Draft | Internal | ISO 9001 | ISO 14001 | ISO 27001

SW-IMS-TRN-005

Internal Auditor Training - IMS Audit Methodology

Version: 1.0
Owner: IMS Owner
Effective Date: TBD
Review Date: TBD

Internal Auditor Training - IMS Audit Methodology

Document ID: SW-IMS-TRN-005-v1.0
Duration: 4 hours (split into 6 modules + assessment)
Target: Internal auditor pool (3-5 people), IMS Owner, Quality Lead
Format: Self-paced online or facilitated workshop
Validity: 24 months (refresher required)


Welcome Future Auditors!

You're about to become a key part of Swedwise's quality, environmental, and information security management. Internal auditors help us improve, catch issues early, and demonstrate to clients and certification bodies that we practice what we preach.

This isn't about catching people doing things wrong - it's about making our systems work better. Think of it as constructive troubleshooting for our management processes.

Time Investment: 4 hours of focused training, plus 2-4 days per year conducting audits. This is a valuable skill that develops your systems thinking, analytical abilities, and organizational insight.


Course Structure

Module | Topic | Duration | Format
1 | Introduction to Internal Auditing | 45 min | Reading + video
2 | Audit Planning | 45 min | Reading + exercise
3 | Conducting the Audit | 60 min | Reading + role-play
4 | Audit Findings and Reporting | 45 min | Reading + exercise
5 | Follow-up and Corrective Actions | 30 min | Reading + case study
6 | IMS-Specific Auditing | 45 min | Reading + checklist
Assessment | Knowledge check + practical exercise | 30 min | Quiz + scenario

Total: 240 minutes (4 hours)


Module 1: Introduction to Internal Auditing (45 minutes)

Why This Matters

You're busy. Clients need you. Projects have deadlines. So why spend time on internal audits?

The real value of internal audits:

  • Catch small problems before they become big ones
  • Prove to clients (especially public sector) that we have our act together
  • Prepare us for certification audits (less stress, fewer surprises)
  • Share best practices across teams
  • Give you insight into how the whole company operates

At Swedwise, internal audits are not bureaucracy - they're a learning and improvement tool.

What is an Internal Audit?

Simple definition: A systematic, independent check to see if what we say we do (in our policies and procedures) matches what we actually do.

Not an audit:

  • Performance review
  • Witch hunt
  • Blaming session
  • Box-ticking exercise

Is an audit:

  • Fact-finding mission
  • Improvement opportunity
  • Evidence-based assessment
  • Learning conversation

ISO 19011 Auditing Guidelines Overview

ISO 19011 is the international standard for auditing management systems. It's not mandatory, but it's the gold standard for how to conduct professional audits.

Key principles from ISO 19011 (you don't need to memorize this, but understand the spirit):

Principle | What It Means for You
Integrity | Be honest. Don't cover up findings or exaggerate problems.
Fair Presentation | Report what you actually found, not what you think people want to hear.
Due Professional Care | Take the audit seriously. Be thorough but not obsessive.
Confidentiality | Audit findings are internal. Don't gossip about what you discover.
Independence | You can't audit your own work. We'll assign you to areas outside your responsibility.
Evidence-Based Approach | Base findings on facts, not assumptions or hearsay. If you didn't see it or can't verify it, it's not evidence.

Audit Principles in Practice

Scenario: You're auditing the information security controls for our Stockholm office. You notice that one developer has sticky notes with passwords on their monitor.

Wrong approach (assumption-based):

"Security is clearly not taken seriously in Stockholm. Everyone probably has passwords written down."

Right approach (evidence-based):

"I observed one instance of a password written on a sticky note (desk #3, 10:30 AM, 2024-12-15). I interviewed 3 other staff members who confirmed they use password managers. This is an isolated instance, not a systemic issue."

Types of Audits

At Swedwise, we conduct:

1. System Audits

  • Focus: Is the overall IMS working?
  • Example: Audit document control procedures across all departments
  • Frequency: Annually

2. Process Audits

  • Focus: Is a specific process effective?
  • Example: Audit the customer onboarding process from sales handoff to delivery
  • Frequency: Based on risk (high-risk processes audited more often)

3. Compliance Audits

  • Focus: Are we meeting specific requirements?
  • Example: Verify all staff completed security awareness training (ISO 27001 requirement)
  • Frequency: As needed

For certification purposes, we need to cover all three ISO standards (9001, 14001, 27001) and all IMS processes at least once per year.

Your Role as Internal Auditor

Reality check: You will still have your regular job. Internal auditing is an occasional duty, not a full-time role.

Expected commitment:

  • 1-2 audits per year per auditor
  • 2-4 days per audit (prep, execution, reporting)
  • Annual refresher training (half day)
  • Total: 2-5 days per year

What you'll do:

  1. Review documents related to your audit area
  2. Interview staff
  3. Check records and evidence
  4. Observe processes in action
  5. Write up your findings
  6. Help verify corrective actions

What you WON'T do:

  • Audit your own work areas (independence requirement)
  • Tell people how to do their jobs
  • Fix the problems you find (that's the process owner's job)
  • Judge people personally (we audit processes, not people)

Quick Check: Understanding Audit Principles

Question 1: You're auditing environmental aspects and notice that the office recycling bins are not labeled correctly. What should you do?

a) Tell the office manager to fix it immediately
b) Note it as objective evidence and determine if it violates a requirement
c) Ignore it because it's a minor issue
d) Recommend terminating the office manager

Answer: b) Note it as objective evidence and determine if it violates a requirement

Explanation: Document what you observed (unlabeled recycling bins). Then check if there's a requirement for labeling (e.g., in environmental procedures or office guidelines). If there's a requirement, it's a finding. If not, it might be an observation or improvement opportunity. Your job is to assess conformity, not to manage the office or make decisions.


Question 2: During an audit, a colleague mentions "I heard from someone that access reviews are never done on time." What should you do?

a) Include this as a finding in your audit report
b) Ask for evidence (which reviews, when, what records exist)
c) Report the colleague for spreading rumors
d) Ignore it completely

Answer: b) Ask for evidence (which reviews, when, what records exist)

Explanation: Hearsay is not audit evidence. Follow up with questions: "Can you show me examples? Which reviews? What records do you have?" If the claim is true, there will be verifiable evidence. If not, it's just an unsubstantiated rumor.


Module 2: Audit Planning (45 minutes)

The Annual Audit Program

Think of this as: The master schedule for all audits across the year.

The IMS Owner creates an annual audit program that covers:

  • All three ISO standards (9001, 14001, 27001)
  • All key processes (customer delivery, support functions, operations)
  • All locations (Karlstad, Stockholm, Uddevalla, remote workers)
  • High-risk areas (audited more frequently)

Example Audit Program (simplified):

Audit # | Scope | ISO Standard | Risk | Quarter | Auditor
A-2025-01 | Document control | All 3 | Medium | Q1 | Emma
A-2025-02 | Information security controls | ISO 27001 | High | Q2 | Johan
A-2025-03 | Environmental aspects (travel, energy) | ISO 14001 | Medium | Q2 | Emma
A-2025-04 | Customer delivery & project mgmt | ISO 9001 | High | Q3 | Lisa
A-2025-05 | SaaS operations & incident mgmt | ISO 9001, 27001 | High | Q3 | Johan
A-2025-06 | Supplier management | ISO 9001, 14001 | Medium | Q4 | Lisa

Why risk-based?
We focus more audit time on areas that matter most:

  • High risk: SaaS operations, information security, customer delivery (audited semi-annually or more)
  • Medium risk: Document control, supplier management (audited annually)
  • Low risk: Office administrative processes (audited every 18 months)

Individual Audit Planning

When you're assigned an audit, you'll develop a specific audit plan:

Step 1: Understand the Assignment

  • What processes/areas are in scope?
  • What ISO requirements apply?
  • What's the audit objective?
  • When is it scheduled?

Step 2: Review Documentation

  • Read relevant policies and procedures
  • Review previous audit reports (what was found before?)
  • Check the risk register (what are known risks in this area?)
  • Look at recent incidents or nonconformities

Step 3: Prepare Your Audit Plan

Your audit plan includes:

Element | Description | Example
Objective | Why you're auditing | "Verify conformity of access management controls to ISO 27001 requirements"
Scope | What's included/excluded | "User access provisioning and review process, all locations. Excludes physical access cards."
Criteria | What you're checking against | "ISO 27001 Annex A.5.18, SW-ISMS-POL-002, SW-ISMS-PRO-003"
Schedule | When and how long | "March 15, 2025, 9:00-16:00"
Auditees | Who you'll interview | "CISO, IT Manager, 3 random staff"
Documents | What you need to review | "Access request logs, quarterly review records, user lists"

Step 4: Create Your Audit Checklist

Example checklist (access management):

ISO Clause | Requirement | How to Check | Evidence Needed
A.5.18 | Access rights granted based on business need | Interview: "How do you determine what access to grant?" | Access request forms, approval records
A.5.18 | Regular review of access rights | Review: Are quarterly access reviews documented? | Review logs (last 4 quarters)
A.5.18 | Access removed when no longer needed | Check: Sample 5 recent leavers - was access removed? | Termination checklist, system logs

Pro tip: Use a checklist as a guide, not a script. Have conversations, not interrogations.

Practical Exercise: Build an Audit Checklist

Scenario: You're assigned to audit the "Customer Feedback" process (ISO 9001).

Relevant requirements:

  • ISO 9001 Clause 9.1.2: Customer satisfaction monitoring
  • SW-QMS-PRO-008: Customer Feedback Procedure (requires: collect feedback, analyze trends, report to management)

Your task: Create an audit checklist with at least 4 check points.

Sample Answer:

ISO Clause | Requirement | Audit Question | Evidence Needed
9.1.2 | Monitor customer satisfaction | How do you collect customer feedback? | Feedback forms, survey tools, process description
9.1.2 | Analyze feedback trends | Can you show me the last 3 months of feedback analysis? | Analysis reports, trend charts
SW-QMS-PRO-008 | Report to management quarterly | Is customer feedback discussed in management reviews? | Management review minutes
SW-QMS-PRO-008 | Follow up on negative feedback | What happens when a customer complaint is received? | Complaint log, follow-up records

Notifying the Auditee

Minimum 2 weeks notice (unless there's a good reason for an unannounced audit, which is rare).

What to communicate:

  • Audit date and duration
  • Audit scope and objectives
  • Who you need to interview
  • What documents/records you'll need to review
  • Meeting room requirements

Sample notification email:

Subject: Internal Audit - Access Management (March 15)

Hi [Auditee],

I've been assigned to conduct an internal audit of our access management
processes on March 15, 2025, from 9:00-16:00.

Audit Scope:
- User access provisioning and review (all locations)
- Conformity with ISO 27001 A.5.18 and SW-ISMS-PRO-003

I'll need:
- 30-minute opening meeting (9:00 AM) with you and your team
- Access to: access request logs (last 6 months), quarterly review
  records (last 4 quarters), user account lists
- Interviews with: yourself, IT Manager, 2-3 staff members who request
  access regularly
- Closing meeting (3:30 PM) to present preliminary findings

Please book a meeting room and let me know who from your team will be
available.

Looking forward to working with you!

[Your Name]
Internal Auditor

Module 3: Conducting the Audit (60 minutes)

This is where the rubber meets the road. Let's walk through an actual audit day.

Opening Meeting (15-30 minutes)

Purpose: Set the stage, establish rapport, confirm logistics.

Attendees: Audit team, auditee(s), relevant managers

Agenda:

  1. Introductions (if needed)
  2. Reconfirm audit objective and scope - "We're here to verify conformity with ISO 27001 access management requirements, focusing on user provisioning and reviews."
  3. Explain the approach - "I'll review documents, interview staff, and check sample records. This will take about 6 hours total."
  4. Set expectations - "I'll share preliminary findings at the closing meeting. Any nonconformities will be documented for corrective action."
  5. Logistics - "I'll start with document review in conference room A, then interviews at 11:00."
  6. Answer questions

Tone: Professional, collaborative, not adversarial. Smile. This is a conversation, not an interrogation.

What NOT to say:

  • "I'm here to find out what you're doing wrong."
  • "This audit will determine your performance rating."
  • "Last time this area was a disaster."

What to say:

  • "I'm here to verify our processes are working as intended."
  • "This is an opportunity to identify improvements."
  • "Let me know if you have questions as we go."

Gathering Audit Evidence

You have four main tools:

1. Interviews

Good interview questions (open-ended):

  • "Can you walk me through how you handle [process]?"
  • "What happens if [exception] occurs?"
  • "Where do you record [activity]?"
  • "How do you know if this is working?"
  • "What training have you received on this procedure?"

Poor interview questions (leading or yes/no):

  • "You always follow the procedure, right?"
  • "Do you think this process works?"

Interview tips:

  • Start with easy questions to build rapport
  • Listen more than you talk (you have two ears, one mouth - use them proportionally)
  • Take notes, but maintain eye contact
  • If you don't understand something, ask for clarification
  • Avoid arguing or judging
  • Thank people for their time

Example interview (access management):

Auditor: "Can you walk me through what happens when a new employee needs system access?"

Staff: "Sure. Their manager fills out the access request form and emails it to me."

Auditor: "What do you do when you receive the request?"

Staff: "I check that it's approved by the manager, then I set up the accounts based on their role."

Auditor: "How do you know what access each role should have?"

Staff: "We have a role-based access matrix. Let me show you..." [shows document]

Auditor: "Great, thanks. And where do you record that the access was granted?"

Staff: "It goes in the access log here." [shows log]

Auditor: "Perfect. Can I see an example of a recent request?"


2. Document Review

What you're checking:

  • Do required documents exist?
  • Are they current (within review date)?
  • Are they approved?
  • Do they align with ISO requirements?
  • Are they accessible to those who need them?

Example document review (policy check):

Document | Required? | Current? | Approved? | Accessible? | Conformity
Information Security Policy | Yes (ISO 27001) | Yes (v2.0, reviewed 2024) | Yes (CEO signature) | Yes (intranet) | Conforming
Access Control Policy | Yes (ISO 27001 A.5.18) | Yes (v1.1, reviewed 2024) | Yes (CISO signature) | Yes (intranet) | Conforming

3. Record Review (Sampling)

You can't check everything (we're a small company, but even so). Use sampling.

Sampling approach:

  • For Swedwise size: Sample 5-10 records per process
  • Pick randomly: Don't just take the first 5 or the most recent
  • Look for patterns: If you find an issue in your sample, expand the sample

Example sampling (access reviews):

Required: Quarterly access reviews for all users

Your sample:

  • Q4 2024 review - Stockholm office (check: was it done? documented? timely?)
  • Q3 2024 review - Karlstad office
  • Q2 2024 review - Remote workers
  • Select 5 random users - verify their access was reviewed in each quarter

Finding:

  • Q4 2024: Complete, documented, on time
  • Q3 2024: Complete, documented, on time
  • Q2 2024: No evidence found - this is a nonconformity

4. Observations

What to observe:

  • How people actually work (vs. how the procedure says they should)
  • Physical controls (locked doors, clean desks, labeled waste bins)
  • Environmental aspects (energy use, waste sorting, travel patterns)
  • Real-time processes (e.g., watch someone complete a task)

Observation tips:

  • Don't hover - people get nervous
  • Observe quietly without interrupting (unless it's a safety issue)
  • Note time, location, and what you saw
  • Take photos if permitted (and appropriate)

Example observation (clean desk policy):

Policy requirement: "All staff must lock away confidential documents when leaving their desk."

Your observation: "Walked through Stockholm office at 12:15 PM (lunch time). Of 8 desks, 6 were clear. Desk #3 had printed customer contract visible. Desk #7 had printed salary information visible."

Evidence: Photo (with permission), note of time and location


Note-Taking and Documentation

During the audit, document:

  • What you examined (document title, version, date)
  • Who you interviewed (name, role, date/time)
  • What you observed (specific facts, not opinions)
  • Evidence of conformity or nonconformity

Good note example:

"Interviewed IT Manager (Johan, 2024-03-15, 10:30). He explained access request process. Reviewed access request log for Jan-Mar 2024. Sampled 5 requests - all had manager approval and were processed within 24 hours per procedure requirement."

Poor note example:

"Talked to Johan. Access process seems fine."

Why good notes matter:

  • You'll write the audit report later (you won't remember everything)
  • Evidence must be verifiable
  • Auditee may challenge a finding - you need to back it up
  • External auditors may review your work

Evaluating Findings

For each requirement, you'll determine:

Conformity

What it means: Requirement is met. Evidence shows effective implementation.

Example: "Training records reviewed for 10 staff members. All completed annual security awareness training within the past 12 months. Requirement met."

In your report: List as conformity (or just don't mention it - we often focus on exceptions).


Minor Nonconformity

What it means: Isolated deviation. Doesn't compromise overall system effectiveness.

Characteristics:

  • One-off instance
  • Doesn't indicate systemic failure
  • Low risk impact

Example: "Training records reviewed for 10 staff members. 9 completed training on time. 1 record (Emma Andersson) shows training completed 2 weeks late. Isolated instance."

Classification: Minor nonconformity (NC)


Major Nonconformity

What it means: Systemic failure, complete absence of a requirement, or multiple related minor nonconformities.

Characteristics:

  • Widespread problem
  • Total breakdown of control
  • High risk impact
  • Multiple related failures

Example 1 (systemic): "Quarterly access reviews required by procedure. Reviewed last 4 quarters - no evidence of reviews conducted in any quarter. Systemic failure."

Example 2 (absence): "ISO 27001 requires incident management procedure. No incident procedure documented. Complete absence of requirement."

Example 3 (multiple related minors): "Sampled 10 user accounts. 7 have not been reviewed in the past 6 months (requirement: quarterly). Systemic failure."

Classification: Major nonconformity (NC-MAJOR)


Observation (OFI - Opportunity for Improvement)

What it means: Not a nonconformity, but something that could be improved or might become a problem later.

Characteristics:

  • No requirement is violated (yet)
  • Potential risk or inefficiency
  • Good practice opportunity

Example: "Backup logs are reviewed monthly as required. However, logs are stored in multiple locations, making review time-consuming. Consider centralizing logs for efficiency."

Classification: Observation (OBS) or OFI


Role-Play Exercise: Conducting an Interview

Scenario: You're auditing the document control process. You need to interview the IMS Owner about how documents are reviewed and approved.

Your task: Write 5 audit questions you would ask.

Sample Questions:

  1. "Can you walk me through the process when a new procedure needs to be created?"
  2. "How do you ensure that procedures are reviewed by the right people before approval?"
  3. "Where is the document approval recorded?"
  4. "What happens if someone identifies an issue with a published document?"
  5. "How do you communicate document updates to staff who need to use them?"

Follow-up questions (based on answers):

  • "Can you show me an example of a recent document approval?"
  • "How long does the approval process typically take?"
  • "What training do document owners receive on the document control procedure?"

Handling Audit Challenges

Challenge 1: Auditee is defensive or uncooperative

Wrong response: Get confrontational, threaten to escalate

Right response:

  • Stay professional and calm
  • Remind them of the audit's purpose (improvement, not punishment)
  • Stick to facts and evidence
  • If unresolved, escalate to IMS Owner after the audit
  • Document the issue in your audit report

Challenge 2: Evidence is missing or unavailable

Wrong response: Assume it doesn't exist and write a major nonconformity

Right response:

  • Ask when the evidence will be available
  • Determine if absence is temporary (e.g., person on vacation) or systemic
  • If truly missing and required, that IS a nonconformity
  • Document what you looked for and what you found (or didn't find)

Challenge 3: Auditee disagrees with your finding

Wrong response: Argue, get defensive, or back down immediately

Right response:

  • Listen to their perspective
  • Review the evidence together
  • Check the requirement again (are you both interpreting it correctly?)
  • If you still disagree, document both perspectives in the audit report
  • Lead Auditor (or IMS Owner) makes final determination
  • Auditee can provide additional evidence during corrective action phase

Challenge 4: You discover something urgent (e.g., major security breach)

Wrong response: Continue the audit as if nothing happened

Right response:

  • Immediately inform the auditee and relevant manager
  • Pause the audit if needed to address urgent issue
  • Document the finding
  • Follow up with IMS Owner
  • Resume audit when appropriate

Closing Meeting (30-45 minutes)

Purpose: Present your findings, explain next steps, answer questions.

Attendees: Same as opening meeting

Agenda:

  1. Thank the auditee for cooperation and time
  2. Restate audit scope and objectives
  3. Present findings:
    • Start with positive findings (what's working well)
    • Then observations (improvement opportunities)
    • Finally nonconformities (what needs to be fixed)
  4. Explain each finding clearly:
    • What you found (evidence)
    • Why it's a finding (requirement violated)
    • Classification (major/minor)
  5. Clarify corrective action requirements and timeline
  6. Answer questions (but don't negotiate findings)
  7. Confirm audit report distribution
  8. Close professionally

Tone: Balanced. Recognize the good, be clear about the issues, focus on improvement.

Example closing statement:

"Overall, the document control system is working well. Staff understand the process, documents are well-maintained, and there's good version control. I identified two minor nonconformities related to version numbering and obsolete document removal - these are easily addressable. I also noted an observation about centralizing training records, which could improve efficiency. I'll send you the written audit report within 5 days. You'll have 4 weeks to submit corrective action plans for the minor nonconformities. Any questions?"


Module 4: Audit Findings and Reporting (45 minutes)

Types of Findings - Summary

We covered this in Module 3, but let's consolidate:

Finding Type | What It Means | Example | Corrective Action Required?
Conformity | Requirement met | All training records complete and current | No
Positive Finding | Exceeds requirements; best practice | Automated notifications for document updates (not required but excellent) | No (but share as good practice)
Observation (OFI) | Improvement opportunity; not a violation | Backup logs in multiple locations - consider centralizing | No (but recommended)
Minor NC | Isolated deviation; low risk | 1 of 10 training records missing completion date | Yes (within 60 days)
Major NC | Systemic failure; high risk; complete absence | No access reviews conducted in past year (requirement: quarterly) | Yes (within 30 days)

Writing Clear Nonconformity Statements

A good nonconformity statement has four elements:

1. Requirement

What was supposed to happen?

State the specific ISO clause, policy, or procedure requirement.

Example:

"ISO 27001 Annex A.5.18 requires user access rights to be reviewed at regular intervals. SW-ISMS-PRO-003 Section 4.2 specifies quarterly reviews."


2. Evidence

What did you actually find?

State objective facts. Be specific (dates, numbers, names, locations).

Example:

"Review of access review logs for Q1-Q4 2024 showed:

  • Q1 2024: Review completed, documented
  • Q2 2024: No evidence of review
  • Q3 2024: No evidence of review
  • Q4 2024: Review completed, documented

Interviewed IT Manager (Johan, 2024-03-15) who confirmed reviews were missed in Q2 and Q3 due to workload."


3. Potential Impact

Why does this matter?

Explain the risk or consequence if not corrected.

Example:

"Without regular access reviews, unauthorized access rights may remain undetected, increasing the risk of data breaches or inappropriate access to sensitive information."


4. Required Action (optional in the initial finding, required in the CAR, the corrective action request)

What needs to be fixed?

Example:

"Implement quarterly access reviews as required by procedure. Address root cause (workload) to prevent recurrence."


Complete Nonconformity Example

Nonconformity ID: NC-A2025-02-001

Classification: Minor Nonconformity

Requirement:
ISO 27001 Annex A.5.18 and SW-ISMS-PRO-003 Section 4.2 require user access rights to be reviewed quarterly.

Evidence:
Review of access review logs for Q1-Q4 2024:

  • Q1 2024: Completed (documented in access-review-2024-q1.xlsx)
  • Q2 2024: No evidence found
  • Q3 2024: No evidence found
  • Q4 2024: Completed (documented in access-review-2024-q4.xlsx)

Interviewed IT Manager (Johan Svensson, 2024-03-15, 10:30) who confirmed Q2 and Q3 reviews were not conducted due to workload during SaaS launch project.

Potential Impact:
Without regular access reviews, unauthorized or excessive access rights may persist, increasing the risk of data breaches or inappropriate access to confidential information.

Classification Rationale:
Classified as Minor NC (not Major) because:

  • 2 of 4 quarters were completed
  • Issue identified and acknowledged
  • No evidence of actual security incidents resulting from missed reviews
  • Not a complete absence of the process (50% completion rate)

However, if this pattern continues, it will escalate to Major NC.

Required Action:

  1. Complete access review for Q1 2025 (immediate correction)
  2. Investigate root cause (workload management)
  3. Implement preventive measures (e.g., scheduled reminders, workload planning, backup reviewer)
  4. Verify effectiveness in Q2 2025

Writing Exercise: Nonconformity Statement

Scenario: You're auditing training records. The procedure (SW-IMS-PRO-007) requires all new hires to complete IMS Awareness training within 30 days of hire. You sample 8 new hires from 2024:

  • Hire 1 (Jan 15): Training completed Jan 30 (15 days) - OK
  • Hire 2 (Feb 3): Training completed Feb 28 (25 days) - OK
  • Hire 3 (Mar 10): Training completed May 5 (56 days) - LATE
  • Hire 4 (Apr 22): Training completed May 18 (26 days) - OK
  • Hire 5 (Jun 1): Training completed Jun 20 (19 days) - OK
  • Hire 6 (Aug 5): No training record found - MISSING
  • Hire 7 (Sep 12): Training completed Oct 10 (28 days) - OK
  • Hire 8 (Nov 3): Training completed Nov 25 (22 days) - OK

Your task: Write a nonconformity statement with all four elements.

Sample Answer:

Nonconformity ID: NC-A2025-03-002

Classification: Minor Nonconformity

Requirement:
SW-IMS-PRO-007 (Competence and Training Procedure) Section 3.1 requires all new hires to complete IMS Awareness training within 30 days of their start date.

Evidence:
Reviewed training records for 8 new hires in 2024:

  • 5 employees completed training within 30 days (compliant)
  • 1 employee (Hire 3, start date Mar 10) completed training on May 5 (56 days - 26 days late)
  • 1 employee (Hire 6, start date Aug 5) has no training record (interviewed HR - training not scheduled)

Compliance rate: 62.5% (5 of 8)

Potential Impact:
New employees may begin work without understanding Swedwise's quality, environmental, and information security requirements, increasing risk of nonconformity or incidents.

Classification Rationale:
Minor NC because:

  • Majority (62.5%) are compliant
  • Issue affects new hire onboarding, not all staff
  • Two isolated instances (not systemic failure)

Required Action:

  1. Ensure Hire 6 completes IMS Awareness training immediately
  2. Investigate why Hire 3 and Hire 6 training was delayed/missed
  3. Implement controls to ensure training is scheduled automatically upon hire (e.g., HRIS trigger, onboarding checklist)
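The record-review sampling from Module 3 and the four-element nonconformity statement above can be carried through in a small script, so that the day counts, the compliance rate and the evidence bullets are computed from the sampled records rather than tallied by hand. The Python below is an added example; it is not part of this training document and not a Swedwise tool. The eight hire records are constructed for illustration (they are not the scenario's eight hires), and the classification thresholds in `classify` (no conforming record or a majority non-conformant sample is Major, any other deviation is Minor) are a simplified encoding of this module's examples, an assumption rather than the wording of SW-IMS-PRO-007.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Requirement from the scenario: SW-IMS-PRO-007 Section 3.1, IMS Awareness
# training completed within 30 days of the start date.
MAX_DAYS = 30


@dataclass
class TrainingRecord:
    hire_id: str
    start: date
    completed: Optional[date]   # None = no training record found


@dataclass
class SampleResult:
    on_time: list = field(default_factory=list)  # TrainingRecord
    late: list = field(default_factory=list)     # (TrainingRecord, days_taken, days_late)
    missing: list = field(default_factory=list)  # TrainingRecord

    @property
    def total(self) -> int:
        return len(self.on_time) + len(self.late) + len(self.missing)


def evaluate_sample(records, max_days=MAX_DAYS) -> SampleResult:
    """Check every sampled record against the deadline. A missing record is
    counted as non-conformant: absence of evidence is a finding, never an
    assumption that the training probably happened."""
    result = SampleResult()
    for rec in records:
        if rec.completed is None:
            result.missing.append(rec)
            continue
        days = (rec.completed - rec.start).days
        if days <= max_days:
            result.on_time.append(rec)
        else:
            result.late.append((rec, days, days - max_days))
    return result


def compliance_rate(result: SampleResult) -> float:
    return len(result.on_time) / result.total if result.total else 0.0


def classify(result: SampleResult):
    """Simplified encoding of this module's examples (an assumption, not the
    procedure's wording): complete absence or a majority non-conformant
    sample is Major, any other deviation is Minor. Auditor judgement governs."""
    noncompliant = len(result.late) + len(result.missing)
    if noncompliant == 0:
        return "Conformity", "All sampled records meet the requirement."
    if not result.on_time:
        return "Major NC", "No sampled record meets the requirement (complete absence)."
    if noncompliant > result.total / 2:
        return "Major NC", f"{noncompliant} of {result.total} non-conformant (systemic failure)."
    return "Minor NC", f"{noncompliant} of {result.total} non-conformant; majority conform (isolated instances)."


def nonconformity_statement(result: SampleResult, requirement: str, impact: str,
                            max_days=MAX_DAYS) -> dict:
    """Assemble the four elements: requirement, evidence, potential impact, required action."""
    classification, rationale = classify(result)
    evidence = [f"Reviewed training records for {result.total} new hires:",
                f"- {len(result.on_time)} completed within {max_days} days (compliant)"]
    for rec, days, late_by in result.late:
        evidence.append(f"- {rec.hire_id} (start {rec.start}) completed on {rec.completed} "
                        f"({days} days - {late_by} days late)")
    for rec in result.missing:
        evidence.append(f"- {rec.hire_id} (start {rec.start}) has no training record")
    evidence.append(f"Compliance rate: {compliance_rate(result):.1%} "
                    f"({len(result.on_time)} of {result.total})")
    actions = []
    if result.missing:
        actions.append("Complete IMS Awareness training immediately for: "
                       + ", ".join(r.hire_id for r in result.missing))
    if result.late or result.missing:
        actions.append("Investigate why the late/missing cases were not scheduled (root cause)")
        actions.append("Implement a control that schedules training on hire (e.g. onboarding checklist trigger)")
    return {"classification": classification, "rationale": rationale,
            "requirement": requirement, "evidence": evidence,
            "potential_impact": impact, "required_action": actions}


# Constructed sample for illustration (not the scenario's eight hires).
SAMPLE = [
    TrainingRecord("Hire 1", date(2025, 1, 13), date(2025, 1, 27)),   # 14 days
    TrainingRecord("Hire 2", date(2025, 2, 3), date(2025, 3, 3)),     # 28 days
    TrainingRecord("Hire 3", date(2025, 3, 10), date(2025, 4, 24)),   # 45 days, late
    TrainingRecord("Hire 4", date(2025, 4, 22), date(2025, 5, 12)),   # 20 days
    TrainingRecord("Hire 5", date(2025, 6, 2), date(2025, 6, 30)),    # 28 days
    TrainingRecord("Hire 6", date(2025, 8, 4), None),                 # no record
    TrainingRecord("Hire 7", date(2025, 9, 15), date(2025, 10, 20)),  # 35 days, late
    TrainingRecord("Hire 8", date(2025, 11, 3), date(2025, 11, 24)),  # 21 days
]


def run_example() -> dict:
    result = evaluate_sample(SAMPLE)
    return nonconformity_statement(
        result,
        requirement="SW-IMS-PRO-007 Section 3.1: IMS Awareness training within 30 days of start date.",
        impact="New employees may begin work without understanding quality, environmental "
               "and information security requirements.")


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports 5 of 8 compliant (62.5%), two late completions with the exact number of days over the limit, one missing record, and a Minor NC classification with its rationale; the same evaluation on a sample with no conforming record returns Major NC. Keep the auditor's own judgement in the loop: the thresholds are a starting point for the classification rationale, not a substitute for it.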

Audit Report Structure

Your audit report is the official record of the audit. It should be:

  • Clear: Anyone reading it understands what you found
  • Complete: All findings documented with evidence
  • Objective: Facts, not opinions
  • Timely: Issued within 5 working days

Standard audit report sections:

Section | What to Include
Audit Information | Audit ID, date, location, auditors, auditees
Audit Objective and Scope | Why you audited, what was covered
Audit Criteria | ISO clauses, policies, procedures used
Executive Summary | 1-2 paragraph overview (conformity status, key findings)
Conformities | What's working well
Positive Findings | Best practices worth sharing
Observations | Improvement opportunities (not NCs)
Nonconformities | Detailed findings (requirement, evidence, impact)
Audit Conclusion | Overall assessment of effectiveness
Next Steps | Corrective action timeline, follow-up plan

See Appendix B of SW-IMS-PRO-003 for the full template.


Confidentiality of Audit Results

Important: Audit reports are classified as Internal (confidential).

Who receives audit reports:

  • Auditee (process owner / department head)
  • Management Team
  • IMS Owner
  • Relevant managers

Who does NOT receive audit reports:

  • External parties (clients, suppliers) without approval
  • Staff not involved in the audit or corrective actions
  • Social media (obviously, but worth stating)

Why confidentiality matters:

  • Protects organizational reputation
  • Encourages honest disclosure during audits
  • Prevents misinterpretation or misuse of findings
  • Maintains trust in the audit process

Exception: External certification auditors may review internal audit reports as evidence.


Module 5: Follow-up and Corrective Actions (30 minutes)

Your audit report is submitted. Findings are documented. Now what?

Corrective Action Requirements

For each nonconformity (major or minor), the auditee must:

Step 1: Immediate Correction (if applicable)

Fix the specific instance right away.

Example: If one training record is missing, complete the training immediately.

This is NOT enough by itself - you also need to prevent recurrence.


Step 2: Root Cause Analysis

Determine why the nonconformity occurred.

Simple techniques:

  • 5 Whys: Ask "why" repeatedly until you reach the root cause
  • Fishbone diagram: Categorize potential causes (people, process, tools, environment)
  • Simple analysis: "What went wrong and why?"

Example (5 Whys for missed access reviews):

  1. Why were Q2 and Q3 access reviews not conducted?
     • IT Manager was focused on SaaS launch and forgot.
  2. Why did the IT Manager forget?
     • No calendar reminder or automated prompt.
  3. Why was there no reminder?
     • Access review process relies on manual memory.
  4. Why does it rely on manual memory?
     • No automated scheduling system in place.
  5. Why is there no automated system?
     • Process was designed without automation; assumed manual tracking would work.

Root cause: Process design relies on manual memory without reminders or automation.


Step 3: Corrective Action Plan

Address the root cause to prevent recurrence.

Example corrective action plan:

Action | Responsibility | Deadline | Evidence
Immediate: Complete Q1 2025 access review | IT Manager | 2025-03-30 | Review log
Implement quarterly calendar reminders | IT Manager | 2025-04-15 | Calendar screenshot
Create backup reviewer role | CISO | 2025-04-30 | Updated procedure
Evaluate automation options (HRIS integration) | IT Manager | 2025-06-30 | Feasibility report

Key point: Address the root cause, not just the symptom.

Poor corrective action: "IT Manager will try harder to remember."

Good corrective action: "Implement automated quarterly reminders and assign backup reviewer."


Step 4: Verification of Effectiveness

Prove that the corrective action worked.

How to verify:

  • Provide evidence that actions were completed (screenshots, records, updated documents)
  • Demonstrate the issue is resolved (e.g., next quarter's access review is completed on time)
  • Check sustainability (is it still working 3-6 months later?)

Example verification:

  • Q1 2025 access review completed on time (evidence: review log dated 2025-04-05)
  • Calendar reminders in place (evidence: screenshot showing recurring quarterly events)
  • Q2 2025 access review completed on time (evidence: review log dated 2025-07-03)

Timelines

Nonconformity Type | Corrective Action Plan Due | Implementation Due | Follow-up
Major NC | 2 weeks | 30 days (or as agreed) | Mandatory follow-up audit
Minor NC | 4 weeks | 60 days | Document review or optional follow-up audit
Observation | No formal requirement | Recommended if resources allow | No formal follow-up

Extensions can be granted by IMS Owner if justified (e.g., requires budget approval, external dependency).


Verifying Corrective Actions

As an auditor, you may be asked to verify corrective actions:

Verification methods:

  1. Document review: Examine evidence provided (updated procedures, completed records, photos)
  2. Follow-up audit: Conduct a targeted mini-audit to verify implementation
  3. Effectiveness check: Wait 3-6 months and verify the issue hasn't recurred

Verification outcomes:

Outcome | Meaning | Next Step
Closed | Corrective action is adequate and effective | Nonconformity closed; no further action
Pending | Corrective action in progress; partial completion | Remains open; set new deadline
Reopened | Corrective action inadequate or ineffective | Requires rework; may escalate to major NC

Observations - What Happens?

Observations (OFIs) do not require formal corrective action, but:

  • Process owner reviews the observation
  • Considers whether to address it (based on resources and priorities)
  • May implement improvements if valuable
  • Not tracked formally like nonconformities

Example:

  • Observation: "Backup logs stored in multiple locations - consider centralizing."
  • Response: Process owner evaluates feasibility, cost, and benefit. May implement in next quarter or defer if not a priority.

Escalation

What if corrective actions are not completed on time or keep failing?

Escalation path:

  1. IMS Owner reminder: Email reminder as deadline approaches
  2. Management escalation: IMS Owner escalates to Management Team if overdue
  3. Resource allocation: Management may provide additional resources or adjust priorities
  4. Management review: Persistent nonconformities discussed in quarterly management review
  5. Certification risk: If critical for certification, may impact audit readiness

Your role: Focus on conducting quality audits and documenting findings. Escalation is handled by IMS Owner and management.


Case Study: Following Up on a Nonconformity

Scenario: You conducted an audit in March 2025 and identified a Minor NC:

NC-A2025-02-001: Quarterly access reviews not conducted in Q2 and Q3 2024.

Corrective Action Plan (submitted by IT Manager, April 15):

  • Immediate: Complete Q1 2025 review by March 30 ✓ (completed)
  • Implement calendar reminders by April 15 ✓ (completed)
  • Assign backup reviewer by April 30 (pending)
  • Evaluate automation by June 30 (pending)

It's now July 2025. You're asked to verify effectiveness.

Your verification approach:

  1. Check completion:
     • Q1 2025 review: Completed March 28 ✓
     • Calendar reminders: Screenshot shows quarterly recurring events ✓
     • Backup reviewer: Procedure updated May 5, backup assigned (Lisa) ✓
     • Automation evaluation: Report completed June 25, automation not cost-effective ✓
  2. Check sustainability:
     • Q2 2025 review: Completed April 5 (on time) ✓
     • Q3 2025 review: Due July 7 - check if completed
  3. Verify Q3 2025 review:
     • Request evidence: access-review-2025-q3.xlsx, dated July 6 ✓

Verification conclusion:
All corrective actions completed. Process has been effective for two consecutive quarters. Nonconformity CLOSED.

Evidence for closure:

  • Updated procedure with backup reviewer
  • Calendar reminders screenshot
  • Access review logs for Q1, Q2, Q3 2025 (all on time)
  • Automation evaluation report

Module 6: IMS-Specific Auditing (45 minutes)

Swedwise's IMS integrates three ISO standards: 9001 (Quality), 14001 (Environmental), 27001 (Information Security). You need to understand what's unique about each.

Auditing Integrated Systems

What is integrated?

  • Single management review process
  • Unified internal audit program
  • Common document control procedure
  • Integrated risk assessment methodology
  • Shared training and awareness program

What is NOT integrated?

  • Each standard has unique technical requirements
  • Different domain expertise needed (quality vs. security vs. environmental)
  • Different regulatory contexts

Audit approach:

  • Some audits cover multiple standards (e.g., document control applies to all three)
  • Some audits are standard-specific (e.g., environmental aspects register is ISO 14001 only)
  • Cross-reference where appropriate

ISO 9001 (Quality Management) - Key Audit Points

Focus: Customer satisfaction, consistent delivery, continuous improvement

High-priority audit areas:

ISO 9001 Clause | Focus | What to Check
5.1.2 | Customer focus | Does management ensure customer requirements are understood? Evidence of customer communication?
6.2 | Quality objectives | Are quality objectives defined, measured, and tracked?
8.2 | Customer requirements | Are customer requirements documented? Reviewed before acceptance?
8.5 | Service delivery | Are services delivered per planned arrangements? Records maintained?
8.6 | Release of services | Are services verified before release to customer? Acceptance criteria met?
9.1.2 | Customer satisfaction | Is customer feedback monitored? Analyzed? Acted upon?
9.3 | Management review | Are management reviews conducted? Inputs/outputs documented?
10.2 | Nonconformity & corrective action | Are nonconformities identified, addressed, and root causes analyzed?

Example audit questions (ISO 9001):

  • "How do you capture customer requirements at the start of a project?"
  • "Can you show me the acceptance criteria for the SaaS onboarding service?"
  • "What happens if a customer reports an issue with service delivery?"
  • "Where are customer satisfaction results reported?"

Key evidence:

  • Customer contracts, requirements documents
  • Project delivery records
  • Customer feedback surveys, NPS scores
  • Nonconformity logs, corrective action records
  • Management review minutes

ISO 14001 (Environmental Management) - Key Audit Points

Focus: Environmental impact, compliance, pollution prevention

High-priority audit areas:

ISO 14001 Clause | Focus | What to Check
6.1.2 | Environmental aspects | Are significant environmental aspects identified?
6.1.3 | Compliance obligations | Are environmental legal requirements identified and tracked?
7.2 | Competence | Do staff understand their environmental responsibilities?
8.1 | Operational control | Are controls in place for significant aspects (travel, energy, waste)?
9.1.1 | Monitoring & measurement | Are environmental metrics monitored (energy use, travel emissions, waste)?

Example audit questions (ISO 14001):

  • "How do you identify the environmental impacts of your operations?"
  • "What are Swedwise's most significant environmental aspects?" (Answer: Travel, energy use, electronic waste)
  • "How do you monitor and reduce travel-related emissions?"
  • "How do you ensure compliance with waste disposal regulations?"

Key evidence:

  • Environmental aspects register
  • Travel data, carbon footprint reports
  • Energy consumption logs
  • Waste disposal records, recycling logs
  • Environmental training records

Swedwise-specific context:

  • As a consultancy, travel is the biggest environmental impact
  • Office energy use (electricity, heating)
  • Electronic waste (old hardware, servers)
  • SaaS operations (data center energy use - but this is Entiros's responsibility, not ours)

ISO 27001 (Information Security) - Key Audit Points

Focus: Protecting information assets, managing security risks

High-priority audit areas:

ISO 27001 Clause | Focus | What to Check
5.1 | Information security policies | Are policies established, documented, communicated, and reviewed?
6.1.2 | Information security risk assessment | Are information security risks identified and assessed?
6.1.3 | Information security risk treatment | Are risk treatment plans implemented?
8.1 | Operational planning & control | Are Annex A controls implemented as defined in Statement of Applicability?
9.1 | Monitoring, measurement, analysis | Are security controls monitored? Incidents tracked?

Annex A controls (high-priority for Swedwise):

Control | Focus | What to Check
A.5.1 | Policies | Information security policy exists and is communicated?
A.5.18 | Access rights | User access provisioning, review, removal process working?
A.5.23 | Cloud services | SaaS infrastructure security verified? Supplier agreements in place?
A.8.9 | Configuration management | Systems configured securely? Baseline configurations documented?
A.8.10 | Information deletion | Data deletion process for customer data, backups, archives?
A.8.16 | Monitoring | Logging and monitoring implemented? Logs reviewed?

Example audit questions (ISO 27001):

  • "How do you ensure only authorized personnel have access to customer data?"
  • "Can you show me evidence of the last access review?"
  • "What happens when an employee leaves - how is access removed?"
  • "How do you monitor for security incidents?"
  • "Where is customer data stored, and how is it protected?"

Key evidence:

  • Information security policies
  • Risk register (information security risks)
  • Statement of Applicability (SoA)
  • Access logs, access review records
  • Incident logs
  • Security monitoring dashboards
  • Backup and recovery logs

Swedwise-specific context:

  • Consultants work at client sites (bring-your-own-device, remote access risks)
  • SaaS operations (OpenText Communications infrastructure, customer data)
  • Customer data handling (confidentiality, GDPR)

Cross-Referencing Requirements

Some requirements apply across multiple standards:

Requirement | ISO 9001 | ISO 14001 | ISO 27001 | What to Check
Documented information | 7.5 | 7.5 | 7.5 | Document control procedure applies to all three
Competence & training | 7.2 | 7.2 | 6.2, A.6.3 | Training records cover quality, environmental, and security topics
Risk management | 6.1 | 6.1 | 6.1 | Integrated risk register covers all risk types
Internal audit | 9.2 | 9.2 | 9.2 | One audit program covers all three standards
Management review | 9.3 | 9.3 | 9.3 | Single management review covers all three systems
Nonconformity & corrective action | 10.2 | 10.2 | 10.2 | Unified corrective action process

Audit efficiency tip: When auditing document control, competence, or internal audits, verify conformity with all three standards simultaneously.


Practical Exercise: IMS Audit Checklist

Scenario: You're assigned to audit "Risk Management" (covers all three standards).

Relevant requirements:

  • ISO 9001:2015 Clause 6.1 (Actions to address risks and opportunities)
  • ISO 14001:2015 Clause 6.1 (Actions to address risks and opportunities)
  • ISO 27001:2022 Clause 6.1.2 (Information security risk assessment)
  • SW-IMS-PRO-002 (Risk Assessment Procedure)

Your task: Create an integrated audit checklist with at least 6 check points covering all three standards.

Sample Answer:

Requirement | Audit Question | Evidence Needed | ISO Standard
ISO 9001 6.1 | Are risks to quality objectives identified and assessed? | Risk register (quality risks) | ISO 9001
ISO 14001 6.1 | Are environmental risks and opportunities identified? | Risk register (environmental risks) | ISO 14001
ISO 27001 6.1.2 | Is information security risk assessment conducted? | Risk register (information security risks) | ISO 27001
SW-IMS-PRO-002 | Is risk assessment conducted at least annually? | Risk register review dates | All 3
SW-IMS-PRO-002 | Are risk treatment plans documented? | Risk treatment actions in register | All 3
ISO 27001 6.1.3 | Are information security risk treatment plans implemented? | Evidence of control implementation (SoA, control records) | ISO 27001
ISO 9001 6.1 | Are risks reviewed and updated when changes occur? | Risk register change history, management review records | All 3
SW-IMS-PRO-002 | Are risk owners assigned? | Risk register shows ownership | All 3

Practical Exercises

Exercise 1: Scenario Analysis - What's the Finding?

Scenario 1:
You're auditing password management (ISO 27001 A.5.17). The password policy requires passwords to be at least 12 characters with complexity (upper, lower, numbers, symbols). You check 5 user accounts:

  • 4 accounts: Passwords meet policy
  • 1 account: Password is 8 characters (does not meet policy)

Question: Is this a nonconformity? If yes, major or minor?

Answer:
Yes, Minor Nonconformity.

Reasoning: One isolated instance (20% non-compliance). The policy and control exist; this is an isolated deviation. Not systemic.

Nonconformity statement:

  • Requirement: ISO 27001 A.5.17 and SW-ISMS-POL-003 require passwords to be minimum 12 characters.
  • Evidence: Sampled 5 user accounts. Account "johan.svensson" has 8-character password (verified in system settings, 2024-12-15).
  • Impact: Weak passwords increase risk of unauthorized access.
  • Classification: Minor NC (isolated instance).

Scenario 2:
You're auditing environmental aspects (ISO 14001 6.1.2). The procedure requires an Environmental Aspects Register to be maintained and reviewed annually. You ask the Environmental Lead for the register.

Environmental Lead: "We don't have a register. We've just been discussing environmental impacts in management meetings."

Question: Is this a nonconformity? If yes, major or minor?

Answer:
Yes, Major Nonconformity.

Reasoning: Complete absence of a required document. ISO 14001 explicitly requires identification and evaluation of environmental aspects. No register = no evidence of conformity.

Nonconformity statement:

  • Requirement: ISO 14001:2015 Clause 6.1.2 requires the organization to identify environmental aspects and determine which are significant. SW-EMS-PRO-001 requires an Environmental Aspects Register to be maintained.
  • Evidence: No Environmental Aspects Register found. Interviewed Environmental Lead (Anna, 2024-12-15) who confirmed no register exists. Environmental aspects discussed informally in management meetings but not documented.
  • Impact: Without documented environmental aspects, significant impacts may not be adequately controlled or monitored. Non-compliance with ISO 14001 certification requirement.
  • Classification: Major NC (complete absence of required documented information).

Scenario 3:
You're auditing training records (ISO 9001 7.2). You check the training completion rate for "IMS Awareness Training" (required for all staff annually):

  • Total staff: 35
  • Completed training: 33
  • Not completed: 2 (both hired in the last month)

Question: Is this a nonconformity?

Answer:
No, this is conformity.

Reasoning: The 2 staff members who haven't completed training were hired in the last month. The procedure allows 30 days for new hire training. They are still within the allowable timeframe.

Audit note: "Training completion rate is 94% (33 of 35). Two staff members are new hires (hired within last 30 days) and are scheduled to complete training within the required 30-day period. Conformity confirmed."


Exercise 2: Role-Play - Closing Meeting

Scenario: You've completed an audit of the "Backup and Recovery" process. Your findings:

Positive Findings:

  • Backup procedure is well-documented and clear
  • Backups run automatically every night
  • Backup logs are reviewed weekly

Observations:

  • Backup restoration testing is done annually, but quarterly testing would provide better assurance
  • Backup storage is on-site; consider off-site or cloud backup for disaster recovery

Nonconformities:

  • Minor NC: One server (Stockholm file server) was not included in backup schedule (oversight during setup)

Your task: Write a brief closing meeting statement (3-4 sentences) summarizing the audit.

Sample Answer:

"Thank you for your cooperation during this audit. Overall, the backup and recovery process is well-managed. Backups are running as scheduled, logs are reviewed, and the procedure is clear. I identified one minor nonconformity - the Stockholm file server was not included in the backup schedule, which needs to be corrected. I also noted two observations: consider quarterly restoration testing instead of annual, and explore off-site backup options for disaster recovery. I'll send you the written report within 5 days. You'll have 4 weeks to submit a corrective action plan for the minor nonconformity. Any questions?"


Assessment (30 minutes)

Part 1: Knowledge Check (20 questions)

Instructions: Select the best answer for each question. Passing score: 85% (17 of 20 correct).


Question 1: Which of the following is NOT an audit principle according to ISO 19011?

a) Integrity
b) Independence
c) Efficiency
d) Evidence-based approach

Answer: c) Efficiency


Question 2: Internal auditors at Swedwise must NOT audit:

a) Processes they are not familiar with
b) Their own work or areas of direct responsibility
c) High-risk processes
d) Multiple ISO standards in one audit

Answer: b) Their own work or areas of direct responsibility


Question 3: A minor nonconformity is best described as:

a) A suggestion for improvement
b) An isolated deviation that doesn't compromise overall system effectiveness
c) A systemic failure of a requirement
d) A positive finding worth sharing

Answer: b) An isolated deviation that doesn't compromise overall system effectiveness


Question 4: Audit evidence should be:

a) Based on what people say
b) Collected from as many sources as possible regardless of relevance
c) Verifiable, relevant, sufficient, and current
d) Always documented with photos

Answer: c) Verifiable, relevant, sufficient, and current


Question 5: The opening meeting of an audit should include:

a) Presentation of all audit findings
b) Negotiation of corrective actions
c) Confirmation of audit scope, objectives, and logistics
d) Root cause analysis

Answer: c) Confirmation of audit scope, objectives, and logistics


Question 6: When interviewing during an audit, you should:

a) Ask leading questions to guide the auditee to the right answer
b) Use open-ended questions and listen actively
c) Interrupt if the auditee gives too much detail
d) Only interview managers, not operational staff

Answer: b) Use open-ended questions and listen actively


Question 7: Which of the following is a good nonconformity statement?

a) "The IT department is not following the security policy."
b) "I think the backup process might not be working properly."
c) "ISO 27001 A.8.13 requires backups to be tested regularly. Review of test records showed no evidence of testing in the past 12 months (requirement: annually). This increases the risk of backup failure during recovery."
d) "Someone should really fix the backup testing issue."

Answer: c) ISO 27001 A.8.13 requires backups to be tested regularly. Review of test records showed no evidence of testing in the past 12 months (requirement: annually). This increases the risk of backup failure during recovery.


Question 8: You discover during an audit that a critical security incident occurred yesterday and was not reported. What should you do?

a) Continue the audit as planned and document the finding in your report
b) Immediately inform the auditee and relevant manager, pause if needed
c) Ignore it since it's outside your audit scope
d) Wait until the closing meeting to mention it

Answer: b) Immediately inform the auditee and relevant manager, pause if needed


Question 9: Audit reports at Swedwise are classified as:

a) Public
b) Internal (confidential)
c) Restricted
d) Client-facing

Answer: b) Internal (confidential)


Question 10: The primary purpose of corrective action is to:

a) Punish the person who caused the nonconformity
b) Fix the specific instance of the problem
c) Eliminate the root cause and prevent recurrence
d) Satisfy the auditor

Answer: c) Eliminate the root cause and prevent recurrence


Question 11: How long should the auditee have to submit a corrective action plan for a minor nonconformity?

a) 1 week
b) 2 weeks
c) 4 weeks
d) 6 months

Answer: c) 4 weeks


Question 12: Which of the following is an example of a major nonconformity?

a) One employee's training record is missing a completion date
b) No evidence of any risk assessments conducted in the past 2 years (requirement: annually)
c) A procedure has a typo
d) Backup logs are stored in multiple locations

Answer: b) No evidence of any risk assessments conducted in the past 2 years (requirement: annually)


Question 13: ISO 9001 focuses primarily on:

a) Environmental impact
b) Information security
c) Customer satisfaction and quality
d) Financial performance

Answer: c) Customer satisfaction and quality


Question 14: ISO 14001 requires organizations to identify:

a) Customer requirements
b) Information assets
c) Environmental aspects
d) Financial risks

Answer: c) Environmental aspects


Question 15: ISO 27001 Annex A.5.18 addresses:

a) Physical security
b) Access rights management
c) Backup and recovery
d) Environmental monitoring

Answer: b) Access rights management


Question 16: An observation (OFI) in an audit report:

a) Requires immediate corrective action
b) Is a nonconformity that must be closed within 30 days
c) Is an improvement opportunity that does not require formal corrective action
d) Should be ignored

Answer: c) Is an improvement opportunity that does not require formal corrective action


Question 17: When sampling records during an audit, you should:

a) Only review the most recent records
b) Select records randomly to avoid bias
c) Always review 100% of records
d) Only review records that you suspect have issues

Answer: b) Select records randomly to avoid bias


Question 18: The closing meeting should:

a) Be confrontational to emphasize the seriousness of findings
b) Present findings clearly, balanced with positive observations, and focused on improvement
c) Only highlight nonconformities and skip conformities
d) Negotiate findings until the auditee agrees

Answer: b) Present findings clearly, balanced with positive observations, and focused on improvement


Question 19: At Swedwise, internal auditors are expected to conduct audits approximately:

a) Weekly
b) Monthly
c) 1-2 times per year
d) Every 3 years

Answer: c) 1-2 times per year


Question 20: The annual audit program should prioritize:

a) Easiest processes to audit
b) Areas with no previous findings
c) High-risk areas and critical processes
d) Areas where the auditor has personal interest

Answer: c) High-risk areas and critical processes


Part 2: Practical Exercise (Scenario-Based)

Scenario: You are assigned to audit the "Incident Management" process (ISO 27001 focus). The procedure (SW-IMS-PRO-006) requires:

  • All security incidents to be logged
  • Incidents classified by severity (Critical, High, Medium, Low)
  • Critical incidents reported to CISO within 1 hour
  • All incidents investigated and closed with root cause
  • Incident register reviewed monthly

You conduct the audit and find:

  • Incident register exists and is maintained
  • 12 incidents logged in the past 6 months
  • 10 incidents have documented investigation and root cause
  • 2 incidents (both Low severity) are still open after 4 months with no investigation
  • 1 Critical incident (data breach) was logged and reported to CISO within 30 minutes ✓
  • Monthly review of incident register is documented for 5 of the past 6 months (May 2024 review is missing - no record found)

Your task:

  1. Identify all findings (conformities, observations, nonconformities)
  2. Write a nonconformity statement for at least one finding (include requirement, evidence, impact, classification)
  3. Suggest corrective actions for the nonconformities

Sample Answer:

Findings:

Conformities:

  • Incident register exists and is actively maintained
  • Incident classification is applied consistently
  • Critical incident (data breach, June 2024) was reported to CISO within 30 minutes, meeting the 1-hour requirement
  • 10 of 12 incidents have documented investigation and root cause (83% compliance)

Nonconformity 1 - Minor NC:

NC-ID: NC-A2025-05-001

Classification: Minor Nonconformity

Requirement:
SW-IMS-PRO-006 Section 4.3 requires all security incidents to be investigated and closed with documented root cause.

Evidence:
Reviewed incident register for Jan-Jun 2024 (12 incidents total):

  • 10 incidents have documented investigation and root cause ✓
  • 2 incidents (INC-2024-03 and INC-2024-07, both Low severity) remain open after 4 months with no investigation documented

Interviewed Security Coordinator (Lars, 2024-12-15) who confirmed low-severity incidents were deprioritized due to workload.

Impact:
Without investigating all incidents, potential systemic issues or recurring problems may go undetected, even if initially classified as low severity.

Classification Rationale:
Minor NC (not Major) because:

  • 83% compliance (10 of 12 incidents investigated)
  • Affects only low-severity incidents
  • Not a complete absence of the process
  • Root cause: workload prioritization, not lack of awareness

Suggested Corrective Actions:

  1. Immediate: Investigate and close INC-2024-03 and INC-2024-07
  2. Root cause: Workload prioritization leads to low-severity incidents being indefinitely delayed
  3. Corrective action: Define maximum time limits for investigating incidents by severity (e.g., Critical: 24h, High: 3 days, Medium: 1 week, Low: 2 weeks). Update procedure and implement tracking.
  4. Verification: Check incident register in 3 months to ensure all incidents are investigated within defined timeframes.

Nonconformity 2 - Minor NC:

NC-ID: NC-A2025-05-002

Classification: Minor Nonconformity

Requirement:
SW-IMS-PRO-006 Section 5.1 requires monthly review of the incident register.

Evidence:
Reviewed incident register monthly review records for Jan-Jun 2024:

  • Jan, Feb, Mar, Apr, Jun: Reviews documented ✓
  • May 2024: No review record found

Interviewed Security Coordinator (Lars, 2024-12-15) who confirmed May review was missed (forgot during vacation period).

Impact:
Monthly reviews identify trends and systemic issues. Missing reviews may delay identification of recurring problems.

Classification Rationale:
Minor NC because:

  • 83% compliance (5 of 6 months reviewed)
  • Single missed instance
  • Not a systemic failure

Suggested Corrective Actions:

  1. Immediate: Conduct May 2024 review retroactively (document findings)
  2. Root cause: Manual reminder process failed during vacation period
  3. Corrective action: Implement automated monthly calendar reminder; assign backup reviewer for vacation coverage
  4. Verification: Verify next 3 months of reviews are completed on time

Observations: None identified in this scenario.
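Both corrective actions above end with "implement tracking" and "verify the next months of reviews". As an added example (not part of this training material and not Swedwise's own tooling), the Python script below shows what that tracking can look like when the incident register is checked rather than read: it ages every incident against the severity time limits suggested for NC 1, checks that Critical incidents reached the CISO within the one-hour limit quoted in the scenario, and lists months in the review period with no register review record (NC 2). The register is constructed inline to match the scenario's numbers (12 incidents in Jan-Jun 2024, 10 with a documented root cause, INC-2024-03 and INC-2024-07 still open, one Critical incident reported within 30 minutes, five of six monthly reviews recorded). All other incident IDs, timestamps, the audit reference date and the record layout are assumptions made for illustration.

```python
"""Constructed incident-register checks for the SW-IMS-PRO-006 audit scenario (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Maximum investigation time per severity, as suggested in the corrective action for NC 1.
INVESTIGATION_LIMIT_DAYS = {"Critical": 1, "High": 3, "Medium": 7, "Low": 14}
# Critical incidents must reach the CISO within one hour (SW-IMS-PRO-006 as quoted in the scenario).
CISO_NOTIFICATION_LIMIT = timedelta(hours=1)


@dataclass(frozen=True)
class Incident:
    incident_id: str
    severity: str                          # Critical / High / Medium / Low
    opened: datetime
    closed: datetime | None                # None means the incident is still open
    root_cause_documented: bool
    ciso_notified: datetime | None = None  # only meaningful for Critical incidents


def _dt(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed register for Jan-Jun 2024. Only INC-2024-03, INC-2024-07 and the Critical
# incident's 30-minute notification come from the scenario; every other value is invented.
INCIDENTS = [
    Incident("INC-2024-01", "Medium",   _dt("2024-01-09 10:15"), _dt("2024-01-12 16:00"), True),
    Incident("INC-2024-02", "Low",      _dt("2024-01-23 08:40"), _dt("2024-02-02 11:30"), True),
    Incident("INC-2024-03", "Low",      _dt("2024-03-05 13:20"), None, False),
    Incident("INC-2024-04", "High",     _dt("2024-03-11 09:05"), _dt("2024-03-13 17:45"), True),
    Incident("INC-2024-05", "Medium",   _dt("2024-03-14 15:30"), _dt("2024-03-20 10:00"), True),
    Incident("INC-2024-06", "Low",      _dt("2024-03-15 11:00"), _dt("2024-03-27 09:30"), True),
    Incident("INC-2024-07", "Low",      _dt("2024-03-18 14:10"), None, False),
    Incident("INC-2024-08", "Medium",   _dt("2024-04-02 08:55"), _dt("2024-04-08 12:00"), True),
    Incident("INC-2024-09", "High",     _dt("2024-04-22 16:40"), _dt("2024-04-24 14:20"), True),
    Incident("INC-2024-10", "Critical", _dt("2024-06-10 09:00"), _dt("2024-06-11 08:30"), True,
             ciso_notified=_dt("2024-06-10 09:30")),
    Incident("INC-2024-11", "Low",      _dt("2024-06-14 10:30"), _dt("2024-06-26 15:00"), True),
    Incident("INC-2024-12", "Medium",   _dt("2024-06-25 13:45"), _dt("2024-06-28 17:00"), True),
]

# Dates on which a monthly register review was recorded (constructed; May 2024 has no record).
REVIEW_RECORDS = [_dt("2024-01-31 14:00"), _dt("2024-02-29 14:00"), _dt("2024-03-29 14:00"),
                  _dt("2024-04-30 14:00"), _dt("2024-06-28 14:00")]
REVIEW_PERIOD = (_dt("2024-01-01 00:00"), _dt("2024-06-30 23:59"))

# Assumed reference date for the audit; open incidents are aged against it.
AUDIT_DATE = _dt("2024-07-15 09:00")


def root_cause_coverage(incidents: list[Incident]) -> tuple[int, int]:
    """(incidents with a documented root cause, total) for the 'closed with root cause' requirement."""
    return sum(i.root_cause_documented for i in incidents), len(incidents)


def investigation_overruns(incidents, as_of, limits=INVESTIGATION_LIMIT_DAYS):
    """Incidents whose investigation took, or has so far taken, longer than the severity limit.

    Returns (incident_id, whole days elapsed, still_open) tuples. Open incidents are aged to
    `as_of`, so the check catches the scenario's two forgotten Low incidents as well as any
    closed incident that overran its limit.
    """
    overruns = []
    for inc in incidents:
        elapsed_days = ((inc.closed or as_of) - inc.opened).days
        if elapsed_days > limits[inc.severity]:
            overruns.append((inc.incident_id, elapsed_days, inc.closed is None))
    return overruns


def late_critical_reports(incidents, limit=CISO_NOTIFICATION_LIMIT):
    """Critical incidents with no CISO notification, or one recorded later than the limit."""
    return [i.incident_id for i in incidents
            if i.severity == "Critical"
            and (i.ciso_notified is None or i.ciso_notified - i.opened > limit)]


def missing_monthly_reviews(review_dates, period):
    """(year, month) pairs inside `period` (inclusive) with no review record at all."""
    start, end = period
    reviewed = {(d.year, d.month) for d in review_dates}
    missing, year, month = [], start.year, start.month
    while (year, month) <= (end.year, end.month):
        if (year, month) not in reviewed:
            missing.append((year, month))
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return missing


if __name__ == "__main__":
    documented, total = root_cause_coverage(INCIDENTS)
    print(f"Root cause documented: {documented} of {total}")
    for incident_id, days, still_open in investigation_overruns(INCIDENTS, AUDIT_DATE):
        state = "still open" if still_open else "closed late"
        print(f"Investigation limit exceeded: {incident_id} ({days} days, {state})")
    print("Late Critical reports to CISO:", late_critical_reports(INCIDENTS) or "none")
    print("Months without register review:", missing_monthly_reviews(REVIEW_RECORDS, REVIEW_PERIOD))
```

Run against the constructed register, the script reproduces the audit's evidence: 10 of 12 incidents with a root cause, INC-2024-03 and INC-2024-07 open well past the 14-day Low limit, no late Critical reports, and May 2024 as the only month without a review. Pointing the same functions at a real export each month is the "implement tracking" step; the follow-up verification is simply that all four checks come back empty or complete for three consecutive months.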


Check Your Understanding - Answers

Module 1 Quick Check Answers:

  • Question 1: b) Note it as objective evidence and determine if it violates a requirement
  • Question 2: b) Ask for evidence

Module 2 Exercise Answer:

See detailed answer in Module 2 section (audit checklist creation).

Module 3 Role-Play Answer:

See sample questions in Module 3 section.

Module 4 Writing Exercise Answer:

See detailed nonconformity statement in Module 4 section.

Module 6 Exercise Answer:

See integrated audit checklist in Module 6 section.


Need Help?

During Your Audit Preparation

Contact: IMS Owner
For: Audit assignment questions, access to documents, scheduling support

During the Audit

Contact: Lead Internal Auditor (if designated) or IMS Owner
For: Methodology questions, finding classification, handling challenges

After the Audit

Contact: IMS Owner
For: Report review, corrective action verification, follow-up scheduling

Technical Questions

ISO 9001 (Quality): Quality Lead
ISO 14001 (Environmental): Environmental Lead
ISO 27001 (Information Security): CISO


Additional Resources

Internal Resources:

External Resources:

  • ISO 19011:2018 - Guidelines for auditing management systems (available from ISO or library)
  • Lead Auditor training courses (for those who want advanced training)

Refresher Training:

  • Annual half-day refresher session (mandatory)
  • Quarterly auditor pool meetings (knowledge sharing, calibration)

Congratulations!

You've completed the Internal Auditor Training. You now have the knowledge and skills to:

  • Plan and conduct effective internal audits
  • Gather objective evidence
  • Write clear, fact-based findings
  • Support the continual improvement of Swedwise's IMS

Remember: Auditing is about improving the system, not catching people. Be professional, be objective, be thorough - and most importantly, be curious.

Next Steps:

  1. Complete the assessment (below)
  2. Score 85% or higher to qualify
  3. Shadow an experienced auditor on your first audit
  4. Conduct your first audit under supervision
  5. Join the internal auditor pool!

Welcome to the team!


Document Control

Version | Date | Author | Changes
1.0 | [TBD] | IMS Owner | Initial release

Approval

Role | Name | Signature | Date
IMS Owner | | |
Quality Lead | | |