GOV-011 Compliance Monitoring and Internal Audit
Description
The organization conducts periodic compliance checks and internal audits to verify that information security policies, controls, and requirements are operating as intended. Findings are reported to management, and corrective actions are tracked to closure.
Rationale
Controls that are never tested create a false assurance of compliance. Regular internal verification identifies gaps before external audits, regulatory reviews, or security incidents expose them.
Framework Mappings (7)
| Reference | Control | Coverage |
|---|---|---|
| A&A-03 | Risk Based Planning Assessment | full |
| A&A-05 | Audit Management Process | full |
| 5.35 | Independent review of information security | full |
| 5.36 | Compliance with policies, rules and standards for information security | full |
| CA-7 | Continuous Monitoring | partial |
| CC4.1 | COSO Principle 16: Conducts Ongoing or Separate Evaluations | full |
| CC4.2 | COSO Principle 17: Evaluates and Communicates Deficiencies | partial |
Evidence (2)
1. Internal audit report documenting the scope, findings, and management responses for the most recent compliance and controls review.
   Example: Internal Audit Report (PDF / Confluence), dated within the last 12 months, covering one or more security domains, listing findings by severity, and including a management response with agreed remediation actions and owners.
   Test: Request the most recent internal audit report. Verify: (1) the report is dated within the defined audit interval, (2) scope is stated and covers information security controls, (3) findings are categorized by severity, (4) each finding has a management response with a named owner and target remediation date, (5) the audit was conducted by someone independent of the function being audited.
2. Audit finding remediation records showing corrective actions tracked to closure.
   Example: Remediation tracker (Jira / ServiceNow / GRC platform) with tickets linked to audit findings, showing each finding's status (open / in-progress / closed), owner, and closure date or current target date.
   Test: Request the remediation tracker for findings from the most recent audit. Verify: (1) all findings from the audit report appear in the tracker, (2) each has a named owner and target date, (3) closed findings have a documented closure date and verification step, (4) no findings are overdue without a documented extension and approver.
Questions (2)
1. Does your organization conduct periodic internal audits or compliance checks of information security controls, with findings reported to management?
   An internal audit report should state scope, list findings by severity, include a management response with owners and target dates, and be produced by someone independent of the function audited.
2. How frequently does your organization conduct information security internal audits?
   Most frameworks expect at least annual internal audit activity. Findings should feed directly into the remediation tracker.