Conducting internal audits of your ISO (27001 and otherwise) Management Systems is an essential part of gaining and maintaining your ISO certification(s).

Internal audits are primarily designed for organisations to have an opportunity to “check their own homework” ahead of paying the fee to have an external auditing body in to assess your system against the requirements of the standard in a more formal manner, risking the status of certification if anything seriously broken is found.

Internal vs external audits

Internal and external auditors are two completely different bodies, with totally different aims. 

• An external auditor is checking to see if your system is secure, effective and does the job you built it to do, in line with the standard to which you are being audited. They are not allowed to consult/advise, and can therefore only assess your system against the requirements of the standard. 

• An internal auditor is checking your system with a much broader lens, their main job is to find all the gaps/anything that may come up in the external audit. They are there to determine the effectiveness, safety, structure and function of the system (ISMS or MS or otherwise), whilst also advising on ways the system might be improved to suit the organisation better. They may suggest future risk reductions and constructive operational improvements. An internal audit should be conducted in such a way that the auditor is able to cover a wide range of the standard, in depth and precisely.

When you outsource this internal audit process, as a general rule you will be paying for specialists in the field, who will audit in a similar way to external auditors.

So what are the pros and cons of outsourcing your INTERNAL audits?

Although we always think outsourcing is a good idea, there are some cons:

• It’s a higher cost upfront

• It’s slightly more organisation

• It can be pointless if the outsourced auditor is rubbish

• It requires you provisioning an external body access to your systems - though, you have to do this for an external audit anyway.

And so what are the pro’s?

• A specialist auditing body will have staff who are experts in the field/certifications they’re auditing

• It will save an organisation money (in the way of saving time/resources - avoiding having to employ someone to audit as part of their role)

• The timescale can be flexible

• There won’t be any risk of bias (checking one's own homework syndrome ;))

• An external body will provide a much more in depth report

• For fast growing companies, outsourcing the internal audit eradicates need for an internal audit team/person

Do you want to outsource your internal audits?

If you want to know more about outsourcing your internal audits, please get in touch to speak to a member of our team, who will be happy to advise you further.