Status — April 2026: The internal audit program is in setup. First audit cycle targeted to complete by Q3 2026 ahead of the external certification audit.
Owner: Security Officer · Reviewed by: CTO, CEO · Policy version: 0.9 (draft)

Purpose

Internal audit provides independent, periodic assurance that the Denialbase ISMS is:
  1. Conforming — controls are designed and operating as documented (ISO 27001 clause 9.2, SOC 2 CC4.1).
  2. Effective — controls are actually mitigating the risks they’re intended to address (ISO 27001 clause 10.1).
  3. Improving — findings are tracked, closed, and fed back into the risk register and management review.

Scope

Every audit cycle covers the full ISMS:
  • All Annex A controls listed in the Statement of Applicability.
  • All SOC 2 Trust Services Criteria (CC, A, C, PI, P as applicable).
  • All mandatory ISO 27001 clauses (4–10).
  • Sampling of evidence from the last 12 months.

Independence

ISO 27001 requires that internal auditors be independent of the activity being audited. Denialbase meets this by:
  1. Internal rotation — no one audits an area they operationally own.
  2. External partner — for areas where the greatest independence is required (e.g. auditing the CTO’s change management), a qualified third-party consultant performs the audit on a rotating basis.
  3. No self-audit — the Security Officer does not audit their own policy documents; a delegated auditor or external reviewer does.

Audit schedule

1. Annual full audit

One comprehensive audit cycle per year covering every Annex A control and TSC. Approximately 3–4 weeks of auditor time.

2. Quarterly spot audits

Focused audits on high-risk or recently-changed areas. Examples: access reviews post-offboarding, deploy-pipeline changes, new subprocessor onboarding.

3. Post-incident audits

After any Sev-1 or Sev-2 incident, a post-incident audit assesses whether controls operated as intended and what should change.

4. Pre-external-audit readiness review

2–4 weeks before any external ISO or SOC audit, a readiness review identifies and closes gaps.

Methodology

1. Plan

  • Define audit scope, criteria (control numbers), and sample size.
  • Notify audit subjects of audit window and evidence requests.
  • Publish audit plan to management.

2. Fieldwork

  • Document review — policies, procedures, records for each in-scope control.
  • Observation — walk-throughs of controls in action (deploy pipeline, access review, incident drill).
  • Testing — sample-based evidence verification:
    Control type          | Typical sample
    ----------------------|-------------------------------------------------------------
    Access reviews        | 10% of user accounts or 25 accounts, whichever is higher
    Privileged access     | 100% of privileged-access events in the period
    Change management     | 15 random PRs, 100% of emergency changes
    Backup verification   | All monthly backup tests in the period
    Incident response     | 100% of Sev-1/Sev-2 incidents + 10% of all incidents
    Audit log integrity   | Random 30-day sample; end-to-end lineage
    Vendor reviews        | 100% of subprocessors with BAA

3. Report

  • Findings classified as major non-conformity, minor non-conformity, observation, or opportunity for improvement.
  • Each finding includes: control reference, description, evidence, severity, risk rating, recommended corrective action.
  • Report delivered to the Security Officer and reviewed at the next Management review.

4. Corrective action

  • Each non-conformity becomes a tracked item in the Risk register.
  • Root-cause analysis required for majors.
  • Corrective action verified in the next audit cycle (or sooner for criticals).

Auditor qualifications

Internal auditors must have:
  • Familiarity with ISO 27001:2022 or SOC 2 TSC (formal certification preferred but not required).
  • Technical understanding sufficient for the scope they audit (e.g. Rails + Terraform + GCP for our stack).
  • No conflicting operational responsibility in the area.
  • Signed confidentiality commitment.

Records retained

Record                         | Retention
-------------------------------|-----------------------
Audit plans                    | 6 years
Audit reports                  | 6 years
Evidence samples               | 6 years
Corrective action tracking     | Until closed + 3 years
Auditor qualification records  | Employment + 3 years

Current status

Audit activity                                         | Status      | Owner            | Target
-------------------------------------------------------|-------------|------------------|--------
Audit program policy finalization                      | In progress | Security Officer | 2026-05
First internal auditor onboarded (external contractor) | In progress | Security Officer | 2026-05
First full internal audit cycle                        | Planned     |                  | 2026-06
First external certification audit                     | Planned     |                  | 2026-09

Relationship to external audits

Internal audit is independent of and complementary to:
  • SOC 2 Type I / Type II — external auditor performs an attestation against our controls.
  • ISO 27001 Stage 1 / Stage 2 — external certification body audits the ISMS.
  • HIPAA risk assessment — independent assessor reviews HIPAA safeguards (also performed annually).
Internal audit findings are provided to external auditors on request as evidence of the ISMS’s self-correcting operation.