Internal Audit Program

VDA ISA 10.1.1 requires you to run a formal internal audit program that regularly checks whether your information security controls and ISMS processes are effective, implemented as designed, and followed in practice (VDA ISA Catalog v6.0). To operationalize it, define an audit plan and scope, perform independent audits, document evidence, track findings, and drive corrective actions to closure.

Key takeaways:

  • Your internal audit program must test both control effectiveness and ISMS process compliance, not just policy presence (VDA ISA Catalog v6.0).
  • Audits need a repeatable method: plan, execute, record evidence, issue findings, and track corrective action plans to closure (VDA ISA Catalog v6.0).
  • Auditors must be competent and sufficiently independent from the area being audited to avoid “self-audit” outcomes.

An “internal audit program” under TISAX expectations is a management system discipline, not a one-time control check. VDA ISA 10.1.1 asks you to regularly assess whether your information security controls work and whether your ISMS processes run the way you claim they do (VDA ISA Catalog v6.0). Assessors commonly look for two things: (1) a planned, systematic audit approach, and (2) proof that audit results lead to corrective actions that actually get implemented.

If you’re a CCO, GRC lead, or compliance owner, your fastest path is to treat internal audit as a closed-loop workflow: schedule audits across the ISMS, test design and operating effectiveness, capture objective evidence, issue findings with owners and due dates, and track remediation to verification. “We have policies” is not an audit program. A real program produces workpapers, findings, corrective action plans, and retest results.

This page gives requirement-level implementation guidance you can hand to an operator: who must comply, what to build, how to run it, what evidence to keep, and where teams usually fail in audits.

Regulatory text

Requirement (excerpt): “Establish an internal audit program to regularly assess the effectiveness of information security controls and ISMS processes.” (VDA ISA Catalog v6.0)

What the operator must do

You need a formal internal audit program that:

  • Covers the ISMS and information security controls, including whether controls are implemented and effective in practice, and whether ISMS processes are followed (VDA ISA Catalog v6.0).
  • Runs regularly (the framework does not prescribe a fixed frequency; your program must define and justify cadence based on risk and scope).
  • Produces findings that are tracked and remediated using corrective action plans, with accountability and closure (VDA ISA Catalog v6.0).

Plain-English interpretation

An internal audit program is your internal proof mechanism. You are committing to:

  1. Plan audits across your ISMS and control environment (not ad hoc spot checks).
  2. Check reality vs. documentation: do teams follow the process, and do controls work?
  3. Write down what you tested and what you found with objective evidence.
  4. Fix what’s broken through corrective actions, then confirm the fix.

If your audit outputs do not create remediation work (or if remediation is not tracked to closure), you will struggle to show “effectiveness” as required by VDA ISA 10.1.1 (VDA ISA Catalog v6.0).

Who it applies to

Entity types: Automotive suppliers and OEMs seeking to meet TISAX assessment expectations under the VDA ISA catalog (VDA ISA Catalog v6.0).

Operational context where it matters most:

  • Organizations with an established ISMS (even if still maturing) where you need repeatable assurance across sites, business units, engineering, manufacturing IT/OT touchpoints, and shared services.
  • Environments with material third-party dependencies (cloud, MSPs, SaaS, logistics, engineering partners). Internal audit should verify how your ISMS governs third-party controls and oversight in practice, because assessor questions often follow the chain of responsibility.

What you actually need to do (step-by-step)

1) Define the audit program charter and ownership

Create a short charter that answers:

  • Purpose: assess effectiveness of information security controls and ISMS processes (VDA ISA Catalog v6.0).
  • Authority: auditors can access people, systems, and evidence.
  • Independence: auditors cannot audit their own work; define how you avoid self-review.
  • Reporting line: who receives results (security leadership, risk committee, management).

Practical tip: if you don’t have a dedicated internal audit function, assign audits to a GRC role plus trained reviewers from adjacent teams, and document how independence is maintained (for example, cross-audits between departments).

2) Build an audit universe and scope map

List what can be audited (your “audit universe”), then map it to your ISMS:

  • ISMS processes (risk assessment, incident handling, access governance, change management, asset management, supplier/third-party oversight).
  • Control domains (technical, administrative, physical).
  • Sites and environments (corp IT, engineering networks, OT segments, cloud subscriptions).

Output artifact: Audit universe register with scope boundaries and rationale.

3) Create a risk-based audit plan

Document:

  • Which audits you will run (topics, sites, processes).
  • Rationale (risk, criticality, changes, incident history, customer requirements).
  • Estimated effort and who will audit.

Even though VDA ISA 10.1.1 does not dictate a specific schedule, you must show your plan results in audits that are “regular” and meaningful (VDA ISA Catalog v6.0). “Regular” should be defendable: tie cadence to risk and operational change.

Output artifact: Internal audit plan approved by management.

4) Standardize your audit method (so results are consistent)

Define a lightweight methodology and templates:

  • Audit notification and kickoff checklist.
  • Control/process test steps (interviews, observation, configuration review, sampling approach).
  • Evidence rules (what counts as objective evidence; how to store it).
  • Finding severity criteria (keep it simple and consistent).
  • Report format and distribution.

Output artifacts: Audit procedure, workpaper template, finding template, severity rubric.

5) Execute audits and collect objective evidence

For each audit:

  • Confirm scope and control objectives.
  • Perform fieldwork:
    • Interview process owners.
    • Walk through the process end-to-end.
    • Validate operating evidence (tickets, logs, access reviews, change records, incident records, training completion, exceptions).
  • Record what you tested, what you saw, and how it supports your conclusion.

Examples of control-effectiveness tests (adapt to your environment):

  • Access control: trace a joiner/mover/leaver event from HR trigger to account changes; confirm approvals and timely removal.
  • Change management: sample a production change; confirm approvals, testing evidence, rollback plan, and emergency change governance.
  • Incident process: review an incident record; confirm classification, containment, lessons learned, and follow-up tasks.

6) Report findings with owners, deadlines, and required actions

Each finding should include:

  • Condition (what you observed).
  • Criteria (what policy/standard/process expected; reference your ISMS documentation).
  • Cause (why it happened).
  • Risk (what could happen).
  • Corrective action recommendation.
  • Owner and target completion date.

Avoid “drive-by findings” with no owner or no action. VDA ISA 10.1.1 expects findings to be tracked and remediated through corrective action plans (VDA ISA Catalog v6.0).

Output artifacts: Audit report, finding log.

7) Run corrective action plans (CAPAs) to closure, then retest

Operationalize CAPA like a control:

  • Log each corrective action with owner, milestones, and evidence required for closure.
  • Require updates and escalations for overdue actions.
  • Close only after validation (retest or verify new evidence).

Output artifacts: CAPA tracker, retest notes, closure approvals.

8) Management review and program improvement

Periodically summarize:

  • Audits performed vs. plan.
  • Themes and repeat findings.
  • Systemic issues and resourcing constraints.
  • Program improvements to audit scope/method.

This is where internal audit becomes an ISMS feedback loop, supporting “effectiveness” rather than checkbox compliance (VDA ISA Catalog v6.0).
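The finding structure in step 6, the CAPA closure gate in step 7 and the management summary in step 8 are easy to state and easy to get wrong in a spreadsheet. The following is an added example, written for this page and not code from the original page or from any GRC product, of a small findings register that enforces those rules: a finding cannot be created without condition, criteria, cause, risk, action and owner; it cannot be closed until remediation evidence has been submitted and a verifier other than the owner attaches retest evidence; and the summary reports status counts, overdue items and criteria cited by more than one finding. The class and function names, the criteria identifiers (ACC-PROC-02), the ticket and file references, the role names and the dates are all constructed for the example.

```python
# Findings register with a CAPA closure gate. Hypothetical example code, not the page's or any
# GRC product's; all finding data is constructed. Enforces the step-6 fields on every finding,
# closure only after independent verification with evidence (step 7), and a step-8 summary.
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Status(Enum):
    OPEN = "open"
    PENDING_VERIFICATION = "pending_verification"
    CLOSED = "closed"


@dataclass
class Finding:
    finding_id: str
    condition: str          # what the auditor observed
    criteria: str           # ISMS document / control the observation deviates from
    cause: str
    risk: str
    corrective_action: str
    owner: str
    due: date
    status: Status = Status.OPEN
    remediation_evidence: List[str] = field(default_factory=list)
    verification: Optional[Dict[str, str]] = None   # {"by": verifier, "evidence": ref}

    def __post_init__(self) -> None:
        # Reject "drive-by findings": narrative fields and the owner are mandatory.
        for name in ("condition", "criteria", "cause", "risk", "corrective_action", "owner"):
            if not getattr(self, name).strip():
                raise ValueError(f"{self.finding_id}: '{name}' is required")


class CapaTracker:
    def __init__(self, findings: List[Finding]) -> None:
        self.findings: Dict[str, Finding] = {f.finding_id: f for f in findings}

    def submit_for_verification(self, fid: str, evidence_ref: str) -> None:
        # Owner attaches remediation evidence; the item now waits for retest.
        f = self.findings[fid]
        if f.status is Status.CLOSED or not evidence_ref.strip():
            raise ValueError(f"{fid}: already closed or evidence reference missing")
        f.remediation_evidence.append(evidence_ref)
        f.status = Status.PENDING_VERIFICATION

    def close(self, fid: str, verifier: str, verification_evidence: str) -> None:
        # Closure gate: retest evidence required, and owners cannot verify their own fix.
        f = self.findings[fid]
        if f.status is not Status.PENDING_VERIFICATION:
            raise ValueError(f"{fid}: no remediation evidence submitted, cannot close")
        if verifier == f.owner:
            raise ValueError(f"{fid}: owner may not verify their own corrective action")
        if not verification_evidence.strip():
            raise ValueError(f"{fid}: verification evidence required for closure")
        f.verification = {"by": verifier, "evidence": verification_evidence}
        f.status = Status.CLOSED

    def management_summary(self, today: date) -> dict:
        # Status counts, overdue items to escalate, and criteria cited by more than one
        # finding (the repeat findings / systemic issues a management review looks for).
        counts = {s.value: 0 for s in Status}
        by_criteria: Dict[str, int] = {}
        for f in self.findings.values():
            counts[f.status.value] += 1
            by_criteria[f.criteria] = by_criteria.get(f.criteria, 0) + 1
        overdue = sorted(i for i, f in self.findings.items()
                         if f.status is not Status.CLOSED and today > f.due)
        return {"status_counts": counts, "overdue": overdue,
                "repeat_criteria": sorted(c for c, n in by_criteria.items() if n > 1)}


def build_sample_tracker() -> CapaTracker:
    # Constructed findings from a hypothetical access-control audit (a step-5 leaver trace).
    leaver = "ACC-PROC-02 leaver deprovisioning within 5 working days"
    return CapaTracker([
        Finding("F-001", "Leaver account active 21 days after exit date", leaver,
                "HR ticket not routed to IAM queue", "Ex-employee retains access",
                "Automate HR-to-IAM leaver trigger", "iam.lead", date(2024, 3, 1)),
        Finding("F-002", "Two contractor accounts never reviewed", leaver,
                "Contractors absent from HR feed", "Stale privileged access",
                "Add contractor roster to access review scope", "iam.lead", date(2024, 3, 1)),
    ])


def run_sample_cycle() -> dict:
    # Walk F-001 through the loop and record which closure-gate violations were blocked.
    t = build_sample_tracker()
    blocked = []
    try:
        t.close("F-001", "grc.auditor", "retest.pdf")      # nothing submitted yet
    except ValueError:
        blocked.append("close_without_remediation_evidence")
    t.submit_for_verification("F-001", "IAM-TICKET-4471")
    try:
        t.close("F-001", "iam.lead", "retest.pdf")         # owner verifying own fix
    except ValueError:
        blocked.append("self_verification")
    t.close("F-001", "grc.auditor", "retest-2024-03-10.pdf")
    return {"blocked": blocked, "summary": t.management_summary(date(2024, 3, 15))}
```

Running `run_sample_cycle()` shows both premature closure attempts rejected, F-001 closed with the verifier and retest reference recorded, F-002 reported as overdue for escalation, and the shared leaver-deprovisioning criterion surfaced as a repeat finding. The same gate logic (evidence before verification, verifier distinct from owner) is what an assessor is probing with "what happens to findings?", so if your tracker is a spreadsheet, these are the columns and validation rules to add.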

Required evidence and artifacts to retain

Keep these in a controlled repository with access controls and retention rules:

Program-level

  • Internal audit program charter and independence statement
  • Audit universe and scope map
  • Risk-based audit plan and approval records
  • Audit methodology/procedure and templates
  • Auditor competency records (training, experience, qualifications)

Engagement-level

  • Audit agenda, scope confirmation, and stakeholder list
  • Workpapers: test steps performed, evidence reviewed, interview notes
  • Evidence files or links (tickets, screenshots, configuration exports, logs) with integrity preserved
  • Audit report and distribution list
  • Findings log entries

Remediation

  • CAPA plans with owners, dates, and milestones
  • Evidence of remediation
  • Retest/verification results
  • Closure sign-off and escalation records for delays

Common exam/audit questions and hangups

Expect assessors and internal stakeholders to press on:

  1. “Show me your audit plan and what you actually completed.”
    Hangup: a plan exists, but execution is informal or undocumented.

  2. “How do you ensure auditor independence?”
    Hangup: the same person who runs the process audits it.

  3. “Prove effectiveness, not existence.”
    Hangup: policies are current, but operating evidence is missing or inconsistent.

  4. “What happens to findings?”
    Hangup: findings are tracked, but corrective actions have no verification step.

  5. “How do you decide what to audit?”
    Hangup: no risk rationale; audits follow convenience, not exposure.

Frequent implementation mistakes (and how to avoid them)

Mistake: Treating internal audit as a document review

Avoid it: require operating evidence in every audit. If you can’t test operation, narrow scope and plan a follow-up audit once telemetry exists.

Mistake: No consistent workpapers

Avoid it: standardize a workpaper template. If it’s not written down, it didn’t happen from an assessor’s point of view.

Mistake: Findings without CAPA discipline

Avoid it: define closure criteria up front. Close only after verification and evidence is attached.

Mistake: Auditing only IT and ignoring engineering/operations realities

Avoid it: include audits that touch product engineering environments, manufacturing IT/OT boundaries, and third-party-delivered services where your ISMS depends on them.

Mistake: “Independence by title”

Avoid it: document concrete independence controls (cross-audit rotations, second reviewer sign-off, management oversight) rather than relying on job labels.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite specific enforcement outcomes. Practically, weak internal audit programs increase the chance that control failures persist undetected, and they reduce your ability to demonstrate that the ISMS is effective under VDA ISA 10.1.1 (VDA ISA Catalog v6.0). That shows up as repeat findings, stalled remediation, and credibility gaps during assessments and customer due diligence.

Practical 30/60/90-day execution plan

The framework does not prescribe timeframes; the goal here is an operator-friendly rollout sequence you can adapt.

First 30 days (stand up the program backbone)

  • Name the audit program owner and define independence rules.
  • Draft and approve the audit charter.
  • Build the audit universe and initial scope map.
  • Publish standard templates (workpapers, finding write-ups, CAPA tracker).
  • Select initial audits based on obvious risk (critical systems, recent changes, recurring incidents, key third parties).

By 60 days (run audits and prove the loop works)

  • Execute initial audits using the standard method.
  • Issue audit reports with clear findings, owners, and corrective actions.
  • Start CAPA tracking with weekly status updates.
  • Perform at least one remediation verification (retest) to prove closure discipline.

By 90 days (normalize and scale)

  • Expand scope to remaining ISMS processes and additional sites.
  • Add management reporting (themes, systemic issues, overdue actions).
  • Improve audit test procedures based on lessons learned.
  • If you use a GRC platform, centralize evidence linking and CAPA workflows to reduce manual follow-up.

Where Daydream fits naturally: teams often struggle with evidence sprawl (tickets, screenshots, shared drives) and CAPA follow-through. Daydream can centralize audit workpapers, evidence requests, finding tracking, and corrective actions so your internal audit program produces consistent artifacts without rebuilding the workflow each cycle.

Frequently Asked Questions

Do we need a separate internal audit team to meet VDA ISA 10.1.1?

No specific org structure is required in the provided text, but you must show independence and competence. If you don’t have internal audit, use cross-functional auditors and document how you prevent self-audits.

How often is “regularly” for internal audits?

VDA ISA 10.1.1 requires audits to be regular but does not provide a fixed frequency in the excerpt (VDA ISA Catalog v6.0). Define cadence based on risk, change, and scope, then show you execute to the plan.

What’s the minimum evidence an assessor will expect?

An audit plan, completed audit workpapers with objective evidence, issued reports, a findings register, and corrective action plans with closure proof (VDA ISA Catalog v6.0). If any one of those is missing, “program” credibility drops fast.

Can internal audit be combined with other assurance activities like control testing or compliance reviews?

Yes, if the method is systematic and produces auditable artifacts. Make sure combined activities still result in formal findings and CAPAs when gaps exist (VDA ISA Catalog v6.0).

How do we show “effectiveness” rather than policy compliance?

Test operating evidence: tickets, logs, access review outputs, change records, and incident follow-ups. Write conclusions tied to what you tested, not what documents claim.

What if remediation takes longer than planned?

Track it, document the rationale, and escalate. Auditors and assessors care less about perfection than whether you control the process: ownership, progress evidence, risk acceptance where justified, and eventual verification.

Footnotes

  1. VDA ISA Catalog v6.0

Operationalize this requirement

Map requirement text to controls, owners, evidence, and review workflows inside Daydream.

TISAX Internal Audit Program: Implementation Guide | Daydream