Internal Audit

Internal Audit and Readiness Assessment

Independent verification through evidence and criteria

Behaviour’s internal audit independently assesses whether processes, controls and evidence are implemented and operating as expected, based on defined criteria (standards, internal requirements, regulatory obligations or client expectations).

The focus is to produce a clear and verifiable picture: traceable findings, supported evidence and objective conclusions, reducing surprise and ambiguity in relation to external audits, clients and supervisory scrutiny.

Audit is not “opinion”. It is evidence, method and rigour, to strengthen confidence and support continuous improvement.

When does it make sense to use audit?

Audit makes sense when it is necessary to confirm maturity and compliance through evidence, especially before external audits, certifications, client assessments, contract renewals or critical governance moments.

Internal audit (first-party)

Independent assessment to support the improvement cycle, confirm the effectiveness of controls and the robustness of evidence, with clear and traceable findings.

Readiness assessment (preparedness assessment)

Preparation assessment before external audits or certification: identifies gaps, risks and insufficient evidence, reducing surprise and rework.

Thematic audits

Assessments focused on a critical topic (for example, evidence, third parties, continuity, incidents, critical controls) with defined scope, criteria and sampling.

Audit scope and criteria

Audit is always performed with defined scope and criteria. It may be based on standards and management system requirements, internal criteria, regulatory obligations or contractual requirements from clients and partners.

Management systems

  • Information Security (e.g. ISO/IEC 27001)
  • Business Continuity (e.g. ISO 22301)
  • Service Management (e.g. ISO/IEC 20000-1)
  • Quality (e.g. ISO 9001)
  • Compliance and anti-bribery (e.g. ISO 37301 / ISO 37001)

Regulation and external requirements

  • Client and partner requirements
  • Regulatory obligations and expectations
  • Supplier and supply chain audits
  • Security requirements and contractual evidence

Gap analysis and evidence

  • Gap analysis by requirement/criterion
  • Supported evidence (records, logs, reports, minutes)
  • Traceability between process, control and evidence
  • Verifiable conclusions and findings

How an internal audit is conducted

The audit follows a structured approach, with planning, execution, evidence and conclusion. No improvisation and no ambiguity.

1) Planning

  • Definition of scope, criteria and objectives
  • Audit plan and sampling
  • Preparation of interviews and evidence gathering

2) Execution

  • Interviews and evidence-based validation
  • Collection and verification of records and traceability
  • Confirmation of implementation and effectiveness (where applicable)

3) Findings and conclusion

  • Clear and supported findings
  • Classification and impact (where applicable)
  • Closing meeting and factual alignment

4) Report

  • Objective report with associated evidence
  • Nonconformities / observations / opportunities for improvement (where applicable)
  • Recommendations arising from findings

What we deliver

The central deliverable is a clear and verifiable report, supported by evidence and structured to support internal governance and continuous improvement.

Audit report

  • Supported and traceable findings
  • Conclusions by criterion/requirement (where applicable)
  • Executive summary for management

Evidence and traceability

  • Identification of analysed evidence
  • Traceability between process, control and record
  • Points of evidence weakness (where applicable)

Actions and improvement

  • Nonconformities / observations (where applicable)
  • Recommendations arising from findings
  • Support for a corrective action plan (where applicable)

Boundary with advisory

To choose the right service, the difference is straightforward:

Internal audit

  • Verify independently
  • Determine based on analysed evidence
  • Report traceable conclusions
  • Assess compliance/maturity against defined criteria

Advisory

  • Clarify options and criteria
  • Decide priorities and sequence
  • Structure an executable roadmap
  • Define minimum “sufficient” evidence for consistent execution

If the objective is to confirm maturity and evidence, internal audit / readiness assessment is the starting point. If the objective is to clarify options and priorities, advisory is more appropriate.

Frequently asked questions

Do you provide internal audit services?

Yes. We carry out internal audits (first-party) with a plan, sampling and findings supported by evidence, to support continuous improvement and preparation for external audits.

What is a readiness assessment?

It is a preparation assessment before an external audit/certification: it identifies evidence gaps, uncovered requirements and risks of failure, allowing action before “audit day”.

What evidence is normally analysed?

It depends on the criterion, but typically includes policies and procedures, records, logs, reports, minutes, evidence of execution, test results and traceability between process, control and evidence.

What do you deliver at the end?

An objective audit report with evidence-supported findings, conclusions and recommendations arising from the findings (where applicable).

How do you ensure independence?

We define scope and criteria, collect verifiable evidence and maintain a clear separation of roles. Conclusions are supported by evidence and traceability.

Next step

Choose the most direct path: if you are looking for an independent, evidence-based assessment for internal audits, readiness assessments or thematic audits, we are available to help.