Writing Internal Audit Findings That Drive Improvement
The Anatomy of Findings That Actually Drive Change
After conducting hundreds of ISO 27001 internal audits, I've learned that finding problems is the easy part. Any competent auditor can walk through an organization and identify nonconformities. The real challenge—the one that separates auditors who drive genuine improvement from those who produce shelf-ware reports—is writing findings that survive management pushback and actually get fixed properly.
The dirty secret of internal auditing is that most findings are worthless. Not because they don't identify real issues, but because they're written in a way that guarantees they'll be contested, minimally addressed, or closed through cosmetic changes that leave the underlying problem untouched.
This isn't about diplomatic language or softening your message. It's about forensic precision in documenting what you found, why it matters, and what needs to happen next.
The Four Pillars of Audit-Proof Findings
Every finding that drives real improvement has four non-negotiable components. Miss any of them, and you've given management an escape hatch to avoid meaningful remediation.
The Unassailable Observation
Your observation must be specific enough that someone reading it six months later—a certification auditor, new CISO, or board member—can understand exactly what you found without your interpretation. This is raw evidence, not opinion.
Weak: "Risk assessments are not being conducted as required."
Strong: "Reviewed the information security risk register (Document ID: ISMS-RISK-001, version 2.3, dated 15 March 2024). The register contains 34 identified risks, of which 18 have not been reassessed since their initial entry between July 2022 and February 2023. Per interviews with the IT Manager on 20 June 2024, risk reassessment occurs 'when we have time' rather than following the documented annual cycle specified in ISMS-POL-003 Section 4.2. No evidence of risk assessment activity was available for the period January-June 2024."
The second observation is contestation-proof. It includes specific documents, dates, quantities, and direct quotes from interviews. Per Clause 9.2.2 of ISO 27001:2022, your internal audit must retain documented information as evidence of the audit results—this level of specificity is that evidence.
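The counts and date ranges in the strong observation above (34 risks, 18 not reassessed, entry dates between July 2022 and February 2023) are the kind of numbers an auditor should derive from the register extract rather than estimate. The following is an added example, not part of the original article or any real ISMS: it takes a constructed register extract, applies an assumed 365-day reassessment cycle standing in for a policy clause like ISMS-POL-003 Section 4.2, and returns the figures and a draft observation sentence. Risk IDs, dates and the `CYCLE_DAYS` value are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed annual reassessment cycle; stands in for whatever interval the
# organization's own procedure specifies.
CYCLE_DAYS = 365


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    entered: date                    # date the risk was first recorded
    last_reassessed: Optional[date]  # None = never reassessed since entry


# Constructed sample register extract (not a real register).
SAMPLE_REGISTER: List[RiskEntry] = [
    RiskEntry("R-01", date(2022, 7, 15), None),
    RiskEntry("R-02", date(2022, 11, 1), None),
    RiskEntry("R-03", date(2023, 2, 10), None),
    RiskEntry("R-04", date(2023, 9, 5), date(2024, 3, 15)),
    RiskEntry("R-05", date(2022, 8, 20), date(2023, 4, 12)),  # reassessed once, now stale
    RiskEntry("R-06", date(2024, 1, 10), None),               # new, within cycle
]


def last_assessment(entry: RiskEntry) -> date:
    """The initial entry counts as the first assessment."""
    return entry.last_reassessed or entry.entered


def overdue_risks(register: List[RiskEntry], as_of: date,
                  cycle_days: int = CYCLE_DAYS) -> List[RiskEntry]:
    """Entries whose most recent assessment is older than one cycle."""
    return [r for r in register if (as_of - last_assessment(r)).days > cycle_days]


def evidence_summary(register: List[RiskEntry], as_of_iso: str) -> Dict[str, object]:
    """Counts and date bounds the auditor can cite verbatim in the observation."""
    as_of = date.fromisoformat(as_of_iso)
    overdue = overdue_risks(register, as_of)
    never = [r for r in overdue if r.last_reassessed is None]
    summary: Dict[str, object] = {
        "total": len(register),
        "overdue": sorted(r.risk_id for r in overdue),
        "never_reassessed": sorted(r.risk_id for r in never),
        "oldest_assessment_days": max(
            ((as_of - last_assessment(r)).days for r in overdue), default=0),
    }
    if never:
        entered = [r.entered for r in never]
        summary["never_entered_between"] = (min(entered).isoformat(), max(entered).isoformat())
    return summary


def draft_observation(register: List[RiskEntry], as_of_iso: str) -> str:
    """Turn the summary into a sentence that states facts, not opinions."""
    s = evidence_summary(register, as_of_iso)
    overdue = s["overdue"]
    never = s["never_reassessed"]
    text = (f"As of {as_of_iso}, the register contains {s['total']} identified risks, "
            f"of which {len(overdue)} exceed the {CYCLE_DAYS}-day reassessment cycle")
    if never:
        lo, hi = s["never_entered_between"]
        text += (f"; {len(never)} have never been reassessed since their initial entry "
                 f"between {lo} and {hi}")
    return text + "."


if __name__ == "__main__":
    print(draft_observation(SAMPLE_REGISTER, "2024-06-20"))
```

Run against a real export, the same function also gives the auditor the oldest-assessment age in days, which is the number that belongs in the impact statement rather than a phrase like "for a long time".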
Ironclad Criteria References
Every finding needs a clear answer to "says who?" The criteria establish that this isn't personal preference—it's a requirement the organization committed to meeting. For ISO 27001:2022 audits, your criteria arsenal includes:
- Clause references: Direct requirements from the standard (e.g., Clause 8.1 for operational planning, Clause 6.1.2 for risk assessment)
- Annex A controls: Specific security controls (e.g., Control 5.15 for access control, Control 8.9 for configuration management)
- Internal policies and procedures: The organization's own documented requirements
- Cross-standard requirements: Where applicable, related standards like ISO 27017 for cloud services or ISO 27018 for PII protection
For the risk assessment finding above, your criteria might reference: "Clause 6.1.2(c) requires that information security risk assessments be performed at planned intervals or when significant changes occur. The organization's documented procedure ISMS-POL-003 Section 4.2 specifies annual reassessment of all identified risks."
Business-Relevant Risk Impact
Connect your finding to actual business consequences, not abstract compliance concerns. Those 18 unassessed risks aren't just a policy violation—they represent potential threats that may have evolved in severity or likelihood over 18+ months without management awareness.
ISO/IEC TS 27008:2019 emphasizes that assessment findings should help organizations "identify and understand the potential organizational impacts of inadequately mitigated information security threats and vulnerabilities." Your impact statement should do exactly that.
Outcome-Focused Requirements
Specify the required outcome, not the solution. Prescribing specific fixes is where auditors overstep and where findings get contested. Require that outdated risk assessments be current and that the documented reassessment cycle be followed—how management achieves that is their prerogative.
The Evidence Problem: Why Specificity Matters
I once reviewed an internal audit finding at a financial services firm that simply stated "inadequate incident response procedures." When I asked what specifically was inadequate, neither the original auditor nor the CISO could explain. The finding had been "closed" by adding two paragraphs to the incident response procedure—paragraphs that addressed nothing specific because the finding specified nothing.
Weak evidence creates weak findings, and weak findings enable superficial fixes.
Pro tip: Use the "handover test"—could another auditor pick up your working papers and understand exactly what you found without additional explanation? If not, your documentation isn't specific enough.
Your observations must include:
- Specific documents, systems, or records examined (with version numbers and dates)
- Exact quantities, timeframes, and dates
- Direct quotes from interviews, policies, or procedures
- Clear distinction between what you observed directly versus what you were told
- Reference to specific evidence samples from your testing
Control-Specific Finding Frameworks
Different types of controls require different evidence approaches. Here's how to structure findings for common control categories:
Access Control Findings (Controls 5.15-5.18)
For access management issues, your evidence should include system queries, user account lists, and privilege assignments. A robust finding might reference: "Extracted user account data from the production ERP system on [date]. Analysis identified 23 accounts with administrative privileges, including 7 accounts belonging to users whose employment terminated between 8 and 24 months ago (detailed in Appendix A). This violates Control 5.15 requirements for access rights management and the organization's User Access Policy Section 3.4 requirement for immediate access revocation upon termination."
Asset Management Findings (Controls 5.9-5.14)
Asset-related findings require clear inventory discrepancies or classification issues. Strong evidence includes: "Performed physical verification of 127 IT assets listed in the asset register (ISMS-INV-2024-Q2). Identified 34 devices physically present but not recorded in the register, and 18 devices listed as 'in use' that could not be located. This indicates incomplete asset inventory as required by Control 5.9."
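The two numbers in that asset finding (devices present but unrecorded, devices listed "in use" but not located) come from reconciling the register against the physical verification sheet. Below is an added example of that reconciliation; it is not the article's or any organization's code. The register rows, asset tags and the status vocabulary are constructed, and the tag normalization reflects an assumption that real registers mix casing and whitespace in tags, which would otherwise produce false discrepancies.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class RegisterRow:
    asset_tag: str
    status: str  # e.g. "in use", "in storage", "retired"


# Constructed sample register extract and physical verification results.
SAMPLE_REGISTER: List[RegisterRow] = [
    RegisterRow("LT-0001", "in use"),
    RegisterRow("LT-0002", "in use"),
    RegisterRow("lt-0003", "In Use"),   # same asset, inconsistent casing in the register
    RegisterRow("LT-0004", "retired"),  # recorded as retired, still found on the floor
    RegisterRow("SV-0100", "in use"),
    RegisterRow("SV-0102", "in storage"),
]
SAMPLE_LOCATED: List[str] = [
    "LT-0001", "LT-0003", "LT-0004", "LT-0009", "SV-0100", " sv-0101 ",
]


def normalize_tag(tag: str) -> str:
    """Assumed convention: tags are compared case- and whitespace-insensitively."""
    return tag.strip().upper()


def reconcile(register: Iterable[RegisterRow], located: Iterable[str]) -> Dict[str, object]:
    """Compare the register with what was physically located during verification."""
    reg: Dict[str, str] = {normalize_tag(r.asset_tag): r.status.strip().lower() for r in register}
    found = {normalize_tag(t) for t in located}
    in_use = {tag for tag, status in reg.items() if status == "in use"}
    return {
        # devices physically present but absent from the register
        "unrecorded_present": sorted(found - reg.keys()),
        # devices recorded as in use that could not be located
        "in_use_not_located": sorted(in_use - found),
        # devices recorded as retired that were nevertheless found
        "retired_but_present": sorted(t for t in found & reg.keys() if reg[t] == "retired"),
        "in_use_located": len(in_use & found),
        "in_use_total": len(in_use),
        "register_total": len(reg),
    }


def draft_observation(register: Iterable[RegisterRow], located: Iterable[str]) -> str:
    """Evidence sentence in the shape the article recommends."""
    r = reconcile(register, located)
    return (f"Performed physical verification against {r['register_total']} register entries. "
            f"Identified {len(r['unrecorded_present'])} devices physically present but not recorded, "
            f"{len(r['in_use_not_located'])} devices listed as 'in use' that could not be located, "
            f"and {len(r['retired_but_present'])} devices recorded as retired but still present.")


if __name__ == "__main__":
    print(draft_observation(SAMPLE_REGISTER, SAMPLE_LOCATED))
```

The `retired_but_present` bucket is not in the article's example sentence, but it is the same kind of discrepancy and usually matters more, since a device recorded as retired has typically dropped out of patching and monitoring scope.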
Configuration Management Findings (Control 8.9)
Technical configuration issues need specific system states or setting discrepancies. Effective findings reference actual configuration files, settings screens, or vulnerability scan results with clear benchmarks from your organization's hardening standards.
What Auditors Really Look For
Having been on both sides of the audit table, here's what external auditors examine when reviewing your internal audit findings:
- Evidence traceability: Can they follow your evidence trail from observation to conclusion?
- Sampling adequacy: Is your sample size appropriate for the finding scope?
- Criteria validity: Are your referenced requirements current and applicable?
- Risk proportionality: Does the finding severity match the actual business impact?
- Closure verification: Can the corrective action be objectively verified?
External auditors particularly scrutinize findings where organizations claim "no significant issues." Weak internal audit findings suggest either ineffective internal auditing (a Clause 9.2 nonconformity) or management interference in the audit process.
The Corrective Action Test
Before finalizing any finding, apply this test: Could this finding be closed without actually fixing the underlying problem? If yes, rewrite it.
Consider these two approaches to the same access control issue:
Closeable finding: "User access controls need improvement."
Superficial fix: Update the access control policy document.
Audit-proof finding: "Seven terminated employee accounts retain administrative access to production systems 8-24 months post-termination, creating ongoing unauthorized access risk. Require: (1) immediate disabling of identified orphaned accounts, and (2) implementation of automated account deprovisioning tied to HR termination processes to prevent recurrence."
The second version requires demonstrable action—accounts must be disabled and processes must be implemented. The organization can't paper over this finding with a policy update.
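Both the access control finding earlier on this page (7 of 23 administrative accounts belonging to staff terminated 8 to 24 months ago) and the audit-proof finding just above rest on the same piece of evidence: an account export reconciled against HR termination records. The following added example, which is not from the article or any real system, performs that reconciliation and produces the figures the finding cites. Usernames, dates and the privilege labels are constructed; the month arithmetic and the case-insensitive username matching are assumptions about how such data typically looks.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    privilege: str  # "admin" or "standard"
    enabled: bool


# Constructed sample account export (no real system) and HR termination feed.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("jsmith", "admin", True),
    Account("MLee", "admin", True),          # casing differs from the HR record
    Account("rkhan", "standard", True),
    Account("dchen", "admin", False),        # terminated but already disabled
    Account("asingh", "admin", True),        # current employee
    Account("svc_backup", "admin", True),    # service account, not in HR at all
]
SAMPLE_TERMINATIONS: Dict[str, str] = {
    "jsmith": "2023-09-30",
    "mlee": "2022-06-15",
    "rkhan": "2024-05-31",
    "dchen": "2023-01-20",
}


def months_between(start: date, end: date) -> int:
    """Whole calendar months from start to end (assumed convention for the finding)."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:
        months -= 1
    return months


def orphaned_accounts(accounts: List[Account], terminations: Dict[str, str],
                      as_of_iso: str) -> List[Tuple[str, str, int]]:
    """Enabled accounts whose owner HR records as terminated, newest last."""
    as_of = date.fromisoformat(as_of_iso)
    term = {u.lower(): date.fromisoformat(d) for u, d in terminations.items()}
    result = []
    for a in accounts:
        t = term.get(a.username.lower())
        if t is None or not a.enabled:
            continue  # active employee, service account, or already deprovisioned
        result.append((a.username, a.privilege, months_between(t, as_of)))
    return sorted(result, key=lambda r: -r[2])


def admin_orphans(accounts: List[Account], terminations: Dict[str, str],
                  as_of_iso: str) -> List[Tuple[str, str, int]]:
    return [r for r in orphaned_accounts(accounts, terminations, as_of_iso) if r[1] == "admin"]


def finding_numbers(accounts: List[Account], terminations: Dict[str, str],
                    as_of_iso: str) -> Dict[str, object]:
    """The quantities an auditor quotes: admin total, orphaned admins, age range."""
    admins = [a for a in accounts if a.privilege == "admin"]
    orphans = admin_orphans(accounts, terminations, as_of_iso)
    ages = [m for _, _, m in orphans]
    return {
        "admin_total": len(admins),
        "admin_orphaned": len(orphans),
        "months_range": (min(ages), max(ages)) if ages else None,
        "usernames": [u for u, _, _ in orphans],
    }


if __name__ == "__main__":
    print(finding_numbers(SAMPLE_ACCOUNTS, SAMPLE_TERMINATIONS, "2024-06-20"))
```

The same reconciliation, run on a schedule against a live HR feed and fed into a disable action, is essentially the detective half of the "automated account deprovisioning tied to HR termination processes" that the audit-proof finding requires; the point of the finding is that the organization must show this running, not describe it in a policy.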
Beyond the Big Four: Common Mistakes That Kill Findings
The Opinion Trap: Phrases like "appears to be," "seems inadequate," or "could be improved" signal opinion, not evidence. State facts: "The backup verification log shows 14 failed backup attempts in the past 30 days with no documented resolution actions."
The Solution Prescription: Don't specify technical solutions. Require outcomes instead. Say "ensure all servers have current security patches" rather than "implement automated patch management system X."
The Compliance-Only Impact: Findings that only cite compliance violations miss the business impact. Always connect to operational risk, data protection, or business continuity concerns.
The Vague Timeline: "Soon," "timely," or "as soon as possible" aren't requirements. Either specify exact dates or tie corrective actions to business cycles: "before the next quarterly risk assessment" or "within one complete patch cycle."
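The four mistakes above, together with the "handover test" earlier on the page, are mechanical enough to check before a finding leaves the auditor's desk. The following added example is a small finding linter; it is not the article's own tool, and the phrase lists, the regular expressions for criteria references and dates, and the two sample findings are all constructed. It flags opinion language and vague timelines and reports when a finding carries no criteria reference, no evidence date or no quantities.

```python
import re
from typing import List

# Opinion and vagueness markers, as the article describes them (constructed lists).
OPINION_PATTERNS = [
    r"appears?\s+to\s+be", r"\bseems?\b", r"could\s+be\s+improved", r"\bmay\s+be\b",
]
VAGUE_TIMELINE_PATTERNS = [
    r"as\s+soon\s+as\s+possible", r"\basap\b", r"\bsoon\b", r"\btimely\b", r"in\s+due\s+course",
]

# A clause/control number, or an internal document ID in the assumed AAA-BBB-000 shape.
CRITERIA_RE = re.compile(r"\b(?:Clause|Control)\s+\d+(?:\.\d+)*|\b[A-Z]{2,}-[A-Z]{2,}-\d{3,}\b")
MONTHS = ("January|February|March|April|May|June|July|August|September|"
          "October|November|December")
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}\s+(?:" + MONTHS + r")\s+\d{4}\b")
QUANTITY_RE = re.compile(r"\b\d+\b")


def lint_finding(text: str) -> List[str]:
    """Return a list of problems; an empty list means the finding passed every check."""
    issues: List[str] = []
    lower = text.lower()
    # Longer phrases first so "as soon as possible" is not also reported as "soon".
    for label, patterns in (("opinion language", OPINION_PATTERNS),
                            ("vague timeline", VAGUE_TIMELINE_PATTERNS)):
        for pat in patterns:
            m = re.search(pat, lower)
            if m:
                issues.append(f"{label}: '{m.group(0)}'")
                lower = re.sub(pat, " ", lower)
    if not CRITERIA_RE.search(text):
        issues.append("no criteria reference (Clause/Control number or policy ID)")
    if not DATE_RE.search(text):
        issues.append("no evidence date")
    if not QUANTITY_RE.search(text):
        issues.append("no quantities")
    return issues


# Constructed sample findings, one weak and one in the article's recommended shape.
WEAK_SAMPLE = "User access controls appear to be inadequate and should be improved soon."
STRONG_SAMPLE = (
    "On 2024-06-20, extraction of the production ERP user list showed 23 accounts with "
    "administrative privileges, of which 7 belong to employees whose termination HR recorded "
    "between 8 and 24 months earlier (Appendix A). This does not meet Control 5.18 or the "
    "User Access Policy section 3.4. Require that the 7 accounts be disabled before 2024-07-05 "
    "and that deprovisioning be linked to HR termination records within one full "
    "joiner-mover-leaver cycle."
)


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("strong", STRONG_SAMPLE)):
        print(name, lint_finding(sample) or "passes")
```

A clean result from this check does not make a finding good; it only removes the wording that invites an easy contest. The evidence behind the numbers still has to exist in the working papers.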
Building Your Evidence Arsenal
Effective findings require multiple evidence types. Build your case with:
- Documentary evidence: Policies, procedures, logs, reports, configuration files
- Physical evidence: System screenshots, asset photos, facility observations
- Testimonial evidence: Interview notes with specific quotes and attributions
- Analytical evidence: Your analysis of gaps between requirements and reality
Per ISO/IEC TS 27008:2019 guidance on control assessments, evidence should be "appropriately recent and valid" for the systems and controls in scope. Include evidence collection dates and ensure your findings reflect current conditions, not historical states that may have been remediated.
The Management Response Dynamic
Remember that your findings will face management scrutiny. Strong findings acknowledge legitimate business constraints while maintaining clear requirements. Include phrases like "recognizing current resource constraints" or "considering the planned system replacement timeline" when appropriate, but don't water down your requirements.
Effective internal audit findings create a paper trail that external auditors, board members, and regulators can follow. They demonstrate that your ISMS has effective monitoring and continuous improvement mechanisms—core requirements of Clauses 9 and 10 in ISO 27001:2022.
The goal isn't to be adversarial with management—it's to create findings so well-documented and clearly justified that the path to genuine improvement becomes obvious and unavoidable.
Need help developing robust internal audit processes for your ISO 27001 implementation? Connect with experienced practitioners and access additional resources through the IX ISO 27001 Info Hub or explore our comprehensive guides on ISO27001-hub.com.
Need personalized guidance? Reach our team at ix@isegrim-x.com.