Internal auditors selection
The conflict can be that the Risk function is also seen as the SME on the project - I don't know how easy it will be to portray the picture in front of the audit that the risk function is not a consultant here but is only doing a compliance job. Any perspective you can please share with me?
Answer:
Before answering your question let me show you my understanding of your scenario:
Lines of defense:
1st - front-line employees with their roles and responsibilities with regards to their activities and applied internal controls and other risk responses.
2nd - organization’s compliance and risk functions providing independent oversight of the risk management activities of the first line of defense.
3rd - internal and external auditors who report independently to the senior management.
SME = Subject Matter Expert
Considering this information, there could be a conflict of interest if the same person does the risk assessment and the internal audit (an auditor cannot audit his own work). In this case, the conflict arises if this person is not doing the risk assessment according to the methodology, or if this job is not taking into account all the reasonable threats and vulnerabilities.
Regarding the organization's other processes, as long as you can evidence that the internal audit is performed in an unbiased and independent way, and that there is no conflict of interest between the audited processes and the audit team, there is no problem if someone performing a compliance or risk function performs the internal audit, even if he is not part of the organization (in this scenario the SME would be acting as a second-party auditor, which will not interfere with your certification process).
These articles will provide you further explanation about internal audits:
- Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/
- First-, Second- & Third-Party Audits, what are the differences? https://advisera.com/9001academy/blog/2015/02/24/first-second-third-party-audits-differences/
- ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
Nov 13, 2018