📋 Audit guide - international practice
Six basic topics on auditing: how an audit runs, who is responsible for what, and which standards the auditor works to (ISO 19011, IIA, COBIT, SOC, NIST). The examples are fictional and intended for teaching.
Audit Life Cycle
ISO 19011:2018 - Audit activities with continuous improvement loop
Application
Applies to any audit, whether an ISO 27001 audit, a quality audit or a NIS2 compliance check: the steps remain the same.
Reference
ISO 19011:2018 (Guidelines for auditing management systems) · IIA Global Internal Audit Standards 2024.
Safety Note
Start where the risk is greatest (risk-based audit programme). Every finding must rest on evidence, not just on a conversation.
Roles of governance and confidence
IIA Three Lines Model 2020
Application
Shows who is responsible for what: the first line owns and operates the controls, the second line oversees and supports (risk, compliance), and the third line (internal audit) provides independent assurance.
Reference
IIA Three Lines Model (2020; previously the Three Lines of Defence model).
Safety Note
Internal audit must not audit its own work. It therefore reports functionally to the board (audit committee), not to executive management; otherwise its assessment is not objective.
Classification of audit parties
Types of audit: first-, second- and third-party
Application
Helps to understand how independent the auditor is and why the audit takes place: the organisation's own improvement (first party), checking a supplier (second party) or certification (third party).
Reference
ISO 19011:2018 (3.1, definition of audit: first-, second- and third-party) · ISO/IEC 17021-1 · ISO/IEC 27006.
Safety Note
An ISO 27001 certificate can only be issued by an independent, accredited certification body (third-party audit). A customer checking its suppliers is a second-party audit (relevant to the NIS2 supply-chain requirements).
Map of international auditing standards
Standards landscape by audit objective
Application
Helps to choose the right standard for what you want to achieve: a certificate, better IT governance, or compliance with the law.
Reference
ISO · ISACA (COBIT) · AICPA (SOC) · IAASB (ISA) · IIA · NIST · EU regulations (NIS2, GDPR, DORA).
Safety Note
Standards overlap. A well-implemented ISO 27001 ISMS often covers a large part of SOC 2 and NIS2 as well. Map the controls across frameworks so that the same work is not done twice.
Audit evidence and sample
Sufficient and appropriate evidence · reliability hierarchy
Application
Conclusions must be based on evidence, not on what was said. A sample examines part of a population and draws a conclusion about the whole.
Reference
ISO 19011:2018 (6.4.7 collecting and verifying information; Annex A.6 sampling) · NIST SP 800-53A (Examine / Interview / Test) · ISA 500 · ISA 530.
Safety Note
System-generated exports and the auditor's own re-performance are more reliable than a person's account. Ask for evidence that the auditee cannot easily tailor after the fact.
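The sampling step above ("examine a part and conclude on the whole") is usually done as attribute sampling in the sense of ISA 530: pick the smallest sample that, at the chosen confidence level, would almost certainly expose a deviation rate at or above the tolerable rate, then compute an upper bound on the population deviation rate from what was actually observed. The following Python is an added example written for this guide, not code from ISO, the IIA or any of the standards bodies cited. The population of access-review records, the `manager_approved` attribute and the helper names are constructed assumptions for the demonstration; the arithmetic is the standard binomial method behind the common attribute-sampling tables.

```python
"""Attribute sampling for a control test (added example, not from the guide).

Hypothetical setting: the population is a constructed list of access-review
records; a record counts as a deviation when it lacks a manager's approval.
Method: choose the smallest sample size n such that, if the true deviation
rate were equal to the tolerable rate, the probability of observing no more
than the expected number of deviations would be at most (1 - confidence).
After testing, compute a one-sided upper bound on the population deviation
rate; the control is accepted only if that bound is within tolerance.
"""
import math
import random


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), exact via math.comb."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(confidence: float, tolerable_rate: float, expected_deviations: int = 0) -> int:
    """Smallest n with P(X <= expected | n, tolerable_rate) <= 1 - confidence.

    Examples: 95% / 10% / 0 expected -> 29; 95% / 5% / 0 -> 59; 95% / 10% / 1 -> 46.
    """
    alpha = 1 - confidence
    n = expected_deviations + 1
    while binom_cdf(expected_deviations, n, tolerable_rate) > alpha:
        n += 1
        if n > 100_000:
            raise ValueError("sample size does not converge; check the parameters")
    return n


def upper_deviation_limit(n: int, observed: int, confidence: float) -> float:
    """One-sided upper confidence bound on the population deviation rate.

    Solves P(X <= observed | n, p) = 1 - confidence for p by bisection
    (the binomial CDF is decreasing in p), returning the conservative side.
    """
    if observed >= n:
        return 1.0
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(observed, n, mid) > alpha:
            lo = mid  # p too small: seeing this few deviations is still likely
        else:
            hi = mid
    return hi


def evaluate_sample(population, confidence, tolerable_rate, expected_deviations=0, seed=0):
    """Draw a random sample, count deviations and decide whether the control holds."""
    n = sample_size(confidence, tolerable_rate, expected_deviations)
    if n > len(population):
        raise ValueError("population smaller than the required sample: test every item")
    rng = random.Random(seed)  # seeded so the selection is reproducible for the workpapers
    sample = rng.sample(population, n)
    observed = sum(1 for rec in sample if not rec["manager_approved"])
    udl = upper_deviation_limit(n, observed, confidence)
    return {
        "sample_size": n,
        "sampled_ids": sorted(rec["review_id"] for rec in sample),
        "observed_deviations": observed,
        "upper_deviation_limit": udl,
        "control_effective": udl <= tolerable_rate,
    }


def build_population(size: int = 400, deviations: int = 6, seed: int = 42):
    """Constructed test data: access-review records, a few without manager approval."""
    rng = random.Random(seed)
    records = [{"review_id": f"AR-{i:04d}", "manager_approved": True} for i in range(size)]
    for idx in rng.sample(range(size), deviations):
        records[idx]["manager_approved"] = False
    return records


if __name__ == "__main__":
    result = evaluate_sample(build_population(), confidence=0.95, tolerable_rate=0.10)
    print(result)
```

Note the asymmetry the numbers expose: with 29 items and zero expected deviations, a single deviation in the sample pushes the upper bound above the 10% tolerable rate, so the auditor cannot conclude the control is effective and must either expand the sample or report a finding. The `sampled_ids` list is what goes into the workpapers so that the selection can be re-performed.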
Classification and opinion of findings
Nonconformities (ISO) and audit findings / opinions (ISA / SOC)
Application
Grades findings by severity and forms an opinion. This determines whether a certificate is issued and how much assurance the audit provides.
Reference
ISO/IEC 17021-1 (nonconformity classification) · ISA 700 (forming the audit opinion) · AICPA SOC reports.
Safety Note
A major nonconformity means a control is missing or has seriously failed. The certificate is not issued until the nonconformity has been corrected and the correction verified.