# Internal Audit Schedule & Checklist
| Property | Value |
|---|---|
| Document ID | FW-003 |
| Version | 1.0 |
| Status | Draft |
| Owner | Chief Information Security Officer (CISO) |
| Last Updated | 2026-01-11 |
| Next Review | 2027-01-11 |
| Related Controls | SOC 2: CC4.2 / ISO 27001: 9.2 |
## 1. Purpose
This document defines the internal audit program for the Information Security Management System (ISMS) and security controls. Internal audits verify control effectiveness, identify gaps, and drive continuous improvement.
## 2. Audit Program Overview
### 2.1 Audit Objectives
- Evaluate the design and operating effectiveness of security controls
- Verify compliance with policies, procedures, and standards
- Identify control gaps and improvement opportunities
- Prepare for external audits (SOC 2, ISO 27001)
- Support management oversight and decision-making
### 2.2 Audit Scope
| Area | In Scope |
|---|---|
| Policies and procedures | All security policies |
| Access controls | User access, authentication, authorization |
| Change management | Development, deployment processes |
| Incident response | Detection, response, recovery |
| Vulnerability management | Scanning, patching, remediation |
| Vendor management | Third-party security |
| Data protection | Classification, handling, encryption |
| Business continuity | Backup, disaster recovery |
| Physical security | Office security (if applicable) |
| Personnel security | Training, onboarding, offboarding |
## 3. Annual Audit Schedule
### 3.1 2026 Audit Calendar
| Quarter | Audit Area | Timing | Auditor | Status |
|---|---|---|---|---|
| Q1 | Access Control Review | February | Internal | ⏳ Planned |
| Q1 | Change Management Audit | March | Internal | ⏳ Planned |
| Q2 | Vendor Security Review | April | Internal | ⏳ Planned |
| Q2 | Incident Response Test | May | Internal | ⏳ Planned |
| Q2 | Vulnerability Management | June | Internal | ⏳ Planned |
| Q3 | Data Protection Audit | July | Internal | ⏳ Planned |
| Q3 | Full ISMS Audit | August-September | Internal | ⏳ Planned |
| Q4 | Business Continuity Review | October | Internal | ⏳ Planned |
| Q4 | Pre-Certification Review | November | External | ⏳ Planned |
### 3.2 Recurring Reviews
| Review | Frequency | Owner |
|---|---|---|
| User access review | Quarterly | Security Team |
| Privileged access review | Monthly | Security Team |
| Vendor access review | Quarterly | Security Team |
| Policy review | Annual | CISO |
| Risk assessment | Annual | Security Team |
| Penetration test | Annual | External Vendor |
## 4. Audit Process
### 4.1 Audit Workflow
```text
┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐
│  Planning   │───▶│  Fieldwork  │───▶│  Reporting  │───▶│ Remediation │───▶│  Follow-up  │
└─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘
```
### 4.2 Audit Phases
| Phase | Activities | Duration |
|---|---|---|
| Planning | Define scope, objectives, schedule; notify stakeholders | 1 week |
| Fieldwork | Gather evidence, conduct interviews, test controls | 2-4 weeks |
| Reporting | Document findings, prepare report, discuss with management | 1 week |
| Remediation | Develop action plans, implement fixes | Per finding |
| Follow-up | Verify remediation, close findings | Ongoing |
## 5. Audit Checklists
### 5.1 Access Control Audit Checklist
| # | Control | Test Procedure | Evidence | Pass/Fail |
|---|---|---|---|---|
| 1 | Unique user IDs | Verify no shared accounts in IdP | IdP user list | |
| 2 | Access request process | Sample access request tickets | 5 tickets | |
| 3 | Approval documentation | Verify manager approval | Ticket approvals | |
| 4 | Role-based access | Review RBAC configuration | IdP role settings | |
| 5 | Quarterly access review | Verify reviews completed | Review reports | |
| 6 | Termination process | Sample terminations, verify access revoked | HR records, IdP logs | |
| 7 | MFA enforcement | Verify MFA enabled for all users | IdP MFA report | |
| 8 | Privileged access | Review admin account list, justification | PAM/IdP | |
| 9 | Vendor access | Review active vendor accounts | Vendor inventory | |
| 10 | Access logging | Verify access logs collected | SIEM configuration | |
### 5.2 Change Management Audit Checklist
| # | Control | Test Procedure | Evidence | Pass/Fail |
|---|---|---|---|---|
| 1 | Change request process | Review change management policy | Policy document | |
| 2 | Change documentation | Sample 5 changes for complete tickets | Change tickets | |
| 3 | Approval workflow | Verify approvals present | Ticket approvals | |
| 4 | Testing evidence | Verify testing performed | Test results | |
| 5 | CAB review | Review CAB minutes for high-risk changes | Meeting notes | |
| 6 | Emergency changes | Review emergency change process | Emergency tickets | |
| 7 | Rollback procedures | Verify rollback plans documented | Change tickets | |
| 8 | Separation of duties | Verify developer ≠ approver | Ticket comparison | |
| 9 | Production access | Verify restricted production access | IAM configuration | |
| 10 | Deployment automation | Review CI/CD pipeline security | Pipeline config | |
### 5.3 Incident Response Audit Checklist
| # | Control | Test Procedure | Evidence | Pass/Fail |
|---|---|---|---|---|
| 1 | IR policy exists | Review incident response policy | POL-008 | |
| 2 | IR team defined | Verify roles and contacts | Contact list | |
| 3 | Detection capabilities | Review SIEM alert rules | SIEM config | |
| 4 | Incident tickets | Review incident handling | Sample tickets | |
| 5 | Post-incident reviews | Verify lessons learned documented | Review reports | |
| 6 | Tabletop exercises | Verify annual exercise conducted | Exercise records | |
| 7 | Communication procedures | Review notification process | Procedures | |
| 8 | Evidence handling | Review chain of custody | Evidence logs | |
| 9 | Escalation procedures | Verify escalation paths | Procedures | |
| 10 | External contacts | Verify forensics, legal contacts | Contact list | |
### 5.4 Vulnerability Management Audit Checklist
| # | Control | Test Procedure | Evidence | Pass/Fail |
|---|---|---|---|---|
| 1 | Scanning coverage | Verify all systems scanned | Scan scope | |
| 2 | Scan frequency | Verify weekly scans | Scan logs | |
| 3 | Remediation SLAs | Verify SLA definitions | PROC-004 | |
| 4 | Critical remediation | Sample critical vulns, verify timeline | Remediation tickets | |
| 5 | High remediation | Sample high vulns, verify timeline | Remediation tickets | |
| 6 | Risk acceptance | Review accepted risks | Acceptance records | |
| 7 | Penetration testing | Verify annual pentest | Pentest report | |
| 8 | Dependency scanning | Verify dependency scans in CI/CD | Pipeline config | |
| 9 | Remediation tracking | Review vulnerability dashboard | Dashboard | |
| 10 | Patch management | Verify patching procedures | Patch records | |
### 5.5 Vendor Management Audit Checklist
| # | Control | Test Procedure | Evidence | Pass/Fail |
|---|---|---|---|---|
| 1 | Vendor inventory | Verify complete inventory | Vendor list | |
| 2 | Risk classification | Verify vendors classified by risk | Classifications | |
| 3 | Security assessments | Sample critical vendors, verify assessment | Questionnaires | |
| 4 | SOC 2 reports | Verify SOC 2 obtained for critical vendors | Reports | |
| 5 | Contract clauses | Review security terms in contracts | Sample contracts | |
| 6 | Access controls | Review vendor access, verify time-limited | Access records | |
| 7 | Monitoring | Verify vendor activity logged | Logs | |
| 8 | Annual review | Verify annual reassessment | Review records | |
| 9 | Offboarding | Sample terminated vendors, verify access revoked | Termination records | |
| 10 | Fourth-party risk | Review subcontractor management | Procedures | |
### 5.6 Data Protection Audit Checklist
| # | Control | Test Procedure | Evidence | Pass/Fail |
|---|---|---|---|---|
| 1 | Classification policy | Review data classification policy | POL-005 | |
| 2 | Data inventory | Verify data inventory exists | Data catalog | |
| 3 | Encryption at rest | Verify database encryption | Config screenshots | |
| 4 | Encryption in transit | Verify TLS configuration | SSL scan results | |
| 5 | Key management | Review key management procedures | POL-004 | |
| 6 | Data retention | Review retention schedules | Policy | |
| 7 | Secure disposal | Verify disposal procedures | Disposal logs | |
| 8 | Data backup | Verify backup encryption | Backup config | |
| 9 | Access controls | Verify data access restricted | Access configs | |
| 10 | DLP controls | Review DLP implementation (if applicable) | DLP config | |
## 6. Finding Classification
| Rating | Definition | Remediation Timeline |
|---|---|---|
| Critical | Control failure with significant risk exposure | 7 days |
| High | Material control weakness | 30 days |
| Medium | Control improvement needed | 90 days |
| Low | Minor improvement opportunity | 180 days |
| Observation | Best practice recommendation | Optional |
## 7. Audit Report Template
Executive Summary
- Audit scope and objectives
- Summary of findings
- Overall assessment
Detailed Findings
For each finding:
- Finding ID and title
- Rating (Critical/High/Medium/Low)
- Description
- Risk/Impact
- Recommendation
- Management response
- Remediation timeline
Appendices
- Evidence list
- Interviews conducted
- Documents reviewed
## 8. Finding Tracker
| Finding ID | Audit | Rating | Description | Owner | Due Date | Status |
|---|---|---|---|---|---|---|
| AUD-2026-001 | | | | | | |
| AUD-2026-002 | | | | | | |
| AUD-2026-003 | | | | | | |
## 9. Auditor Independence
Internal auditors must:
- Not audit their own work
- Maintain objectivity and independence
- Report to appropriate level (CISO or above)
- Have adequate training and competence
- Document audit methodology
## 10. Related Documents
- Information Security Policy (POL-001)
- Evidence & Audit Log Tracker (RISK-005)
- Control Mapping Matrix (RISK-004)
## 11. Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-11 | Compliance Team | Initial release |
This document is classified as INTERNAL. Unauthorized distribution is prohibited.