Study Document 06

Audit concepts and auditor responsibilities.

A lead auditor guide to audit types, principles, behaviour, independence, confidentiality, competence, evidence collection, findings, and role responsibilities during ISO 27001 audits.

Core idea

An audit is systematic, independent, and evidence-based.

For exam scenarios, the best answer is usually the one that respects audit scope and criteria, gathers verifiable evidence, stays impartial, and avoids personal judgement or blame.

  • 3: Main audit types: first-party, second-party, and third-party.
  • 7: Commonly tested audit principles for professional judgement.
  • FVRR: Objective evidence should be fact-based, verifiable, reliable, and relevant.

Audit types

Know who is auditing whom, and why.

Questions often test whether the audit is internal, supplier/customer driven, or independent certification related. The audit objective and independence expectations change with the audit type.

First-party
  Meaning: Internal audit conducted by or for the organization.
  Typical ISO 27001 example: Internal ISMS audit before Stage 2 certification or surveillance.

Second-party
  Meaning: Audit of a supplier or provider by a customer or interested party.
  Typical ISO 27001 example: Customer audits an outsourced SOC, cloud provider, or managed service supplier.

Third-party
  Meaning: Independent audit performed for certification or formal assurance.
  Typical ISO 27001 example: Certification body audits an organization against ISO/IEC 27001 requirements.

Audit principles

Use principles when the scenario is ambiguous.

When several answers seem possible, choose the option that best protects impartiality, evidence quality, confidentiality, and audit objective.

1. Integrity: Act honestly, responsibly, and professionally throughout the audit.
2. Fair presentation: Report audit activities, findings, and conclusions accurately.
3. Due care: Apply diligence, judgement, and care appropriate to audit importance.
4. Confidentiality: Protect information obtained during the audit and use it properly.
5. Independence: Remain impartial and avoid conflicts of interest where possible.
6. Evidence-based: Base conclusions on verifiable evidence, not assumption or hearsay.
7. Risk-based: Focus audit effort on matters that affect audit objectives and risk.

Key audit terms

Separate criteria, evidence, findings, and conclusions.

Many exam answers are wrong because they confuse the requirement being tested with the evidence collected or the finding raised from that evidence.

Audit criteria
  Meaning: The requirement used to judge conformity.
  Examples: ISO 27001 clause, policy, procedure, contract, legal requirement.
  Exam clue: Ask: compared against what?

Audit evidence
  Meaning: Verifiable information collected during the audit.
  Examples: Records, logs, observation, interview statement, system configuration.
  Exam clue: Ask: what proves it?

Audit finding
  Meaning: Result of comparing evidence with criteria.
  Examples: Conformity, nonconformity, observation, opportunity for improvement.
  Exam clue: Ask: does the evidence meet the criteria?

Audit conclusion
  Meaning: Overall outcome after considering objectives and findings.
  Examples: Recommendation, confidence level, or readiness conclusion.
  Exam clue: Ask: what does the audit team conclude?

Audit process

Follow the audit flow from initiation to follow-up.

Use this flow to answer sequence questions and scenario questions about what an auditor should do next.

Initiate the audit

Confirm objective, scope, criteria, feasibility, audit team, independence, confidentiality needs, and logistics.

Prepare audit activities

Review documents, prepare plan, assign work, create checklists, identify risk areas, and confirm communication.

Conduct the audit

Hold the opening meeting; collect evidence by interview, document review, and observation; sample records; and keep audit notes.

Prepare findings

Compare evidence with criteria, agree finding wording within the audit team, and classify nonconformities consistently.

Report and close

Present conclusions clearly, conduct the closing meeting, issue the audit report, and communicate required actions.

Follow up

Review correction, root cause, corrective action, evidence of implementation, and effectiveness before closure.

Responsibilities

Different roles have different accountability.

Lead auditor exam questions often test whether an action belongs to the auditor, lead auditor, auditee, audit client, or certification body.

Auditor

  • Prepare assigned audit areas.
  • Collect objective evidence.
  • Interview professionally.
  • Record accurate notes.
  • Report findings to the lead auditor.

Lead auditor

  • Plan and manage the audit.
  • Assign team roles.
  • Lead opening and closing meetings.
  • Review finding consistency.
  • Approve report conclusions.

Auditee

  • Provide access to people, records, locations, and systems.
  • Explain processes.
  • Support sampling.
  • Respond to nonconformities.
  • Implement corrective action.

Audit client

  • Requests or commissions the audit.
  • Confirms objectives and scope.
  • Receives audit results where appropriate.
  • Ensures follow-up responsibilities are clear.

Auditor behaviour

Professional behaviour protects audit credibility.

Auditors should be ethical, open-minded, diplomatic, observant, perceptive, versatile, tenacious, decisive, and self-reliant while remaining within audit scope.

Independence

Avoid auditing your own work.

If independence is limited, disclose it, manage impartiality risk, and use team review where needed.

Confidentiality

Protect audit information.

Do not disclose records, screenshots, vulnerabilities, supplier information, or personal data outside authorized channels.

Competence

Match skills to audit scope.

Competence includes audit method, ISO 27001 knowledge, ISMS context, technical awareness, and sector understanding.

Communication

Be clear and respectful.

Ask open questions, listen carefully, avoid blame, confirm understanding, and keep findings evidence-based.

Common mistakes

Typical wrong audit actions.

  • Giving consulting advice during a certification audit instead of reporting evidence-based findings.
  • Raising a nonconformity without clear criteria and objective evidence.
  • Using a checklist as a script and missing process interactions.
  • Accepting verbal claims without corroborating evidence where records should exist.
  • Disclosing sensitive audit information outside the audit arrangement.
  • Auditing a process where the auditor has responsibility or conflict of interest.

Exam technique

Choose the professional audit response.

  • If evidence is insufficient, collect more evidence before concluding.
  • If scope is unclear, clarify with the lead auditor or audit client.
  • If auditee disagrees, explain evidence and criteria calmly; do not argue personally.
  • If confidential information is found, protect it and follow agreed reporting channels.
  • If a serious issue appears outside scope, escalate through the lead auditor rather than ignoring it.

Quick memory aid

Criteria is the requirement. Evidence is what you collect. Finding is the comparison. Conclusion is the audit team's overall judgement. A strong auditor stays independent, confidential, risk-aware, and evidence-based.

Use note

This is a KISCyber learner guide.

This page is an original training summary using user-provided ISO 19011 audit guidance and ISO 27001 Lead Auditor study materials as references. Always use the authorised standard, official course material, and current exam provider guidance when preparing for certification.