I am managing an ISMS, and as per the standard and as part of continual improvement I have to perform an internal audit of the ISMS. An internal audit department is performing the internal audit. I need clarification on when an auditor can raise an NCR (Minor) and when he can raise an Observation. Suppose I say that since I am certified by an external auditor and I have passed a certification audit by complying with all the mandatory requirements of ISO 27001, you cannot raise an NCR for my ISMS but can only raise an Observation.
So am I correct, or can the internal auditor still raise an NCR for me?