Expert Advice Community


Question about auditors

Guest user Created:   Jan 06, 2021 Last commented:   Jan 06, 2021


1. Does the external auditor need to sit privately with the internal auditor and see his IA plan and its IA report and verify all his findings?

2. Does the external auditor have a commitment and or obligation to verify his findings and corrective actions taken? Or simply look into his plans and its final report.

3. It’s well known that IA is not fully impartial and his IA report might not be a bit biased and or impacted by his senior management if he/she is not independently reporting to the highest authority?

4. Can the Internal audit out of transparency disclose any Nonconformities to the external auditor and or anything that the external auditor himself can not find during his short visit?

Thanks in anticipation and appreciate your support.


Expert
Rhand Leal Jan 06, 2021

1. Does the external auditor need to sit privately with the internal auditor and see his IA plan and its IA report and verify all his findings?

The external auditor does not need to sit privately with the internal auditor to perform the audit if he can use any other methods to find needed evidence to confirm that the internal audit is performed according to the standard.

Regarding the internal audit findings, the external auditor can work with a sample, provided this sample can provide enough confidence that the process is being performed according to the standard's requirements.

2. Does the external auditor have a commitment and or obligation to verify his findings and corrective actions taken? Or simply look into his plans and its final report.

ISO 27001 requires the verification not only of internal audit plans and results (clause 9.2) but also of the results of any corrective action taken (clause 10.1), so corrective actions taken as a result of internal audits need to be verified by the external auditor (again, this verification can be performed over a sample). 

3. It’s well known that IA is not fully impartial and his IA report might not be a bit biased and or impacted by his senior management if he/she is not independently reporting to the highest authority?

In fact, problems of conflict of interest and impartiality can occur, but to be compliant with ISO 27001 an organization needs to ensure objectivity and impartiality from internal auditors and that these are reported to relevant management (clauses 9.2 e) and 9.2 f)), and the external auditor should verify the fulfillment of these clauses. 

4. Can the Internal audit out of transparency disclose any Nonconformities to the external auditor and or anything that the external auditor himself can not find during his short visit?

Members of an organization can provide additional information for an external auditor if they think this can improve the results of the external audit and help improve the organization, but in general disclosure of such information needs to be aligned upfront between auditees and the organization’s top management (normally disclosure of such information without previous alignment can lead to disciplinary process). 

These materials will also help you regarding audits:
