BIZOPS-41 Quality Internal Assessment


What is this control about?

The Internal Assessment control ensures that, as an organization, time is spent evaluating the functioning of internal controls and that the results of these evaluations are shared with senior management. Internal controls can be compliance-related controls or any internal activity such as account reconciliation, vulnerability scanning, segregation of duties, payroll, etc.

Implementing the control of Quality Internal Assessments is important for organizations to ensure the ongoing effectiveness of their quality management systems and to drive continuous improvement.

In a larger organization, this control can be met through the presence of an Internal Audit team. The role of an internal audit team is to gauge the performance of the internal controls. The internal audit results are shared with the organization and contain recommendations for improving the internal processes.

In a smaller organization, this can look like a part-time consultant reviewing your policies and procedures and making recommendations, or a consultant or internal employee performing a gap assessment against a standard and sharing the results with management or the Board.

Available tools in the marketplace

N/A: No tools required

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

  • N/A: No templates available for this control

Control implementation

To implement this control:

  • Identify critical areas of the organization that need evaluation. For quality, regular quality inspections are ideal.
  • A dedicated team must be assigned to review the process.
  • Time must be allocated to properly conduct the review.
  • The review results must be shared with senior management or the board.

You can use Trust Ops in TrustCloud to address the requirements for controls that can serve as a continual internal assessment.

What evidence is the auditor looking for?

Most auditors, at a minimum, are looking for:

  • Most recent internal assessment (use Trust Ops in TrustCloud)
  • Evidence that the last internal assessment was shared with senior management or the Board

Evidence example

For the suggested action, an example is provided below:

  1. Most recent internal assessment (using Trust Ops in TrustCloud)

Note: the example below is for a ‘security internal assessment’. Use it as inspiration for what to give your auditor to showcase internal assessments for Quality.

A Quality inspections review would suffice as well.


  2. Evidence that the last internal assessment was shared with senior management or the Board.
    The following screenshot is of one slide from the Board meeting presentation showing that compliance and security control results are shared with senior management.
