Speed up your first internal audit
Welcome. The first thing an internal auditor does is map the current state: your systems, processes, people, and an agreed scope. This short, free course walks you through those first steps, so your internal audit starts faster, from a clear picture of your organization. It does not replace an audit; it does the groundwork an auditor does first.
In about 15 minutes, with no account needed, you will finish with your organization mapped and a scope statement you can hand to an auditor, the current-state foundation your internal audit and gap analysis build on.
Your data stays in your browser as you work. At the end you can download your report with all your data, or transfer it into BrickGRC, where it becomes the current state of your gap analysis.
Where your internal audit starts
This is your starting point. Over the next few steps we will explain each piece, one at a time. Then we will guide you through mapping your own organization.
The first thing an internal auditor does is map what you have: your tools, processes, people, and who is responsible for what. That current-state map is where the audit starts.
Why it matters: an auditor cannot assess, and you cannot improve, what is not written down. Doing this mapping yourself speeds up the internal audit; it is the groundwork the auditor does first, and exactly what each control is assessed against.
Meet Acme, our example
Acme runs a software platform, and its customers trust it with sensitive data. A large enterprise customer will not sign until Acme can prove that data is protected.
The standard for that proof is SOC 2, an independent report that shows you handle customer data safely. To earn it, Acme first has to understand its own organization, exactly the mapping you are about to do.
We follow Acme through every step, so each idea has a concrete example you can map onto your own organization.
Tools: your asset inventory
A list of the software and systems your company runs on, focused on the ones inside your scope. These are what store, process, or protect the information an audit looks at.
Example: to build, host, and support the Acme SaaS platform, the team uses AWS for hosting, GitHub for the code, Zendesk for support, and SharePoint for documents. Note what each one is for.
Why it matters: if an asset is not written down, you cannot protect it or prove to an auditor that you do. Auditors start here.
Processes: how work gets done
How work actually happens, and where each process is written down.
Example: to run the Acme SaaS platform, the team deploys releases, documented in the runbook, and answers support tickets, documented in Zendesk. Their access review is not written down yet, which is a gap.
Why it matters: undocumented processes are the most common audit gap. If it is not written, it does not count.
People and responsibilities
The people involved, and who is responsible for what. A simple responsibility map.
Example: on the Acme SaaS platform, Ana is responsible for the AWS infrastructure, Carla for customer support, and Eva, the founder, is accountable for security overall.
Why it matters: auditors ask who is responsible for each process. A process with no one responsible is a gap.
Scope: what your audit covers
The boundary of your certification: which parts of your organization are covered, and just as important, which are not. A good scope names the product or service, the teams behind it, and the locations, so an auditor knows exactly what they are assessing.
Example: for Acme, the scope is developing the platform, the hosting where customer data lives, and the support team that accesses it to help customers. Marketing and HR never touch customer data, so they stay out of scope.
The rule of thumb: the scope follows the data. The parts that store, process, or protect customer data are in; the parts that never touch it stay out. An auditor agrees this boundary first, before reviewing a single process. Too broad and it is impossible to finish, too narrow and it is not credible.
Frameworks: pick one, often get two
The standards you assess against, such as ISO 27001, SOC 2, GDPR. Many of them ask for the same things.
Example: Acme is aiming for SOC 2, and ISO 27001 asks for many of the same things. So if selling in Europe matters to them, they can pursue ISO 27001 as well and reuse most of the work. It is a choice, not a requirement.
Why it matters: choose the one you need, and you may already be most of the way to a second. Do the work once, cover two.
Choose your frameworks
Tick the frameworks you want to assess. BrickGRC supports each of these. Not sure which apply to you? Answer the questions below and we will tick the ones that fit.
Not sure? Answer these and we will tick the ones that fit
Do you collect or process personal data of EU residents?
Do you need an enterprise security certification to close deals or meet customer requirements?
Do you build or deploy automated decision-making or machine learning systems?
Do you process card payments or store cardholder data?
Do you operate critical infrastructure or provide essential services (energy, water, transport, health, finance, digital)?
Do you want a structured security baseline even if no specific regulation applies yet?
Tools and systems
Now your turn. List the software and systems inside your scope: cloud platforms, SaaS tools, document storage, and on-premise systems.
| Name | Category | Purpose |
|---|
Processes and procedures
Now your turn. List the key processes that run your in-scope service, and note where each is documented, or that it is not written down yet.
| Name | Documented in |
|---|
People
Now your turn. Add the people involved in your in-scope work, then say who is responsible for each system and process.
| Name | Department | Title |
|---|
Who is responsible for what?
For each system and process you listed, choose the person responsible. Add the people above first.
Set your scope
Now your turn. In the In scope box, list the product or service and anything else your certification covers. Add your locations, and note what is out. The greyed text is an example you can replace.
Final report
You reached the end of the course. You can download your final report and share it with your auditor, or continue into BrickGRC, where everything you mapped becomes the current state of your gap analysis. All the data you entered here will be transferred into the software automatically.
What you mapped
Gaps to close before your audit
Check your email
We sent an activation link to your email. Click it to activate your account, then you will land in BrickGRC with your workspace and engagements set up automatically.
Get your report
Would you like a heads up when we publish new free resources like this one? Leave your email and we will add you to the list. It is optional, and your report downloads either way.