GOV-021 Audit and Assurance Policy
Description
A documented audit and assurance policy exists that defines the scope, frequency, independence requirements, and reporting responsibilities for the organization's internal audit function. The policy is reviewed at least annually.
Rationale
The audit function requires its own governance to ensure it operates with appropriate independence, scope, and authority. Without a policy, audit activities may be inconsistent, under-resourced, or captured by the functions being audited.
Framework Mappings (3)
| Control | Title | Coverage |
| --- | --- | --- |
| A&A-01 | Audit and Assurance Policy and Procedures | full |
| 8.34 | Protection of information systems during audit testing | partial |
| CA-1 | Policy and Procedures | full |
Evidence (2)
Audit and assurance policy document defining scope, frequency, independence requirements, and reporting responsibilities for the internal audit function.
Example: Internal Audit Policy (Confluence / policy management system), specifying: audit scope, audit cycle frequency (e.g. annual), independence requirement (auditor not responsible for the function audited), reporting line (e.g. to CISO or Audit Committee), and retention period for audit records.
Test: Request the audit and assurance policy. Verify: (1) audit scope is defined and covers information security, (2) audit frequency is stated, (3) independence requirements are explicit — auditors must not audit their own function, (4) reporting line to management or audit committee is specified, (5) the policy is approved and dated within the last 12 months.
Annual internal audit plan showing scheduled audits for the year aligned to the policy.
Example: Annual Audit Plan (Confluence or PDF), dated at the start of the audit year, listing audit subjects, scheduled dates, assigned auditors, and the approval signature of the CISO or Audit Committee chair.
Test: Request the current annual audit plan. Verify: (1) the plan exists and was approved before the start of the audit year, (2) scheduled audits cover the domains defined in the policy, (3) assigned auditors are named and independent of the functions being audited, (4) completion status against the plan is trackable.
Questions (2)
Does your organization have a documented audit and assurance policy that defines scope, frequency, independence requirements, and reporting responsibilities for the internal audit function?
The policy should explicitly state that auditors cannot audit their own function, define the reporting line (e.g. to CISO or Audit Committee), and be approved within the last 12 months.
Does your organization produce and approve an annual internal audit plan before the start of each audit year?
The plan should list audit subjects, scheduled dates, assigned independent auditors, and carry approval from the CISO or Audit Committee. Completion status against the plan should be trackable.