Internal audit: objective assurance that your systems actually work

At A Glance

  • What it is: Independent ISO 27001 and ISO 42001 internal audit.

  • Who it's for: Boards, audit committees, senior leadership.

  • What you get: Board-ready report with clear findings and recommendations.

  • Starting point: Free 20-minute scoping call.

Internal audit is required by ISO 27001 and ISO 42001. But the real purpose isn't ticking a box—it's giving your board genuine confidence that controls are operating, risks are managed, and the system will hold up under external scrutiny.

I provide independent internal audit as a certified Lead Auditor. My job is to tell you what's actually happening, not what you want to hear.

Why independent internal audit matters

Many organisations treat internal audit as a formality. Someone reviews their own work, produces a report with minor findings, everyone moves on. The problem: when something actually goes wrong, the foundations turn out to be hollow.

Genuine internal audit provides:

Objective Assessment — An auditor with no stake in the outcome.

Board-Level Confidence — Evidence that isn't self-certified.

Preparation For External Audit — Strong internal audit makes certification smoother.

Continuous Improvement — Find gaps before they become incidents.

Regulatory Credibility — Demonstrates you take assurance seriously.

What I audit

ISO 27001 — ISMS scope, risk assessment, Statement of Applicability, controls, documentation, continual improvement.

ISO 42001 — AI lifecycle, AI risk assessment, bias and fairness controls, transparency, human oversight.

Integrated Systems — How ISO 27001 and ISO 42001 work together.

Surveillance Preparation — Focused audit on areas certification bodies will probe.

How engagements work

Scoping — Agree audit scope: systems, locations, processes.

Execution — Document review, interviews, evidence sampling. Typically 2–5 days.

Reporting — Clear report: conformities, non-conformities, observations, overall opinion. Written for board consumption.

Closing Meeting — Present findings, answer questions. No surprises.

Follow-Up (optional) — Remediation advice, maintaining separation from re-audit.

Impartiality

I don't audit systems I designed in the same cycle — if I built your ISMS, I won't audit it until a full cycle has passed.

No commercial interest in your outcome — My fee doesn't depend on a clean report.

Accountable to your board — Not your operations team.

Certification bodies scrutinise internal audit independence. Maintaining separation protects the value of your audit programme.

Who this is for

Enterprises with existing management systems — Need annual internal audit. Internal team lacks capacity, objectivity, or specialism.

Organisations building toward certification — Need internal audit as part of the certification process.

Universities and research institutions — Complex stakeholder environments.

Boards and audit committees — Independent validation of management assurances.

Approaching surveillance audits — Surface issues before external assessment.

Pricing approach

Fees depend on:

  • Locations and business units in scope.

  • ISMS/AIMS size and complexity.

  • ISO 27001, ISO 42001, or both.

  • Documentation maturity.

  • Travel requirements.

Fixed-fee quote after the scoping conversation.

Note: Gold implementation tier includes one full internal audit cycle.

Common questions before engaging

How often is internal audit required? ISO 27001 and ISO 42001 require audit at planned intervals—typically annually.

Can our staff conduct internal audit? Yes, with appropriate competence and independence. Many organisations use a mix.

What's the difference from certification audit? Internal audit is by or for your organisation. Certification audit is by an accredited body to award certification.

What if you find serious problems? I report what I find. Major non-conformities are documented with remediation guidance.

Do you provide a certificate? No. Internal audit produces a report. Only certification bodies issue certificates.

Next step

Book a 20 minute scoping call. Tell me about your situation, timeline, and what's at stake. I'll give you an honest view of what's involved and whether I'm the right fit.
