Question: Is there a formal link between governance reporting and the organization’s internal audit or assurance function?
Objective — Why This Matters
Audit closes the loop: controls verified, issues tracked, and lessons learned feed policy and design.
Maturity Levels (0–5)
0 — Unaware
No engagement with internal audit.
1 — Ad Hoc
Audit requests handled reactively.
2 — Defined
Annual audit plan includes cyber/privacy topics.
3 — Managed
Findings tracked to closure; status reported to committee.
4 — Integrated
Risk-based scoping; remediation verified; trend reporting.
5 — Optimized
Combined assurance model across the three lines of defense (operations, risk, audit), with one shared view of findings and remediation status.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Nominate audit liaison; share key policies and risk register. |
| 1 → 2 | Add cyber/privacy topics to audit calendar. |
| 2 → 3 | Use a central CAPA tracker; monthly status to committee. |
| 3 → 4 | Add root-cause analysis and control owner coaching. |
| 4 → 5 | Map combined assurance across lines (Ops, Risk, Audit). |
People / Process / Technology Enablers
- People: Audit lead; control owners.
- Process: CAPA governance; monthly reviews.
- Technology: Issue tracker; evidence repository.
Evidence Required
- Audit plan and last report.
- CAPA list with due dates/owners.
- Closure evidence for last 3 findings.
Metrics / KPIs
- Average age of open findings (days since the finding was raised, as of the reporting date).
- % of closed findings closed on or before their due date.
- Repeat finding rate (share of findings raised against a control that a prior audit had already cited).
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| CAPA tracker | Spreadsheet/Issues | Aging, SLA, owner columns. |
| Evidence | Repo folders | “Finding-ID/…” with closure docs. |
| Reports | Markdown + PDF | Lightweight templates. |
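The three KPIs above are only useful if they are computed the same way every month, which a spreadsheet formula rarely guarantees. The following is an added example, not part of the original page or of any tracker product, that computes them from a CAPA tracker export such as the spreadsheet described in the table. It assumes a CSV with the columns finding_id, control_id, owner, raised, due and closed (all assumed names), treats a "repeat" as a finding against a control already cited by an earlier finding, and also lists overdue open items, which is what the monthly committee status should carry. The sample rows are constructed.

```python
"""Compute CAPA KPIs (average open age, % closed on time, repeat rate)
from a finding-tracker CSV export.

Added example for this page; column names, the repeat-finding rule and
the sample rows below are assumptions, not a real tracker's schema.
"""
import csv
import io
from datetime import date

# Constructed sample export. One row per finding; an empty 'closed'
# field means the finding is still open.
SAMPLE_CAPA_CSV = """finding_id,control_id,owner,raised,due,closed
F-001,A.5.15,alice,2024-01-10,2024-03-10,2024-03-01
F-002,A.8.8,bob,2024-01-10,2024-02-10,2024-02-25
F-003,A.5.15,alice,2024-07-15,2024-09-15,
F-004,A.8.24,carol,2024-07-15,2024-10-15,2024-10-10
F-005,A.8.8,bob,2024-07-15,2024-09-15,
"""


def _parse_date(value):
    # ISO-8601 dates only; an empty cell means "not closed yet".
    return date.fromisoformat(value) if value else None


def load_findings(text):
    """Parse the CSV export into a list of dicts with real date objects."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "id": row["finding_id"],
            "control": row["control_id"],
            "owner": row["owner"],
            "raised": _parse_date(row["raised"]),
            "due": _parse_date(row["due"]),
            "closed": _parse_date(row["closed"]),
        })
    return findings


def average_open_age_days(findings, as_of):
    """Mean days since 'raised' for findings with no closure date."""
    open_items = [f for f in findings if f["closed"] is None]
    if not open_items:
        return 0.0
    return sum((as_of - f["raised"]).days for f in open_items) / len(open_items)


def pct_closed_on_time(findings):
    """Closed findings whose closure date is on or before the due date."""
    closed = [f for f in findings if f["closed"] is not None]
    if not closed:
        return 0.0
    on_time = sum(1 for f in closed if f["closed"] <= f["due"])
    return 100.0 * on_time / len(closed)


def repeat_finding_rate(findings):
    """Share of findings whose control_id was already cited by an earlier
    finding (ordered by raised date). Assumption: 'repeat' is keyed on
    control_id; the page does not define the key."""
    if not findings:
        return 0.0
    seen, repeats = set(), 0
    for f in sorted(findings, key=lambda f: f["raised"]):
        if f["control"] in seen:
            repeats += 1
        seen.add(f["control"])
    return 100.0 * repeats / len(findings)


def overdue_open(findings, as_of):
    """IDs of open findings already past their due date."""
    return [f["id"] for f in findings
            if f["closed"] is None and f["due"] < as_of]


def kpi_report(text, as_of_iso):
    """Build the monthly KPI summary from a CSV export as of a given date."""
    as_of = date.fromisoformat(as_of_iso)
    findings = load_findings(text)
    return {
        "avg_open_age_days": round(average_open_age_days(findings, as_of), 1),
        "pct_closed_on_time": round(pct_closed_on_time(findings), 1),
        "repeat_finding_rate": round(repeat_finding_rate(findings), 1),
        "overdue_open": overdue_open(findings, as_of),
    }


if __name__ == "__main__":
    print(kpi_report(SAMPLE_CAPA_CSV, "2024-10-31"))
```

Run it against a tracker export and a fixed reporting date so that consecutive monthly reports are comparable; the overdue list is the part a committee will act on, the three rates are the trend to watch.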
Common Pitfalls
- Findings tracked in email only.
- Fixes applied but no proof captured.
- No re-test/verification step.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | 9.2 Internal audit; 10.1 Continual improvement; 10.2 Nonconformity and corrective action (the CAPA linkage) |
| NIRMATA Scoring | GL-Q11 needs CAPA linkage + governance reporting. |