1. Can the same person who manages ISMS for the organisation do the internal audit? Is there a conflict of interest?
2. Does the internal auditor need to be technical in IT? Where system security applications are stated in the policies/procedures, does the internal auditor need to verify their functionality/effectiveness, or only need to view documented materials? In other words, does the auditor need to test the system for validity?
3. Can an internal audit be carried out in stages over different timeframes, or must it be done in one process?