How to conduct an internal audit and when to use external resource

Internal Audits are a key component in ensuring that your management system(s) are being properly followed and maintained. For many organisations this can be a daunting task, especially given that internal audits must be conducted regularly in order to maintain ISO certification. As a result, the audits often take place in run up to their surveillance audit / re-certification, sometimes with an element of panic setting in.

How often are internal audits required?

When it comes to satisfying the Internal Audit requirement, the two key questions are often, “shall we do it ourselves or contract a third party to do this?” The other is “how frequently do we need to conduct the audit: monthly/quarterly/annually?”
The answer to this question is, it will depend. It will depend upon the maturity of the organisation, the complexity of the organisation and most importantly, does the organisation have the internal resources to conduct such a task?

How to conduct an internal audit

When it comes to conducting Internal Audits then you generally have two choices:

  1. Conduct them utilising internal resources.
  2. Conduct them using a third party, such as an ISO Consultant.

Conducting an audit using internal resources

If you are conducting an internal audit using internal resources then those doing the work need to demonstrate competence in four areas:

  1. Auditor capability – how to be an auditor and conduct an audit
  2. Knowledge of your management system & processes / policies / procedures / etc.
  3. Knowledge of the requirements of the applicable standard (e.g. ISO 9001, ISO 27001…)
  4. Independence from the process – this does not mean employees cannot audit, it’s more a case of they cannot have any daily responsibility for the management of the system

But how do you ensure your internal resource is competent – and confident – enough to complete the internal audit to the required standards?

One way to achieve this is through a formal, generic recognised training course. Alternatively, it can also be achieved through Certificated Internal Auditor training delivered by a consultancy such as Equas. Indeed, many of our clients prefer this as the training is tailored to your organisation / your system and is frequently more cost-effective. It also includes a short session with the consultant, following your own audits, to review how they went and to provide feedback.

Conducting an audit using external resources

If you don’t have the internal resource or expertise to conduct internal audits you have the option to engage a third-party consultancy, such as Equas. They can plan and deliver the Internal Audit and lead the Management Review on your behalf.

Using a third party to conduct your internal audits has a number of benefits over the use of internal resource, including:

  1. Independence – being completely independent means that the auditor will not have any involvement with your systems and processes and therefore will be able to approach the audit without any preconceptions.
  2. Expertise – third-party auditors will generally be certified to conduct internal audits and therefore they will know best practices.
  3. Experience – having conducted dozens, if not hundreds of internal audits, an experienced third party auditor can bring not only qualified best practices but also real-life experiences from the other businesses and industries he or she has experienced, all of which can add value to your own internal audit processes and, indeed, your business overall.
  4. Impartiality – when using an external third-party consultancy you have the added comfort of knowing that they will be impartial. They have no vested interest in one outcome or another.

Their sole purpose is to conduct the audit and provide feedback. They also won’t have the potential conflict of having friends or colleagues responsible for elements that are being audited.

Which is the best choice for your business?

Ultimately, the decision rests with you. The primary objective is ensuring that the Internal Audit is completed in a way that meets the requirements of ISO Standards. Of course, we would be delighted to talk to you about your options and to provide a no-obligation quotation to support you with any or all of your requirements. Contact us today.

Download our free Internal Audit resources

To help you understand the typical requirements of an internal audit you can download our free templates – Internal Audit Agenda and Internal Audit Checklist/Report (examples are for ISO 27001) – just enter your email address below.

Written by


Receive the latest Cyber Security News and Content

Fields marked with an * are required


Ascentor Ltd is committed to protecting and respecting your privacy, and we'll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick below to say how you would like us to contact you:

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit below, you consent to allow Ascentor Ltd to store and process the personal information submitted above to provide you the content requested.

Green Bird - White top right

Contact Us

Your cyber security challenges and our pragmatic approach – we could be the perfect fit.
Contact the team at Ascentor for an informal chat.

Get in Touch