Don't guess your audit readiness. Validate it internally first.
Your team says you are ready, but auditors may see it differently. Validate your readiness first to avoid a costly failed audit and enter certification with confidence.
You'll Receive:
- Audit scope and plan
- Documentation gap analysis
- Control effectiveness assessment
- Findings prioritization
- Audit report and corrective action plan
The Internal Audit Process
From scope definition to certification readiness in 5 structured steps
Scope Definition
We define the perimeter of the audit and the criteria (the standard or regulation). This includes identifying the audit scope (geographical, operational, system boundaries), determining applicable standards or regulations (ISO, SOC 2, NIS2, DORA, etc.), and establishing audit objectives aligned with your certification goals.
- Audit scope and plan
Documentation Review
We analyze your documentation against the criteria and best practices. This comprehensive review examines policies, procedures, records, and evidence to assess completeness, accuracy, and alignment with the selected standard or regulation. We identify missing documents, outdated content, and gaps in documentation coverage.
- Documentation gap analysis
Control and Process Assessment
We assess the existing measures for efficiency and effectiveness. This includes testing control design, verifying implementation, and validating operating effectiveness. We conduct interviews, observe processes, examine evidence, and test technical controls to ensure they meet the standard's requirements.
- Control effectiveness assessment
Situation Appraisal
We rate gaps or nonconformities based on the existing context and objectives. Each finding is classified by severity (Critical, Major, Minor) with root cause analysis, risk scoring, and impact assessment. This contextual evaluation ensures findings are prioritized appropriately for remediation.
- Findings prioritization
Reporting
We provide a comprehensive report with recommendations. The audit report includes an executive summary, detailed findings with evidence, severity classification, root cause analysis, and a prioritized corrective action plan. This actionable report prepares you for certification with clear next steps.
- Audit report and corrective action plan
Meet Your Compliance Experts
Swiss-trained professionals with decades of combined experience in regulatory compliance, risk management, and strategic advisory

Henri HAENNI
Expert in Business Continuity, Risk Management and Information Security Governance
ISO 27001 Lead Implementer & Auditor • ISO 37301 Lead Implementer • ISO 31000 Lead Risk Manager • Sorbonne University Paris 1 Lecturer

Alexis HIRSCHHORN
Expert in Information and Cyber Security, Cloud Security, Risk Management and Governance
ISO 27001 Lead Auditor • CISSP® Certified • ISO 42001 Lead Implementer • PECB MS Certifying Auditor

Laura Menétrey
Data Protection & Information Security Legal Expert
LLM in Data Protection Law • Certified GDPR Practitioner • Information Security Laws (NIS2, DORA) • Privacy Law Specialist

Jean MUNYARUGERERO
Information Security & Business Continuity Trainer
ISO 27001 Lead Implementer • CISM® Exam Bootcamp • ISO 27005 Risk Manager • NIST Cybersecurity Professional
Frequently Asked Questions
Everything you need to know about this service
How does an internal audit differ from a gap analysis?
A gap analysis comes earlier: it compares your current state to the standard's requirements, identifies what is missing or incomplete, and is done before or during implementation to plan what to build. An internal audit comes later: it tests whether controls actually work as documented, validates that the evidence is sufficient for an external audit, and is done after implementation and before certification to confirm you are audit-ready. The sequence is gap analysis, then implementation, then internal audit, then external audit.
If we pass the internal audit, will we pass the external audit?
If you fix all critical findings, roughly 95% of clients pass. The internal audit simulates the external audit methodology, so if you pass it and address the findings, you should pass the external audit. The rare causes of external audit issues after a clean internal audit are:
- New issues that emerged between the two audits
- Remediation that was not fully effective
- An external auditor who interprets a requirement differently (unusual but possible)
- Evidence that deteriorates or goes missing
We close with an audit readiness verdict: 'ready', 'ready with minor fixes', or 'not ready'.
Can we run the internal audit while we are still implementing?
Not recommended. An internal audit validates a completed implementation. If you are still implementing, many controls are not yet operational, evidence collection is incomplete, the team is not prepared, and the findings are obvious (everything is a gap). Complete the implementation first, then validate it through an internal audit. The exception is a phased audit, in which completed sections are audited while others are still in progress.
Do we receive a written report?
Yes. The audit report includes an executive summary, detailed findings by control, the evidence behind each finding, severity classification, and remediation recommendations. Its format mirrors an external audit findings report, so your team sees what external audit findings would look like.
What if the internal audit finds critical issues shortly before the external audit?
We have an honest conversation about your options:
- Postpone the external audit until the issues are fixed (typically 6-8 weeks)
- Accept the risk and proceed (not recommended for critical issues)
- Temporarily reduce the certification scope, where applicable
The purpose of an internal audit is to find issues early, when you still have time to fix them, rather than during the external audit, when options are limited.
Can several frameworks be audited together?
Yes, and it is common and efficient: ISO 27001 + SOC 2 (significant overlap in security controls), ISO 27001 + ISO 27701 (privacy builds on security), ISO 27001 + ISO 22301 (business continuity overlaps with security). A combined audit is more efficient than separate audits because we test each overlapping control once, saving time and cost.
When should we schedule the internal audit?
Recommended timing:
- ISO 27001: 6-8 weeks before engaging the certification body
- SOC 2 Type I: 4-6 weeks before the audit
- SOC 2 Type II: at the end of the operating period (before the readiness review)
- ISO 22301: 6-8 weeks before certification
- Regulatory readiness: 2-3 months before the expected inspection
This leaves time for remediation without rushing.
Can you perform internal audits on a recurring basis?
Yes, under several models:
- Annual internal audit: one comprehensive audit per year, which satisfies the ISO 27001 clause 9.2 requirement for internal audits at planned intervals
- Quarterly internal audits: a different focus area each quarter, rotating through the controls
- Surveillance audit preparation: before each annual surveillance audit, post-certification
- Ad hoc audits: specific areas or frameworks as needed
Some organizations use us as their outsourced internal audit function for compliance frameworks.
What if we disagree with a finding?
We discuss and resolve it: we present the evidence and rationale for the finding, hear your perspective and additional context, revise the finding if we missed information, and document the disagreement if perspectives still differ. The purpose of an internal audit is improvement, not punishment, and open dialogue is encouraged. If we interpret a requirement differently, we document both perspectives and let you decide how to proceed; the external auditor is the ultimate arbiter during the certification audit.
Ready to Transform Your Compliance?
Let's discuss your specific needs
Response within 2 hours • Free 30-min consultation • No commitment required