Elaborating an audit checklist

Guest
Guest user Created:   Nov 24, 2017 Last commented:   Nov 28, 2017


Quick question: what would be the best way to draft the audit checklist? Would you recommend working from the document review and forming a checklist from that, or doing it from the Statement of Applicability?

Expert
Rhand Leal Nov 24, 2017

I hope this makes sense? (I note from the course I did that you mentioned it was up to the auditor which way, but I am struggling to establish which would work better.)

Answer: Basing your checklist on the documentation review can provide you with a more comprehensive checklist, since it involves not only the Statement of Applicability but also other documents, like laws the organization must comply with, contracts signed between the organization and customers or suppliers, and implemented policies and procedures.

This article will provide you further explanation about building an audit checklist:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

This material will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/

Expert
Rhand Leal Nov 28, 2017

We received this question:

>If for example under access control, in the XXX document of business I am doing an internal audit for, it clearly states that access requests are made by the IT administration and any approval or rejection is dealt with by the information and security manager or senior clerk. Would I still need to speak to the relevant people to ask this question, or would I simply note down that this information is in policy document number xxxx and effectively tick it off my list?
>
>The reason for asking is because this document is around 72 pages long and it could take considerable time to do these for each area within this one document. I would just like to be sure before I proceed with the checklist.

Answer: You must include asking some questions of the relevant people about this document, to ensure people are acting according to what was planned (remember, in an audit you must verify whether controls are planned and implemented properly and whether people are performing as expected).

Regarding the size of the document, you can choose some critical questions to ask (you do not have to cover the whole document in a single audit), considering the time you have to perform the audit. One interesting question is to ask the auditee to show you one access request he has made, explaining how he performed it.
