Question: Are internal and external audits planned, executed, and tracked to closure?
Why This Matters
Audits verify implementation and uncover blind spots. Systematic planning and closure tracking ensure findings drive improvement.
Maturity
0 — Unaware
No formal audit plan or schedule.
1 — Ad Hoc
Audits conducted sporadically.
2 — Defined
Annual audit plan with defined scope and responsibility.
3 — Managed
Findings tracked to closure with evidence.
4 — Integrated
Audit outcomes inform risk and training updates.
5 — Optimized
Automated audit scheduling and analytics on findings.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Document audits performed in the past year. |
| 1 → 2 | Publish formal audit calendar. |
| 2 → 3 | Implement Corrective and Preventive Action (CAPA) tracking for findings, with an owner, due date and closure evidence per finding. |
| 3 → 4 | Review findings in risk committee meetings. |
| 4 → 5 | Automate reminders and trend dashboards. |
Enablers
- People: Internal Auditor, CISO, Management Representative
- Process: Plan → Execute → Report → CAPA → Verify
- Technology: GRC or audit-tracking system
Evidence
- Audit plan and reports
- CAPA log and closure proof
- Meeting minutes of management review
KPIs
- Number of audits completed per year
- Percentage of findings closed on time
- Average closure duration
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Tracking | Airtable / Odoo | CAPA and status |
| Scheduling | Google Calendar | Reminders |
| Dashboards | Metabase | Finding analytics |
Common Pitfalls
- Audit plan approved but not executed
- Findings repeated year after year
- No evidence of closure
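The three KPIs above and the three pitfalls are easy to compute once the CAPA log is structured. The script below is an added example (not from this page or the NIRMATA framework) over a constructed audit plan and CAPA log; the field names, audit IDs and control names are assumptions for illustration, and the same logic would run over an export from Airtable, Odoo or a GRC tool.

```python
"""CAPA-log KPIs and pitfall checks. Added example with constructed data."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Audit:
    audit_id: str
    year: int                     # year the audit was planned for
    executed_on: Optional[date]   # None if planned but never performed


@dataclass(frozen=True)
class Finding:
    finding_id: str
    audit_id: str
    control: str                  # control/area the finding is raised against
    opened: date
    due: date
    closed: Optional[date]        # None while still open
    evidence: Optional[str]       # reference to closure proof (ticket, document)


# Constructed sample data, not taken from any real audit programme.
AUDITS: List[Audit] = [
    Audit("A-2023-01", 2023, date(2023, 4, 2)),
    Audit("A-2024-01", 2024, date(2024, 3, 28)),
    Audit("A-2024-02", 2024, None),            # approved but never executed
]
FINDINGS: List[Finding] = [
    Finding("F1", "A-2023-01", "access-review",      date(2023, 3, 10), date(2023, 6, 10), date(2023, 5, 20), "ticket-101"),
    Finding("F2", "A-2023-01", "backup-restore",     date(2023, 3, 10), date(2023, 6, 10), date(2023, 7, 30), "ticket-102"),
    Finding("F3", "A-2024-01", "access-review",      date(2024, 3, 5),  date(2024, 6, 5),  date(2024, 4, 15), None),
    Finding("F4", "A-2024-01", "vendor-review",      date(2024, 3, 5),  date(2024, 5, 5),  None,              None),
    Finding("F5", "A-2024-01", "awareness-training", date(2024, 3, 5),  date(2024, 9, 30), None,              None),
]
AS_OF = date(2024, 9, 1)   # reporting date used for overdue checks


def audits_completed_per_year(audits: List[Audit]) -> Dict[int, int]:
    """KPI: number of audits actually executed, grouped by execution year."""
    counts: Dict[int, int] = defaultdict(int)
    for a in audits:
        if a.executed_on is not None:
            counts[a.executed_on.year] += 1
    return dict(counts)


def on_time_closure_pct(findings: List[Finding]) -> float:
    """KPI: percentage of closed findings closed on or before their due date."""
    closed = [f for f in findings if f.closed is not None]
    if not closed:
        return 0.0
    on_time = sum(1 for f in closed if f.closed <= f.due)
    return round(100.0 * on_time / len(closed), 1)


def average_closure_days(findings: List[Finding]) -> Optional[float]:
    """KPI: mean days from opening to closure over closed findings."""
    durations = [(f.closed - f.opened).days for f in findings if f.closed is not None]
    return round(mean(durations), 1) if durations else None


def pitfalls(audits: List[Audit], findings: List[Finding], as_of: date) -> Dict[str, List[str]]:
    """Flag the common pitfalls: unexecuted audits, overdue or evidence-less
    closures, and controls that keep producing findings across audit years."""
    audit_year = {a.audit_id: a.year for a in audits}
    years_by_control: Dict[str, set] = defaultdict(set)
    for f in findings:
        years_by_control[f.control].add(audit_year[f.audit_id])
    return {
        "planned_not_executed": sorted(
            a.audit_id for a in audits if a.executed_on is None and a.year <= as_of.year),
        "overdue_open": sorted(
            f.finding_id for f in findings if f.closed is None and f.due < as_of),
        "closed_without_evidence": sorted(
            f.finding_id for f in findings if f.closed is not None and not f.evidence),
        "repeated_controls": sorted(
            c for c, years in years_by_control.items() if len(years) > 1),
    }


if __name__ == "__main__":
    print("audits per year:", audits_completed_per_year(AUDITS))
    print("closed on time %:", on_time_closure_pct(FINDINGS))
    print("avg closure days:", average_closure_days(FINDINGS))
    for name, ids in pitfalls(AUDITS, FINDINGS, AS_OF).items():
        print(f"{name}: {ids}")
```

A finding is only counted as closed when a closure date is recorded; the evidence check is separate so that a closed finding without proof surfaces as a pitfall rather than silently counting as on time. The repeated-control check is what turns "findings repeated year after year" into something a risk committee can act on.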
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | 9.2 (Internal audit); 9.3 (Management review); 10.2 (Nonconformity and corrective action, which covers CAPA) |
| DPDP Act 2023 | Sec 10 (Significant Data Fiduciary obligations: independent data auditor, periodic DPIA and audit) |
| NIST CSF 2.0 | GV.OV-01 (risk strategy outcomes reviewed) / ID.IM-01 (improvements identified from evaluations) |
| NIRMATA Mapping | CA-Q03 ensures audit discipline and closure. |