Selecting and Training Internal Auditors
The Uncomfortable Truth About Internal Auditor Selection
The internal audit program lives or dies based on the people you put in those seats. I've watched organizations burn through three audit cycles with zero meaningful findings because they staffed their program with whoever had the lightest workload that quarter. Then I've seen lean startups run circles around enterprise competitors because they invested in two sharp internal auditors who actually understood both the standard and the business.
Here's what most organizations get wrong from day one: they treat internal auditor selection like jury duty—an obligation to fill rather than a strategic capability to build. The result is predictable: checkbox audits that find documentation gaps while missing systemic control failures, audit reports that gather dust, and a certification cycle that feels like theater rather than genuine security improvement.
Clause 9.2 requires internal audits but says little about who should conduct them beyond requiring that auditor selection and conduct ensure objectivity and impartiality. That brevity isn't permission to staff casually. It's a trap that springs during certification audits when I ask the internal auditor to walk me through their methodology and they can't articulate why they examined what they examined.
Let me tell you about a financial services firm I audited last year. They had assigned their internal audit function to a junior IT support technician—not because he was qualified, but because he was "interested in security" and had capacity. His audit reports were meticulous in documenting that policies existed and were reviewed annually. He missed that their entire backup infrastructure hadn't been tested in 18 months and that access reviews were being signed off without actually reviewing anything. That's the difference between auditing for compliance and auditing for effectiveness.
Selection Criteria That Actually Matter
The selection criteria that separate effective internal auditors from documentation checkers:
- Business acumen first, technical knowledge second. Your auditor needs to understand how your organization actually operates, where the money flows, what keeps executives awake at night. Technical knowledge can be taught; institutional understanding takes years.
- Healthy skepticism without cynicism. The best internal auditors I've worked with maintain professional doubt without becoming adversarial. They question everything while remaining collaborative enough that process owners actually talk to them.
- Comfort with ambiguity. Real audit findings rarely present themselves cleanly. Your auditor needs to recognize when something "feels wrong" and dig deeper, even when documentation technically checks out.
- Independence from the areas being audited. This seems obvious, but I regularly encounter internal auditors who report directly to the same manager responsible for the controls they're auditing. That's not independence—that's conflict of interest with a compliance veneer.
According to ISO/IEC TS 27008:2019, the technical specification that provides guidelines for assessing information security controls, effective auditors need both technical competence and the analytical skills to distinguish between controls that look compliant and controls that actually mitigate risk. It emphasizes that auditors must understand not just what controls exist, but how they function within the broader organizational context.
Solving the Independence Challenge
Clause 9.2.2 requires that auditor selection and conduct ensure the objectivity and impartiality of the audit process, which in practice means auditors cannot audit their own work. This seems straightforward until you're in a 50-person company where the IT manager is also the Information Security Officer and the only person who understands the technical controls well enough to audit them.
I've seen organizations solve this several ways, with varying degrees of success:
The rotation model works well for medium-sized organizations. Train multiple people across different departments. The finance auditor examines Control 8.9 (configuration management); the IT auditor examines Control 5.19 (information security in supplier relationships). Everyone stays sharp, and you build organizational understanding of the ISMS across departments. The downside: this requires significant training investment and coordination.
The hybrid model combines internal staff with external expertise. Your internal auditor handles controls like Control 5.1 (policies for information security) and Control 5.2 (information security roles and responsibilities), while you bring in external resources for highly technical areas like Control 8.24 (use of cryptography). This approach works particularly well for cloud-dependent organizations that can leverage ISO/IEC 27017 specialists for cloud-specific controls.
The reciprocal arrangement involves partnering with a similar organization to audit each other. I've seen this work brilliantly between non-competing companies in the same industry, and I've seen it fail spectacularly when the reciprocal relationship became "I'll go easy on you if you go easy on me."
Pro tip: One manufacturing client solved their independence problem creatively. They had a quality management system already, with trained ISO 9001 auditors. They cross-trained their QMS auditors on ISO 27001, creating a pool of internal auditors who understood audit methodology but had no day-to-day involvement in information security operations. The Information Security team reciprocated by learning enough about QMS to audit those processes. Both programs improved.
Small Organization Solutions
For organizations under 50 employees, complete independence is often impossible. Here's what works in practice:
- Partial external support: Use internal resources for organizational controls (Control 5.x series) and business-focused controls, bring in external auditors for technical controls
- Board-level oversight: Have a board member or external advisor review internal audit findings for technical controls where independence is compromised
- Documentation transparency: When auditor independence is limited, document the conflict clearly, have top management accept it, and compensate with additional external review of the affected controls before the certification audit
Building Competence That Survives Turnover
Training internal auditors isn't about memorizing the standard—it's about developing judgment. The most effective training programs I've observed combine three elements:
Standard comprehension with practical application. Don't just teach what Control 8.8 (management of technical vulnerabilities) requires—teach how to recognize when vulnerability management processes exist on paper but fail in practice. Use real examples from your industry sector.
Risk-based thinking development. Train auditors to ask "What could go wrong here?" rather than "Does this document exist?" This aligns with the risk-based approach required throughout Clause 6 and helps auditors focus on controls that actually matter to your organization's risk profile.
Evidence evaluation skills. Following ISO/IEC 27008 guidance, train auditors to distinguish between different types of evidence and their reliability. A screenshot of a configuration setting is evidence; a policy stating that configurations should be secure is not evidence of actual security.
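To make the paper-versus-practice distinction from the vulnerability management point above and the evidence-reliability point here concrete, the following is an added example (not from the article or from any standard) of the kind of effectiveness test an internal auditor can run against Control 8.8. It assumes a policy SLA table (critical 14 days, high 30, medium 90), a scanner CSV export with the columns shown, and a handful of constructed findings; all of these are illustrative assumptions. The policy document proves only that a process is designed; the scan export is operating evidence, and the script measures whether practice actually matched the policy.

```python
"""Effectiveness test for vulnerability management (Annex A Control 8.8).

Added example for illustration only. The SLA values, the CSV layout and the
findings below are constructed assumptions, not data from any real scanner.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed remediation SLA from the (hypothetical) vulnerability policy, in days.
POLICY_SLA_DAYS: Dict[str, int] = {"critical": 14, "high": 30, "medium": 90}

# Constructed scanner export: an empty "fixed" column means still open.
SCAN_EXPORT = """host,id,severity,first_seen,fixed
web-01,ADV-001,critical,2024-03-01,2024-03-10
web-01,ADV-002,critical,2024-04-01,2024-05-15
db-01,ADV-003,high,2024-05-01,
db-01,ADV-004,medium,2024-05-15,
app-02,ADV-005,low,2024-01-01,
app-02,ADV-006,high,2024-06-10,2024-06-20
"""


@dataclass(frozen=True)
class Finding:
    host: str
    id: str
    severity: str
    first_seen: date
    fixed: Optional[date]  # None = still open at the time of the audit


def parse_scan_export(text: str) -> List[Finding]:
    """Parse the assumed CSV layout into Finding records."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        fixed = row["fixed"].strip()
        findings.append(Finding(
            host=row["host"],
            id=row["id"],
            severity=row["severity"].strip().lower(),
            first_seen=date.fromisoformat(row["first_seen"]),
            fixed=date.fromisoformat(fixed) if fixed else None,
        ))
    return findings


def days_open(f: Finding, as_of: date) -> int:
    """Days from detection to fix, or to the audit date if still open."""
    end = f.fixed if f.fixed is not None else as_of
    return (end - f.first_seen).days


def sla_breaches(findings: List[Finding], as_of: date) -> List[Finding]:
    """Findings that exceeded their SLA, whether fixed late or still open."""
    breached = []
    for f in findings:
        limit = POLICY_SLA_DAYS.get(f.severity)
        if limit is None:
            continue  # the assumed policy sets no SLA for low/info findings
        if days_open(f, as_of) > limit:
            breached.append(f)
    return breached


def summarize(findings: List[Finding], as_of: date) -> dict:
    """Working-paper summary: how far practice diverged from the policy."""
    in_scope = [f for f in findings if f.severity in POLICY_SLA_DAYS]
    breached = sla_breaches(in_scope, as_of)
    return {
        "in_scope": len(in_scope),
        "breached": len(breached),
        "breach_rate": len(breached) / len(in_scope) if in_scope else 0.0,
        "open_breaches": [f.id for f in breached if f.fixed is None],
        # The facts above are the evidence; the policy text alone is not
        # evidence that any remediation happened.
        "conclusion": ("control operating as designed" if not breached
                       else "control not operating effectively"),
    }


if __name__ == "__main__":
    audit_date = date(2024, 6, 30)
    report = summarize(parse_scan_export(SCAN_EXPORT), audit_date)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed export as of 30 June 2024, two of the five in-scope findings breach the assumed SLA (one fixed late, one still open), which is a finding backed by dated facts rather than by the existence of a policy. Point parse_scan_export at a real scanner export and the same test becomes the operating-effectiveness evidence the working papers should contain.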
Consider cross-training with related standards. Organizations implementing ISO/IEC 27018 for protecting PII in public cloud services or ISO/IEC 27036 for supplier relationships often find that auditors with broader competence catch issues that single-standard auditors miss.
Ongoing Competence Maintenance
Competence isn't a one-time achievement. Effective programs include:
- Regular exposure to external audits: Have internal auditors observe external certification audits when possible. Nothing shortens the learning curve like watching an experienced auditor work.
- Industry threat intelligence updates: Internal auditors need to understand evolving threats to assess whether controls remain relevant.
- Cross-functional collaboration: Regular interaction with IT, HR, legal, and business units helps auditors understand organizational changes that affect control effectiveness.
What the Auditor Looks For
During certification audits, I examine your internal audit program from several angles:
Auditor qualification evidence: Can your internal auditors articulate their methodology? Do they understand the difference between compliance checking and effectiveness assessment? I'll ask them to walk me through their approach to auditing a specific control.
Independence demonstration: I'll map reporting relationships and look for conflicts of interest. If independence is compromised, how does the organization compensate? Is this documented and approved by top management?
Evidence quality: I review internal audit working papers. Do auditors gather appropriate evidence as outlined in ISO/IEC 27008? Are findings supported by facts, or are they based on assumptions?
Business understanding: Can internal auditors explain why specific controls matter to your organization? Do they understand your critical business processes and how information security supports them?
Common failure point: Internal auditors who can recite control requirements but can't explain why those requirements exist for your specific organization. This often indicates training focused on memorization rather than comprehension.
Making Internal Audits Actually Useful
The best internal audit programs I encounter don't just find nonconformities—they drive continuous improvement. This happens when auditors understand that their role extends beyond compliance checking to business enablement.
Effective internal auditors ask questions like: "This control works as documented, but could it work better?" They identify opportunities to streamline processes while maintaining security effectiveness. They catch control gaps before they become incidents.
For organizations with cloud dependencies, ensure your internal auditors understand cloud-specific considerations from ISO/IEC 27017. Traditional audit approaches often miss shared responsibility boundaries and configuration drift in cloud environments.
Investment vs. Overhead
Yes, building a competent internal audit function requires investment. Training costs money. Good auditors command higher salaries than checkbox checkers. But the return on investment becomes clear during your first certification audit when you don't face major nonconformities, and becomes obvious when your internal auditors catch control failures before they become security incidents.
The organizations that struggle most with ISO 27001 implementation are those that treat internal audit as a necessary evil rather than a valuable business function. The ones that succeed recognize that effective internal auditors are force multipliers for the entire ISMS.
Remember: your internal auditors are often the first line of defense against control failures. Staff that function with people who understand both the business and the standard, and your entire security program becomes more robust. Cut corners here, and the weaknesses will show up in the worst possible places—during certification audits, incident investigations, or risk assessments when stakeholders question your security posture.
For practical guidance on building your internal audit program or resolving auditor competence challenges, connect with the IX ISO 27001 Info Hub community, where practitioners share real-world solutions to these common implementation challenges.
Need personalized guidance? Reach our team at ix@isegrim-x.com.