Internal and External Audits and Evidence
Key Takeaways
- Internal audits are performed by or for the organization to assess controls before external scrutiny.
- External audits are performed by independent parties and may support regulatory, customer, or contractual obligations.
- Audit evidence should be relevant, reliable, complete, and tied to the control objective.
- Auditors commonly sample tickets, logs, configurations, reports, approvals, and exception records.
- A finding should include condition, criteria, cause, risk, and corrective action.
An audit evaluates whether controls meet a requirement and operate as expected. The requirement may come from law, regulation, contract, framework, policy, or management directive. Audits are not the same as penetration tests. An audit asks whether required controls exist and can be evidenced. A penetration test tries to find exploitable weaknesses under agreed rules.
Internal vs External Audits
| Audit type | Performed by | Common purpose | Example |
|---|---|---|---|
| Internal audit | Internal audit team or hired party working for management | Find gaps before external review and improve controls | Review privileged access process before renewal season |
| External audit | Independent outside auditor | Provide assurance to regulators, customers, or partners | Annual control audit required by a customer contract |
| Compliance audit | Internal or external | Test against specific obligations | Confirm incident notification and access review requirements |
| Operational audit | Internal or external | Improve process efficiency and control operation | Review why deprovisioning tickets are late |
Independence matters. An administrator can provide evidence, but in an independent audit the administrator should not be the one judging whether their own control is effective.
Evidence Examples
| Control objective | Useful evidence | Weak evidence |
|---|---|---|
| New user access is approved | Access request tickets with approver, role, date, and fulfillment log | A screenshot of the login page |
| Firewalls are reviewed quarterly | Review meeting record, rule export, decisions, change tickets | A statement that the firewall is important |
| Backups are tested | Restore test results, date, scope, failures, and signoff | Backup product brochure |
| Security logs are retained | SIEM retention settings, storage policy, sample event search | A policy with no system evidence |
| Exceptions are managed | Exception register with owner, expiration, and approval | An informal chat message |
Auditors often use sampling. If the period is January through March, they may select a sample of users created during that period and ask for matching approvals. The auditor, not the control owner, should select the sample from a complete population listing, and an approval dated after the account was created does not satisfy the control. If two sampled items fail, the auditor may expand the sample or issue a finding.
Audit Finding Scenario
An external auditor tests 25 terminated employees. Four accounts were disabled late, and two had active VPN tokens after the directory account was disabled. The policy requires all access to be removed within 24 hours.
A useful finding includes:
- Condition: Six sampled users had incomplete or late deprovisioning.
- Criteria: Company policy requires removal within 24 hours.
- Cause: VPN token revocation was not included in the automated leaver workflow.
- Risk: Former personnel could retain remote access.
- Corrective action: Add VPN token revocation, daily reconciliation, and exception alerting.
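The daily reconciliation named in the corrective action, as an added example that is not part of the original page. It joins the HR leaver list against directory status and VPN token state, measures each disable time against the 24-hour requirement, and emits one exception row per user with every issue found, which is the raw material for the finding's condition. The HR, directory, and token records are constructed; a real reconciliation would pull them from the systems of record.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=24)  # policy requirement from the scenario: all access removed within 24 hours

# Constructed sample records (not from any real system).
HR_LEAVERS = {  # user -> termination effective time from the HR system of record
    "jsmith": datetime(2024, 3, 4, 17, 0),
    "mlee": datetime(2024, 3, 5, 9, 0),
    "rkhan": datetime(2024, 3, 6, 12, 0),
    "tgarcia": datetime(2024, 3, 7, 18, 0),
}
DIRECTORY = {  # user -> directory account state
    "jsmith": {"enabled": False, "disabled_at": datetime(2024, 3, 4, 18, 30)},
    "mlee": {"enabled": False, "disabled_at": datetime(2024, 3, 8, 10, 0)},  # disabled late
    "rkhan": {"enabled": True, "disabled_at": None},                         # never disabled
    "tgarcia": {"enabled": False, "disabled_at": datetime(2024, 3, 8, 9, 0)},
}
VPN_TOKENS = {  # user -> token records; tokens live outside the directory and need their own revocation
    "jsmith": [{"serial": "T-1001", "active": False}],
    "mlee": [{"serial": "T-1002", "active": True}],
    "rkhan": [],
    "tgarcia": [{"serial": "T-1003", "active": False}, {"serial": "T-1004", "active": True}],
}


def hours(delta):
    """Whole hours in a timedelta."""
    return delta // timedelta(hours=1)


def reconcile(leavers, directory, tokens, now, sla=SLA):
    """Return one exception row per leaver whose access was not fully removed within the SLA."""
    exceptions = []
    for user, terminated_at in sorted(leavers.items()):
        issues = []
        entry = directory.get(user)
        if entry is None:
            issues.append("no directory record")
        elif entry["enabled"] or entry["disabled_at"] is None:
            # Still enabled: the clock is still running, so measure against now.
            issues.append(f"account still enabled ({hours(now - terminated_at)}h after termination)")
        elif entry["disabled_at"] - terminated_at > sla:
            issues.append(f"disabled late ({hours(entry['disabled_at'] - terminated_at)}h)")
        # Token revocation is checked independently of the directory state,
        # because that is exactly the step the scenario's workflow missed.
        for token in tokens.get(user, []):
            if token["active"]:
                issues.append(f"VPN token {token['serial']} still active")
        if issues:
            exceptions.append({"user": user, "terminated": terminated_at.isoformat(), "issues": issues})
    return exceptions


def summarize(exceptions):
    """Counts that map onto the finding's condition statement."""
    late = sum(1 for e in exceptions if any(i.startswith(("disabled late", "account still enabled")) for i in e["issues"]))
    orphaned = sum(1 for e in exceptions if any("token" in i for i in e["issues"]))
    return {"users_with_exceptions": len(exceptions), "late_or_open_accounts": late, "users_with_active_tokens": orphaned}


if __name__ == "__main__":
    rows = reconcile(HR_LEAVERS, DIRECTORY, VPN_TOKENS, now=datetime(2024, 3, 9, 8, 0))
    for row in rows:
        print(row)
    print(summarize(rows))
```

Running the reconciliation daily and alerting on any non-empty result is the "exception alerting" from the corrective action; keeping the daily output is also the operating evidence the auditor will ask for at the next review.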
Evidence Handling
Audit evidence may contain sensitive information. Screenshots, exports, logs, and tickets should be shared through approved channels, minimized to the audit need, and protected from unnecessary disclosure. Redaction may be appropriate when the evidence contains passwords, secrets, personal data, or unrelated customer information.
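One way to redact a log export before sharing it, as an added example that is not part of the original page. Secrets, bearer tokens, e-mail addresses, and IP addresses are replaced with fixed markers while the rest of each line, including timestamps and event structure, is left intact, and a manifest records hashes of the original and redacted files plus the number of replacements, so the auditor can see exactly what was changed and the control owner can later prove the redacted copy derives from the original. The pattern list and the sample log lines are constructed for illustration, and the manifest format is an assumed design, not a standard.

```python
import hashlib
import re

# Illustrative patterns for values that should not leave the environment in
# evidence. Constructed list; tune it to the systems actually being audited.
REDACTIONS = [
    (re.compile(r"(?i)(password|passwd|pwd)=\S+"), r"\1=[REDACTED]"),
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[REDACTED-EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[REDACTED-IP]"),
]

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2024-03-05T09:12:44Z sshd[2211]: Accepted publickey for svc-backup from 10.20.30.40 port 51022
2024-03-05T09:13:02Z app[77]: login ok user=jsmith@example.com password=Hunter2!
2024-03-05T09:13:09Z proxy[9]: GET /api/export Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc
2024-03-05T09:14:51Z sshd[2211]: Disconnected from 10.20.30.40
"""


def redact_line(line):
    """Apply every pattern to one line; return the redacted line and the replacement count."""
    total = 0
    for pattern, replacement in REDACTIONS:
        line, n = pattern.subn(replacement, line)
        total += n
    return line, total


def prepare_evidence(raw_text):
    """Redact a text export and produce a manifest tying the redacted copy to the original."""
    redacted_lines = []
    count = 0
    for line in raw_text.splitlines():
        out, n = redact_line(line)
        redacted_lines.append(out)
        count += n
    redacted = "\n".join(redacted_lines) + "\n"
    manifest = {
        "original_sha256": hashlib.sha256(raw_text.encode()).hexdigest(),
        "redacted_sha256": hashlib.sha256(redacted.encode()).hexdigest(),
        "line_count": len(redacted_lines),  # line count is unchanged: redaction never drops lines
        "redaction_count": count,
    }
    return redacted, manifest


if __name__ == "__main__":
    text, manifest = prepare_evidence(SAMPLE_LOG)
    print(text)
    print(manifest)
```

Redacting values in place, rather than cropping or deleting lines, is what keeps the evidence reliable: the auditor can still follow the sequence of events and match timestamps to tickets, and the original hash lets the organization demonstrate that nothing else was altered.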
Common Traps
- Providing policies when the auditor asks for operating evidence.
- Producing evidence outside the audit period.
- Editing screenshots in a way that destroys reliability.
- Forgetting exceptions and failed samples.
- Treating an internal self-assessment as independent external assurance.
- Ignoring remediation after an audit finding is issued.