1 — Independence & objectivity
The auditor's judgement must be free from influence. An audit whose author has a stake in the answer is worth little, however careful the fieldwork.
- Auditors do not assess their own work or areas they are responsible for.
- Findings rest on facts — not relationships, pressure, or assumptions.
- Conflicts of interest are declared and managed before the audit begins.
2 — Evidence-based findings
Every conclusion must trace back to verifiable proof. "We think it's fine" is not a finding; "here is what we saw, where, and when" is.
- Findings supported by records, observation, or interview — never opinion alone.
- Evidence that is sufficient, relevant, and reliable enough that someone else would reach the same conclusion.
- A clear link from each requirement to the evidence that satisfies it.
3 — Risk-based focus
Audit effort should follow where the consequences are greatest. Treating every area the same wastes scarce effort on the trivial and under-examines the dangerous.
- Direct scope and depth toward the highest-risk processes and obligations.
- Distinguish minor lapses from failures that threaten security, compliance, or resilience.
- Adapt sampling and testing to the criticality of what is being checked.
4 — Competence & due care
A finding is only as good as the auditor behind it. Competence is what separates a verdict that holds from one that collapses under challenge.
- Auditors who understand both the requirement and the operation being assessed.
- Working knowledge of the applicable legal, regulatory, and standard requirements.
- Professional scepticism — verifying claims rather than accepting them.
5 — Clear reporting & follow-up
An audit delivers value only when it drives action. A finding nobody can act on is a finding wasted.
- Findings reported clearly, classified by severity, and owned by someone.
- Root causes identified — not just symptoms recorded.
- Corrective actions tracked to closure and verified as effective.
From principles to practice
These five principles are what separate a meaningful audit from a paperwork exercise. Independence keeps it honest, evidence makes it defensible, a risk focus makes it efficient, competence makes it credible, and disciplined reporting makes it count. The six method guides linked above walk each one in depth; the Audit Guide hub lists them all, alongside regulation-specific evidence guides for GDPR, NIS2 and DORA.
This guide explains the method. To apply it across a whole regulation, with every obligation scored and traceable, see the audit checklists, each with a free Regulatory Compliance Matrix you can review before buying.