Do you have documented, and currently implemented, internal audit processes and procedures?
Explanation
Internal audit maturity is what reviewers are checking: they want documented audit processes and procedures that are genuinely in use rather than merely written and shelved.
Internal audits are systematic, independent reviews of your organization's activities, controls, and processes to ensure they are operating effectively and in compliance with established policies and regulatory requirements. These audits are performed by personnel within your organization (as opposed to external auditors).
In a security assessment context, this question matters because:
- Internal audits demonstrate a commitment to self-assessment and continuous improvement
- They help identify security gaps before they become serious problems or are found by external auditors
- They show maturity in your security program - you're not just implementing controls but verifying they work
- Many compliance frameworks (SOC 2, ISO 27001, etc.) require internal audit processes
When answering, you should:
- Confirm whether you have documented internal audit procedures
- Explain how frequently audits occur (quarterly, annually, etc.)
- Mention who performs these audits (internal audit team, compliance team, etc.)
- Describe the scope of these audits (what systems/processes they cover)
- Explain how findings are tracked and remediated
- If possible, mention recent audit activities to demonstrate active implementation
Example Responses
Example Response 1
Yes, our organization has documented internal audit processes and procedures that are currently implemented We maintain a formal Internal Audit Policy and supporting procedures document that outlines the scope, frequency, methodology, and reporting requirements for all internal audits Our dedicated Internal Audit team conducts quarterly audits across all critical systems and annually reviews all security controls The audit schedule is maintained in our GRC platform, with findings tracked to remediation in a formal risk register Our most recent internal audit was completed last month, covering access controls and change management processes, with all findings presented to our executive leadership team Audit reports and remediation plans are retained for a minimum of three years.
Example Response 2
Yes, we have documented and implemented internal audit processes Rather than maintaining a dedicated audit team, we operate on a peer-audit model where department leads are trained to audit other departments on a rotating schedule Our audit procedures are documented in our Information Security Management System (ISMS) and include templates, checklists, and evaluation criteria We conduct security-focused audits semi-annually, with operational audits occurring quarterly All audit findings are categorized by severity, assigned to responsible parties, and tracked to completion in our ticketing system Our Compliance Manager oversees the entire process and reports results to our Security Steering Committee Our most recent audit cycle was completed in Q2 2023, with 92% of previous findings successfully remediated.
Example Response 3
No, we currently do not have formally documented internal audit processes and procedures As a small organization with limited resources, we have prioritized implementing security controls over establishing a formal internal audit program We do conduct informal reviews of our security practices when issues arise or before customer security assessments, but these are ad-hoc rather than following documented procedures We recognize this as a gap in our security program and have plans to develop and implement formal internal audit processes in the next 6-12 months In the interim, we rely on external penetration tests and vulnerability assessments to identify security gaps, and we maintain a risk register to track and remediate findings from these external assessments.
Context
- Tab
- Organization
- Category
- Policies, Processes, and Procedures
Related questions
- Do you have a documented patch management process?
- Can your organization comply with institutional policies on privacy and data protection with regard to users of institutional systems, if required?
- Is your company subject to the institution's geographic region's laws and regulations?
- Can you accommodate encryption requirements using open standards?
- Do you have a documented systems development life cycle (SDLC)?
- Do you perform background screenings or multi-state background checks on all employees prior to their first day of work?

