Secure & Simple — Podcast for Consultants and vCISOs on Cybersecurity Governance and Compliance

Mastering Internal Audits for ISO Standards | Interview with Carlos Cruz

15 snips

Dec 2, 2025

Carlos Cruz, founder of Metanoia Consulting, shares his 35 years of expertise in ISO management systems. He discusses the critical importance of internal audits for ensuring compliance and effective systems. Key insights include setting clear audit objectives, the necessity of audit checklists, and strategies for preparing audits to gather evidence. He also highlights the role of AI in enhancing audit productivity and encourages consultants to incorporate audits into their services for continued growth and revenue.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Treat Claims As Leads, Not Proof

Verbal answers are not facts; auditors must seek corroborating evidence but interviews remain crucial.
Combine records with interviews to understand whether training and procedures actually change behavior.

ADVICE

Write Reports That Prove Your Due Diligence

Write audit reports that list conformities, nonconformities and opportunities for improvement with supporting evidence.
Include positives to show due diligence when no nonconformities exist.

ADVICE

Keep Independence When Identifying Root Causes

Avoid prescribing root causes or corrective actions as the auditor to maintain independence.
Suggest possible areas to investigate but leave root-cause analysis to the organization.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

In this episode of the Secure and Simple Podcast, host Dejan Kosutic, CEO at Advisera, welcomes Carlos Cruz, founder of Metanoia Consulting and a seasoned expert in ISO standards. Carlos and Dejan share best practices for performing internal audits across various ISO standards, including ISO 27001, and other cybersecurity frameworks such as NIS2 and DORA. Key topics discussed include the importance of internal audits, how to prepare effective audit checklists, and the role of AI in the future of auditing. The episode also explores the differences between internal audit programs and plans, the significance of audit objectives, and offers practical advice for consultants looking to expand their services into internal auditing. Carlos provides a deep dive into ensuring compliance and effectiveness while offering practical tips on maintaining independence and delivering valuable audit reports.

Links from the episode:
- Conformio software to streamline and scale ISO 27001 implementation and maintenance for your clients: https://advisera.co/Conformio-software
- White label documentation toolkits for NIS2, DORA, ISO 27001, and other ISO standards to create all the required documents for your clients: https://advisera.co/page-all-toolkits
- Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks to show your expertise to potential clients: https://advisera.co/Consultant-Courses
- Company Training Academy with numerous videos for NIS2, DORA, ISO 27001, and other frameworks to organize training and awareness programs for your client’s workforce: https://advisera.co/page-Company-Training-Account
- Beginner's Course for ISO, Cybersecurity, and AI Consultants: https://www.youtube.com/playlist?list=PLHwD3nQun7caKFq80LxNNYKIabATlyA7t
- How to Grow Your Cybersecurity, ISO, or AI Consultancy: Advanced Course:https://advisera.co/GrowYourConsultancyTraining

(00:00) - Interview with Carlos Cruz on internal audits
(01:38) - Importance and Best Practices for Internal Audits
(04:55) - Audit Objectives and Their Importance
(09:38) - Creating an Internal Audit Program
(13:31) - Audit Plans and Internal Audit Checklists
(27:06) - Conducting the Main Audit
(30:10) - The Importance of Evidence in Auditing
(36:43) - Preparing the Audit Report
(42:13) - Consultants and Internal Audits
(49:29) - Remote Auditing: Challenges and Opportunities
(57:17) - AI in Internal Auditing
(01:04:34) - Resources for Consultants