Last updated: April 29, 2026
Internal audits are the discipline of independently verifying that controls operate as designed. They are required by ISO 27001 (clause 9.2), referenced in the SOC 2 Common Criteria, and a generally good idea regardless: they catch issues before external auditors find them, before regulators find them, and before incidents reveal them. This module covers running internal audits that produce real value, not just paperwork.
Internal vs external — different jobs
- External audit — an independent third party (a certification body (CB) or CPA firm) assesses you against a standard. Outcome: certification or attestation. Performed annually or biennially.
- Internal audit — performed by your own org’s audit function, or by competent staff outside the area being audited. Outcome: continuous improvement. Performed on a schedule and as needed.
Internal audits should make external audits boring. If your external auditor finds issues your internal audit didn’t, your internal audit isn’t working.