001, ISO 27701, and the VDA ISA framework underlying TISAX in an integrated way. This is significantly more efficient than running separate audits. The audit report identifies findings against each standard separately so that each certification body can use the relevant section.

Need internal audit delivery? AuditVantage® provides internal audit at three engagement scopes for ISO/IEC 27001, ISO/IEC 42001, ISO/IEC 27701, TISAX, SOC 2, NIS 2, and EU AI Act Article 17 QMS internal audit: a single annual audit, a multi-standard audit programme, or a three-year audit programme tied to your certification cycle.
