Internal Audit is one of the main instruments used to measure information security process performance, compliance and effectiveness. Effective Internal Audit is one of the most basic factors used in the continuous improvement of information security. An effective internal audit means an effective Information Security Management System.

We have compiled for you the elements that should be considered in order to conduct an effective internal audit:

• The scope of the audit should be well defined, planned in accordance with the scope and shared with the relevant parties in a reasonable time before the audit.
• The internal auditor should be independent of the unit being audited.
• The Internal Auditor should have the necessary certification and knowledge.
• Previous audit findings and observations should be reviewed prior to the audit.
• The audit question list should be prepared, but the scope should not be limited to the audit question list.
• The opening meeting should be held with the participation of all concerned.
• It should be stated that the audit is not an individual performance control, but an activity to identify the areas that are open to improvement in the system, and it should be acted accordingly throughout the audit.
• Any information received during the audit should be noted. (Names of interviewees, events, inconveniences…etc.)
• It should be ensured that concrete and objective evidence is presented to the audit.
• Audit evidence and findings ID, number, date etc. must contain distinctive information
• A closing meeting should be held with the participation of all concerned.
• Detected findings should not be reported without holding an anthem with the person concerned.
• Root cause analysis of the detected findings should be done.
• Plans should be requested to close the detected findings in a reasonable time and the action plans presented should be checked periodically.
• Internal audit results should constitute input to YGG meetings.