PPPR-14

Do you have documented, and currently implemented, internal audit processes and procedures?

Explanation

This question is asking whether your organization has formalized, documented internal audit processes that are actively being followed, not just written down and forgotten. Internal audits are systematic, independent reviews of your organization's activities, controls, and processes to ensure they are operating effectively and in compliance with established policies and regulatory requirements. These audits are performed by personnel within your organization (as opposed to external auditors).

In a security assessment context, this question matters because:

1. Internal audits demonstrate a commitment to self-assessment and continuous improvement
2. They help identify security gaps before they become serious problems or are found by external auditors
3. They show maturity in your security program - you're not just implementing controls but verifying they work
4. Many compliance frameworks (SOC 2, ISO 27001, etc.) require internal audit processes

When answering, you should:

- Confirm whether you have documented internal audit procedures
- Explain how frequently audits occur (quarterly, annually, etc.)
- Mention who performs these audits (internal audit team, compliance team, etc.)
- Describe the scope of these audits (what systems/processes they cover)
- Explain how findings are tracked and remediated
- If possible, mention recent audit activities to demonstrate active implementation

Example Responses

Example Response 1

Yes, our organization has documented internal audit processes and procedures that are currently implemented. We maintain a formal Internal Audit Policy and supporting procedures document that outlines the scope, frequency, methodology, and reporting requirements for all internal audits. Our dedicated Internal Audit team conducts quarterly audits across all critical systems and annually reviews all security controls. The audit schedule is maintained in our GRC platform, with findings tracked to remediation in a formal risk register. Our most recent internal audit was completed last month, covering access controls and change management processes, with all findings presented to our executive leadership team. Audit reports and remediation plans are retained for a minimum of three years.

Example Response 2

Yes, we have documented and implemented internal audit processes. Rather than maintaining a dedicated audit team, we operate on a peer-audit model where department leads are trained to audit other departments on a rotating schedule. Our audit procedures are documented in our Information Security Management System (ISMS) and include templates, checklists, and evaluation criteria. We conduct security-focused audits semi-annually, with operational audits occurring quarterly. All audit findings are categorized by severity, assigned to responsible parties, and tracked to completion in our ticketing system. Our Compliance Manager oversees the entire process and reports results to our Security Steering Committee. Our most recent audit cycle was completed in Q2 2023, with 92% of previous findings successfully remediated.

Example Response 3

No, we currently do not have formally documented internal audit processes and procedures. As a small organization with limited resources, we have prioritized implementing security controls over establishing a formal internal audit program. We do conduct informal reviews of our security practices when issues arise or before customer security assessments, but these are ad-hoc rather than following documented procedures. We recognize this as a gap in our security program and have plans to develop and implement formal internal audit processes in the next 6-12 months. In the interim, we rely on external penetration tests and vulnerability assessments to identify security gaps, and we maintain a risk register to track and remediate findings from these external assessments.

Context

Tab: Organization
Category: Policies, Processes, and Procedures

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub