Internal Audit Procedure (SEC-PROC-002)

1. Purpose

To outline the process for planning, conducting, and reporting on annual internal audits of the Information Security Management System (ISMS).

2. Scope

This procedure applies to all internal audits of the ISMS, including all systems, processes, and controls that fall under its scope.

3. Overview

This procedure details the end-to-end process for the annual internal audit of the ISMS. It covers the creation of an audit plan, the execution of audit fieldwork, the documentation of findings, the generation of a formal report, and the tracking of corrective actions through to resolution.

4. Procedure

Step	Who	What
1	Head of Internal Audit	Develops and documents an annual internal audit plan, including scope, objectives, and resources.
2	Internal Auditor(s)	Conducts audit fieldwork by gathering and analyzing evidence to assess control effectiveness.
3	Internal Auditor(s)	Documents all findings, including non-conformities, observations, and opportunities for improvement.
4	Head of Internal Audit	Creates and distributes a formal audit report detailing the scope, findings, and recommendations.
5	Management/Process Owners	Develops and implements corrective action plans for identified findings.
6	Head of Internal Audit	Tracks the status of all corrective actions to completion in a tracking log.

5. Standards Compliance

Procedure Step(s)	Standard/Framework	Control Reference
1-6	HIPAA/HITECH	45 CFR § 164.308(a)(8)

6. Artifact(s)

A final internal audit report and a corrective action tracking log.

7. Definitions

ISMS: Information Security Management System.

8. Responsibilities

Role	Responsibility
Head of Internal Audit	Oversees the entire audit process, from planning to reporting and tracking.
Internal Auditor(s)	Executes the audit plan, documents findings, and assists in report creation.
Management/Process Owners	Responsible for implementing corrective actions to address audit findings.