An internal audit is an independent and objective evaluation, conducted by an organisation's own audit function (or an outsourced equivalent), of the effectiveness of its compliance controls, risk management processes and governance structures. Independence here is practical, not nominal: the people performing the audit must not review work they own or operate, which is why ISO 27001 requires auditors to be selected so as to ensure objectivity and impartiality. Internal auditors systematically test whether each control is implemented as designed, operating effectively over the review period (not merely at a point in time) and producing its intended outcome, and they document findings, observations and recommendations in a formal audit report.
Internal audits are a mandatory requirement under ISO 27001 (Clause 9.2), which calls for audits at planned intervals under a documented audit programme, and most other compliance frameworks require or expect them as part of the continuous improvement cycle. They provide early warning of control deficiencies before external auditors or regulators discover them, give management assurance that the compliance programme is functioning as intended, and create a documented trail of ongoing due diligence that strengthens the organisation's compliance posture over time. That value is only realised if findings are treated as nonconformities and tracked to closure through corrective action; an audit report whose recommendations are never actioned provides little assurance, and an external auditor will typically look for evidence of remediation as well as the report itself.