While the purpose and intent behind an internal and an external audit vary slightly, they should follow the same process. Think of an internal audit as a prep session, or the chance to find and solve an issue prior to external personnel discovery. The external audit should be thought of as validation, for the organizational processes in place. The internal audit allows stakeholders of the organization to understand the tactical components of the Information Security Management System (ISMS) so that externally, you can highlight your program. If done correctly, the external audit should not be stressful.
An internal audit may be performed by a third party to minimize any conflicts of interest within the organization. Once an organization has a requirement for a regulatory and compliance team, internal audits may be conducted by a designated individual or team.
A benefit of outsourcing your internal audit is removing any organizational bias (I.e., the vendor is disposable to raise critical concerns). This reduces the concern or repercussions of calling issues out!
Internal Audits should follow the same process as an external audit to provide a training opportunity to answer questions and present evidence effectively. During an internal audit we recommend interviewing the business process owner instead of isolating the interviews with the compliance or security team, even if they are not going to be part of the external audit, as organizations may have different audit strategies.
During the interview process, asking the business process owner where they reference the policies, procedures, or work instructions, checks to see if there are duplicative documents or legacy versions being used. All too often security will assume they have the authoritative version when the business uses their own documentation. This happens often when the document management process is cumbersome or does not allow engineers to document in an efficient manner. Live demonstrations are better during the internal audit versus a collection of evidence, as used during an external audit. This allows the auditor to see error warnings or dates that indicate problems or are ignored.
An external audit is performed by an auditing firm that is either certified or authorized to validate and provide assurance to the compliance of a standard or framework. The difference between an internal and external audit is requirements on how the audit is conducted and documentation. Auditing firms follow rigorous guidelines on how an audit is conducted and what may or may not be accepted as evidence. The external auditor can only know what is presented to them, so it is possible for them to be wrong. If an auditor makes a mistake, Generally, the auditing firm has an escalation process to evaluate disputes. During the process of an external audit, auditors will not only look to see the configurations in place but rather test to see if these controls are functioning properly. Another topic of interest is the importance of understanding how to prepare for an external audit.