0100090000030661000000008d27000000001610000026060f002220574d46430100000000000100d cfa000000000400000000200000e0510000e0710000010000006c00000002000000020000005c00000 0510000000000000000000000520900002408000020454d4600000100e07100000c00000001000000 000000000000000000000000000500002003000040010000c80000000000000000000000000000000 0e20400400d0300460000002c00000020000000454d462b014001001c000000100000000210c0db01 0000006000000060000000460000000c21000000210000454d462b304002001000000004000000000 0803f1f4004000c000000000000001e4005000c000000000000001d400000140000000800000002000 0005200000025400000100000000400000000000000214007000c00000000000000224004000c0000 00000000002a40000024000000180000000000c04200000000000000000000c0c2a4701d4063c9a14 20840000534200000282000000210c0db010000000000000000000000000000000000000001000000 89504e470d0a1a0a0000000d49484452000000960000008208020000002b24a638000000017352474 200aece1ce90000000467414d410000b18f0bfc6105000000206348524d00007a26000080840000fa00 000080e8000075300000ea6000003a98000017709cba513c00001f8749444154785eed9d2d701b49d 380ef63070f861e141434153434143534143435340c3435340c340d340c0c0d0c0cbcefe9edd9d99eff5 e4971fc5649e54a39d6ee4c4fff774f4fcffffdf7df7f7f5d3effd318808497cf1fc4c08f1f3fbe7efdfaf3e74f60f8 f5eb17ff7dfbf6ede5cb9787c7c7c7cf9ff9f9f2fafafdfb77be6a01f9d71f84fe323518f8f6eddb3f9f3eed0f87 d7d7d7bb8787edf5f55fdbed5f9b8dfc3bfff269bbe5010859c5d885847f9e91ee1f1fffde6ef9b1644b0839 d1f2dfddeef9e5a514c70b09ff3c09519edb9b9b8c7e50f49fab2b7e026927b9fc747585b066105f48f8e7 4908045fbe7c11524d74fa7bb3b9b9bbe32f18483e4f4f4f9bdd2e1278737303c92dd017127e0812a21e 6f0f07e884d8e1c7a877133f481ef217a9888fb38e840c87c9e58339cd86eeac1e4e896f75bca96c8438 57c668fa58eb8f78742fd307ce65d22a54c0c057d5115aab88c0f8579d0d05c600a905980a597c05f03e ed76d0af84271078f671aef67bfbe222854cb6dded14053c81e5c40b12e247ef68b2b7ff6eb7f0cbf324e6 d964cc246fddddc14a9935de5c5ddddedf83637d8b5faeefeee2ebb8d1f70f0f3c13186d9ee8eefe1ef228 
07bcbdbd5ded76f1158510ffcd9a0a7dfd9fcd86b9588e651d187051471895ed96e9f8b9deef6f6e6f19bc 441c7f04489eb450311d18d077f90163d7b7b7fbdb5bd45d1c8179211b5f65e60d64b24c9d8b25ff7b75 45c0a06ff10a2b3d3c3c5c5d5febc8573737fc17f9d3553c3f3fc7d1188787e3740b09211e3e0f131391f0 7e54cd5537896fd1d7e0c532d1cde15071ab8c8bfccf760b07b15ac6bf9d48a85467de963306b8ac04e9 e1dfddcd8dae07ee06efcb5c85172e842c1c7170b7d0c3f0259cda9233fece5b50a8051ecc8a3ff9faf5ab 95efc7a727666fbdc2620ff7f7bbfd9e0754607817660daa320d27189fafbefff801d2ec802fc6a95948087 660ba7c62139d9430e14729e880624d6ed3393688bb3b1c541c83c8d6c810451992f318f2ad0be6bf7d ff3b7e8b985a094362b2908ba186da15911220ad369a7f478833f10515f8231e0c20851ab3c38ed5c1e3 f2a13713d9313f1ba14fdc19be88afc1e3480cb2c2bf1dd982a16055414d46ec7919303e946610b8cf8e 834d067789a2aee1c8ae0d41045f707d46863e39a162143241560a273aa0650be3dfd15ab969984165 f9d9eba84a0ffd5802dc230ea7d1904ebee43104bda2484541fdf8a1d841a4b076ca9efcbb2b9877918ff d1e496a695dc80613a004be220b6f6f8c190468b30174e1989261ad38a6a2f9f8fc0c301bcd5f3438260 2667931f22c36327b009b3424a13a1a5550ad0954bb103459b12e5084855b14ec6489580ed6a72e82 5dcc58a734914211eafd9e348fd52de20e950a769e001eef7c6b970df16079461631da6e713704fa8ea2 9ee8c75b4830bf8002a88e4058f7da45cbcd0625a182584a30bc352421eaae62ad27f0b082f67566512 397ad0b21567167f9605f098952416624a85fc3c73a32c25097429d039a010a70b33c268659fe6e5802 e64640a1ba53b34106bc599c208821fe5e5bfd2acd0e8f8fc0c387e7510c501d0f6d61e4feca8d5a56ab 134898320d26b98c79208ccd49828d7fa3e89b4981308b618484b5456df77b2b15e82d581fdd0054090 9ab0e41615f6088ba471abd5bf005d9ac0bde91f4cfcfcfc161ebd8f014325c2ce60aab6d9301dff8a749cf 4372b000152b248ce337ac6924e1d3cb4ba6482594369172f490210f73454e0f244ca1453463ea19ded 23026a896f449e85a7a3dbc9bb8662d87aef83b54b729ef4291a233870ed52422a838880d6430b24ba 1cda0803598579ca0aa031c03d8eb6b2b1faa095bae2f63a26f5b3a1676d435071216da1b2b855a4343 40ec48e30743da5dcd00a333a3a3041f60a4218998db028157b7b7d5fc067f44dc4bbbaeee375a2ad17 
ff3b0bc62474b4888e6acaa4446043efc5aa885c785e421c8b09072968d3a85b49375ecc4183cc32bbc 883bd771de80fef3e7cf9ac240e7681cb968aa144d3013e8430156c5055e0929859797321550b702db2 deb8d9812635138501250ce7a421d5142ea879a472ad197c98420af8a013e20b35472f0939ab38a7fb bdd12e458994e48181cdc4c09ecf731b4625c81324d0261db62580ae5a21fbb8432a92a10c764f289c1 78df1923c08213d541405d2bdc3990042d46e562bc4b17297aa4753ddc50bf68ec48a1c06d296630d5 11957793466169217b903e890044d5271906725573720a948aaf943e1f4d1d72120c470cd2aeae2c37 00404242c89b988a09f55042b38bac5fa30b84d2c6cb0001d7445d8a06502a56b1a9afeb8e092f861dc ebe199fa087bb155f2c80348d55dd316bc3b70096ad996fa3ba136fa8e59ad560883b3b8b3498c75012 918415b73c8d8e50d1e2eddfdf6b501449a84c290ad348794cbc01f992c7980604924c272724449eaa9 a8d595105829a9917301b490652b333d3b7702254878fc2b20b1e47d3c67743e2a313e7cdafabddd58f c4da9a939bbe157199d514ce9e5d02905b6e1309c892795d2f2cf24da2eee6655a7fa7e75dd7225d182 b2e6709db66603475c587750593347d25fb856918934b2163c126bdfcd00c0dcf58bf56d0faf65677625 31c41bfcc1127379fdb274bf58942401f4107484690ad1933b20a8464216284337d0b8b585603e9592a
32240a1a848430929f7c7e2e537a6ad123ebe4b144a99c0b3c4422c15858168b0454ab6209a1b2e400 8cd22dcaf70b8109add84a468884ddde6a4e16e3940d07284423d59c1970e068e0ad9505200c02a2d9 c92c09a9b3403ca8a829755e27f3009d403d7f8c193bb84713402800140673f1ae5826accee1400a465 20a28b1dd2ea8d9596ba12af861bd165360900c16d0aa1fd7ca02321473e11930bee61ff82f00677a5eb 5024345a8f82facaca68489203f2f328b854df59ce6012266d45365a54d8f54f982af91305c6aa885b78d 1297bd8feb6b28877953bec3481c6a0539faaeacff70009b8c405a129ec09b87adaa8e75b07030fbcb0b 4ff20a2f022800e8568be886bbbb487b00801eccc2b7c043d68db7783efa78f820ccc503fc45bf05725e8 1c0baadc85b28467e1e9e9e34692272f0fc0c73f030c0431226e51579e099475ef8f7b3bec58c4f4f3ca6 3f8c2c6bdcef412e94502f5df77c3293041e142ab59a3c10156948a47cfd8a9200093a3ecf0300afc4d94 188443ef7f7e0b61917c641232d1583fa51ea5a0d9e3d6fff1b9fef90ad7cbdf5567f9012b672212d50b39 1ab13f147a5b162567f201eb8464368d863952a7305bd6ad4296210b10a8f42f20ef632546738cf80bc1 45ef431295c0bfb07a92a4ca6a8fabbbb92f076cf47dd2e9461349c6acb0713bbbfbe9070802a6298602 64b976776eeac6baac32db1b27147cbe23337997a0f5e483840e3e2d61769b918d264db1dbc4260578 6bc7861b18ee42cc4d3412e241c23130a61fcd43354e730fc8b0b737343241a1529bf60143184950a8f 39b0432d47df623cb7e3890b091d489a1e51a7069da91fdd3929fd261c488254825df6267171efa67fd9 be20dce207ea12db11deacf2f2fa205e48e825e129cf4130755c35222a697fcae017129e82bd0ff1ee858 41f820ca7007121e129d8fb10ef5e48f821c8700a1017129e82bd0ff1ee85841f820ca7007121e129d8fb 10effe0f90d06e957c089c7d302084846472d9b724a7c027a61ed8916a9dcf3fef128876490a93bcd752 4ccd6ef0a1e841531bec9091d7c8ce457a6080f6e424198a4d5d1d8a7ff99d2df278e8cb334eff19b004c ca463c214d32c7cc8b4fd2604b22ea58ea60884844bc98cc90152902329c1e9b8b71e5a63d7978d157 ed83623d1c76e1965e1fc800e3e208b9d523d49aa25e176e55a0cc08e36c946c6613436d075f030519 a7e4cf64b37d4605dfbd3fc4c0d345a5a5039d03357be302fc0b00b781ca2b5c69cb528fc79cdd19c506 5c39c4c5b3fbb0dde4023f804abfcf03c5b518a6a29429890cf0f7957996bc69814f94ff54429091be578d 
59a285b7d440a187c416921f6cd0df5e7d9a14b2d89cc0e3785615b55ccb1986adaeff6888bb02767f52 8a4c8cea8b66b9ce4b4ca54d31c37f38613310ba96da9a6e9944ea598a4b003f685bbaba951ca02e05 1e103cf809a2edfedd89254982745fae347f5cc4005c55d7447a2f24b76e447f122bbdbd3e1e1ac80a56 4e1b81838d18f5c24d5d67bf539cf422b8743a69da021fdc01535a555b11b1e2c81b13058d5e5e8be3f3 07808094e2c4f0777466a648bd3d53da618d1b23c7817b1238a2e3dffdf11470ab13d497d958c754b28 585ecf1f75a693d3c5b5b2ee0e0b66b5ce50885d8b96ea869028d5e56c54a1148110e16b165ec0204b 15575fa847f4036e00eda35e8fa8f5abb9a54c282d3b6e49093c91d746acd14b9106822353b06aa7633 99d13dbc385587980481dd32035ab45f1bffec51ec489b02507b597a2ecaa5174502ecad3f000341aa9 55b19f09a53d9e5225a118025319bc4a7f568d05025d4e84bbd193b635c811166f1b083ce64cc947206 321bc052f890b43296d83055002e22669d1633c75dda82889c5ac1deb22c5f32dbfc3600467ac23d07c 658f030c0c920fd118d4ecf42fa096271fea88eebb840600fcfaeaba70c75a260c35694fd92b6ef3d01e58 63697d959df177257e988bf2507489058ee5dedbade7002d6e6af5758b1d1ea83615d10580eb56e1f22 9b63c96c4eb2c84287e77b1a9065206c2bba91e1397b91a52c4dfb5e140530af50b82aaca413dc35c7a ac52833f3e726a773a3c16ce5dcc4192a71301063c9c4668d78709dced4a0539b9e166fc96822ac9030 6220be27d849318cea0cb27eb00539622824f91c2f608a0abe9ce588f11691d9cc39b8e6867ed79582a e48f672441eed047e70139e3520b8d2d5a6377946c40382034a0eb72c071e218bb4a64071e4ed49f96 e1f45469e634258ab4a0253a320b4b9a3952a91b773835d2d826ed93199a0b6c36da26c67eaa2db4e 02964ba135728caaa2e86744f68f4a270e9bdaeb828bff329fb643855e57051f06e5683ca7465739c6cb a8cea4d128ac7d83fb43daf1f5622bb11a59b5ff4a42b7fb7f493016f6fb3e3a5fa00afc466262daf8f64586 9fc494e7aa36ca7981aa262e6b560a97acc6518c80fe9a70f64318c90b00c3d5356cbcea7f5762a96e31 da3f58347c43f0a38d4fa67b3413e2cbfc8689cae6984ea75036c116a0eca46cea88450ce70d061ae70ff 9484e100fec9b17295a8c4c799221dc65a59abbdc16693a45146862aca8d9ec7545941dab2de1a680c 11cdf9e45c6926eb9d84ec2142d3f2485fef44c1c7d9bf4c072c243cd1636abf9e799875294c45c89e100 
609e3fd42ac7a2bdf5f2abd4821644e2b9d23a9f4d02f437d69a42287dea93d90dd24a123e3e3f760132 91ca9a2e302ff9284650bc5c481a2b5c0dc0949913026a1b8b965a4d2d62ab1d552e6bc84d4df66d3c9 b62cc17e831299eb24ad13dcd9fd04c50e7a4445ea4a9d5701eec0363f7f9ff68705db34cb6cba4bd380 b6f9424e420e574a43ae22bdb9987407be90b3729b82d8319e9a648fadb37f168e753558240b54920e 166ef903421899e05d0e3fa47d0a2cee38110842069aadcdcaac973d197ecabedb8b54d18b2eed4002 aa435fd636aaf163ad479348a17611a926e2a4674fd67fbfed11207099a90b3b213358200e61259640a ad4718fcf57d4a99988f3d0b98b04540e668f58c3c982c3d4f3824218fb5664a93e309f3c233fb48b6c47 b075357577e375d6a83df04b77468891b64b4fa4b08de17a0f360980e64e4459eb60c56fdef1b0ab8bb 20000e559f5c7e4f0fe7e0f2df56cb44ec49a43b05f4c81728b0d3d144195ad99368a992e9ee78e4c23fe 734d774585bf227499900e4865c05eedc199a944e5aa2a3019f6ac1fbb48612667b8941919e05ca2f5c cb4b65c03bb99e20957914bed08a6bdbdea3ed484a02c29157a4f396c1b9097c8056bc841e9af49826 d76bb2a39a06e4c927567620a28cad644892b7ccb1cc9bf7e79224ea43cb2e04242e9f4631011fb2f5a9 5482951dfd246025b12c2599f7c2806004c08b12313551cb369101eb01926b053e93fd44071b98b5931 10d32c99f71b769a1c1a1b6e28f702259b5fd30d56a3289e594ecfb39d07b1dd161612565aab5c5d613
ISO 27001 Implementers Forum Author: Richard O. Regalado 62c9b2c1da247be835d067ea6072ca7af2fee52ba2bab1167a21e1a1c93995230987b9bd38b12f9a426 4a2c7467bf3ec586f5e620c9d26630854a9ada7cff4e069f91012338a20e8751fd95a8ab0309ebde3c87f ca76e61a8146dfa21fcee98031458c2fb65b749891447d97e2973115d7982579ed12efd7098b69ba9f24 d753f9657a4e594439d68bb5f3ecc15ca610aad000de0122047f9f18cbf5e4b01802ed10f0a24c4f27504 052500f12a66b6e1525b8f3478498e95bbe8378d032459800855cabedb55b994968ed3a9ebd67464a3 5ab52df4a5af67d55325293e1a1be365175a832e5b5b048a100f48e06f2f2b7bbf7340192ad8f46596a7 7d35074aa94b0f18c4ee148aad2a1bda3b5294550f36e2bdac0c868a8bef7e04c74c20c9dd11b5aa8be 810a0905a0d4cea48abad945449ab8e8d50047f6da165dbbb8e691d21214c07f4c8b2e6c3a40f97de02 d10f80ca6fa7bf008185cf6e07267b908dd7c7564ddd8df4c6144531f3120974a2f5ba3b1da3d562eb278 b6e358c013fe11e8f168aba0cdab916234e074510036c64672d310b164a81c5801bee0350b2244b2ffa 2a2d23a0f3b7b25f51f0576c698985908e5a531f01adb10711d214cd0e6ebd922e0349fea1916bd55670 f996759f63a67c8da78e34f20a3e4b531c1b3a40eff3c9a288924bec5fa86c46dfc0afa5e68fad5f8322b5 1b7e9617785fca296c0fcf1a7ce00b67af5a84a92dc7a0998d76590612a3361f8e23fd866d070656c8f3f 017a35164ad7de702f4050dca2a920839834bb7b3c3215449b7386332ab2c509b0af7b1597e0bd8307 a7046ba5e9eb410bcbbb3e98b5573c972dede309f8116b3f0686bc1719a9bb5815ffc37302b8eaf41259 69f8427a88c9731959051f18668ae623dd557ccab7de7a40df2d4c24e5ba0491bc429b169af706a6144 cfaca05df52c87b604d4bb96f88b76eaab9a253f8a354b47aa138e51d8f4473647a71eb29aaf588b812a 00e2e5bebecaad581353aa1e1a93d08e65e1f0c3e47fd283b82346cb5e3962842300fb4db3444d0e67a be6584742cf4a2ecfbc33062e247c67849f7fba0b09cf8fd3771ef142c27746f8f9a7bb90f0fc387de7112f2 47c67849f7fba0b09cf8fd3771ef142c27746f8f9a7bb90f0fc387de7112f247c67849f7fba0b09cf8fd3771 ef142c27746f8f9a7eb9150b737f968c1eef927bf8c780e0cf44848229c0d1a362ad9db64f78ecd2a764fd 8f7d28b44d960fafaed9b12988f9e20391da4d85aac3f946e34b203a77746f3c3768ffe2b8001d6d44d8c 
c7de81f9c2d618f0bcbd81136657ccf04bec68763a665a230ca470b91db1b1a5c9c6151b6394fac8d5da 7777b75c44c665468f8f6c85b0d5b7769f4c99a67a8c54170097402336e1984ebab8b56b64e4aeb6e98 25f0a1d80e777dcf1013cd0893224a6a00221748e48ab2ed852054ea0e51936fa8febf7d627ffd816b2f8 e598aba30231a9b8996a3221335ba07a1f9a9077eabfa734d66be9a2f822463c6f2f5855e87986a28da 59ca27d18a55e1d336d90824d368dd9263d5d2e81477be82dd3753093ee934351b99c2dbdc0ee1419 1d9350310813f50a35d7578c4157edbc878a4656f442373dd56e2b2a281e81cd97db0d4f2c7d9b26859 3c0a0bd71dd8f41b80d3ec3a6780f8837b80df324172b9e83902e12b2422d885a5d1c362c839bab5a20 1e5a57c757122e2558fd42baa3880a0365e53c1e2a0261b8c3fc08906aaf081887c311653b165a2f09f5 9dfa199f23d663ea91a85092cbff7efd92bafa692855773ded7d14d9ca9a4a84c9d95b167e926e00ed02 e2d5059b6609a8d66af99987ab78661d0961c39314488a7a868207e3e98bc8e05ab8e62fee3ee5497c 906a3b940c7d28cfbc7b50bf30732593513f0de31ee7d2af232122cf644d97618d3852ec654f476208a5 6cd5e914ac99a857153e219a42d6f2845124a11e7bc857dd01a045daa14da198dedd3cf77845ca9b2b 1663ab37cd02b4b36a16b1e1a37aceb59c857b4aa21214b5ba4be237875e7f431a6883e19717dcecf8f 3ca59a2da4dd32dcd8197bbd634ae934248586f08e8d61b58b86a157676c9798ee573895d7b9ceacda ce1f4a12394d246a62d2f1706a5d9f5f8acc184c6558d9057db425ea0003707c54d3fc2ed2a8b6103fa9 c8e8062f3f522f4a367ef7b1c00900962389c9ce9924690306c9a8a383a0f50aa43e70f5e574b6138037 6943127c0af42d67274f120980eeed6440ff6522e2d20a6ae86657d4975c831bd5cad095c4e9e3a3209 b8607d0772df6f87994e21a70fbb07ac4eb285b1a582e7ac68c677653b148dff429fbad4cfc65eb6d2eb4 8ed413b3b38530a0efa319aed1329a9bef24c5d5ba3ca319da9c545f54382a27242af0b152ac7e9a0ae 96c2fe61d23e5aab6daf43e7c4991e927f9a9c9d3e53f34068643af4327cf403729c9a883514c3d874a5 235b21ce80976e300de7ae89313aec150dcbaa38594dc2a545b543bd58b8316355e5104faf61f0b2f6fd 7d2a2e07ff1dee864764891123eb341bddb6e5be630e716b8f30e1d5fe1c254e569310e76a2d7beaf3a d6edd6a5c113e4f1761bb006d7474046a5a91622461e8c4ed71640c1fd3a8a3a5fabcd780a4625d766d 
388f142249c725683006555f063b0fcb77ba6fb76451fbf29d31528c2494d66e9d5c5adb0663f3aad0564 8e833e459abcbf39090944ac5b377d89bac05a33301d87a2cb4815f6b60ba528bff8218c167fd06e71dd 15f41429ffed88d1cdd63e2429cfbd810cf1fe8f0a4d3380f490b8a3926197acdf978d9e94ac4686cd8a2b 825fa0056c25fb9e0c2473f6621ac1afaa5ab6de1d22e6925fa3c771e74e8a767bbd1016cfc56f2000e35 d0d3bad3beb47a5b4c14da00af1f93ddf97209cdab431ce3d3e966b8d1bf9a84123069aec8cd4ad20ec 5014a8b7eb2d1f3fa8a881c2d1c1e6d11dba1319d536a4b7bd924e1b1e9fb6a57ca0c51ab49882800e8 5a27028785f28aa192b40f804ae911f0f02079b553f69efac1cff42dbdd962385121a19b5fe5328674990c 7b0af0e886e1c58dab490896a573be7b55fa24cdd7fdf40389e8b4b329ccae0490b62518cdba711c2d8 5bc683b85b264463e7eb4466fd853a590f7b50f89473bc5c7aad7199644d5cdb9b05f7facf2a9b397353 c33f0a463ca462ba74821381993700df7ff2e29a401ca2a29248ef474e5218d2ded386c8f9b35ab75e56 ca701b54b0e1e72b5ca141236db0e0d1d90a9059165cddc9719b27e3a4576cbc079e24246a9df46d04 637bbc4c3ad93a5afa4c374b922fa9ad8c1d4e8e74e971cf548978865250f61b6b59d4ffc106636ed8e4 3cdb03d7e7e8f14e04223de2143cd0ff4e35389f3c8f8741c9621ef8f72a4da0a9c62466771b7b3a962a6 8ad8b2af66e75920ee52d322761d7be2c221f71fe3cee0238d013204ee74da8221c2bd4bad3ccb09f44 30be99dd965b9a666615a1ed6d249dc212891905c83de1a10d7fab8ac2471d4d00d3c868414868c5d0 Internal Audit Procedure Revision 1, 2007 September 25
Page 3 of 26
6b3f8ac8f7fa2677efecca3bd95baabca4cf829badd58f59860414acb3b59f5ac9fbf2702766df9b6f4567b c9bf25479a38ca0e74f70db29cd9386b9e93e9487fb7b61b113d66d4402deb0e9d3156a5216c571fd86 6d955b9915dfb959a46762a1c977c1f238520a85214db2027b8e81864e91befe083320f520d692827c4 4eb734a4e4af395630d14f6ef06c6fb24383b00de2cc40710467948f4e0a2f7c4b265130f46500f518126 2487a59c4143e9cec0e4ea5e4b78f26bf83badd768e44b1b9281a7b9e0b45da7713e22d8c4eeee1b1c e96efaadaa708a4f30ecf2349e8af2b61e3a693fc1ca708dc0e454b63a333e8aa9af5d42efb4267404260 2931714ba148767189b38e49ca4d5292cea16696458b66f1490b8dc7903054e7f57dc5f9db8ed7e04d2 8fbd40e6bcecc9be67a24299fa28fa49a474189b25975d7fa549990ddb0cc2057967ebeb5c010d552b1 b385f6a1e66c148d01471f59de54963bae40bd433339fdcbc9cde7e750465dc059edeb5dc50e0987254 9ed53e9d85ac91ebcbef2c341c9e6adef23e7a87ad9f63949186e7d1eadca161455fdfbdca6bad566cb4 4917f8172f9b50f299cdc37378c97155a1e1b5c54ea96aa555edbb0b0d82273b522d5ddbb500c32c238 fcd8419628e4d1bdb55e6fa2cad435fc7ab28e1641c18f5d190fac06db60129c0c6b308f2761728bc0887 e62e1e9997f3890bc6f1dba5f7145a95b9df61d07d2984e115cf29c541edfdff752804359743f50dea576c eec0cacd1ab0b1a2977725dd4f8665e96f8eead9b4d86cbf6f95381a2f3c3f69a962176e203a2519f9e5c e9f5917169eea84cc165ebe6860ea85e45cad0e186aa23404c5fc16d83152897d66328727a6fa5c3bd2 21499bcc498c3c36b3d0247117d24deeab756f57132d41f9396d6cbacfd5c159f1c931006c4593ffe8c6b 4398c0a6dc7337dd252a4993b3a6d994c6a83eae58002f318d072d57999912a1b01deefed8cf5cc394a c9d5d6ebf0b9a413520e162cc9dfe827d2c12afcd86184ba0d73be0ce238bf35c5a1eae157c52fbaa8d1 8da79063ffb6b5d1610000026060f002220574d4643010000000000010000000000000004000000002 00000e0310000e071000048ef2ebc55f4db6c60e25318ab4742b99c6878b031a3d9140be2d9eb71405 e2731c19e27dbf1a06fea39f344b0c5061355b3da304ab1acbb86e31bbf4606128e26a890ad41538604 82c4e26e36c352223f21f58611fa038caffd69a859699f32f52df14fba3a2eb4396850137eb881879fdd0e 08b8730519a29406db062b49572f963551686a9f95b4051a020a151147e80c5272bd3aa21ce4012a80 
91d0be5615cf57c4a0c7f59ae9400ecc9a464028c109bc5bdf8e98195d1a29d1938abd30ae2f3e47d31 960eb4921d370f28f1403d9c28940cf90e71dbaea497b9ee767b903eefa3a68d7866a1299bbbe869701 af9f33d37e8043363ae501c08677819cf43448d31bd1e38fa2114de3c9edad0263d0836d6d08b56aeefe c34c8d0264c10835b20513f10316e497c747fec2dfb5e7de1f04b2b50440e22395015311fa6f8570ec91 9e912a97a17e0706fe1f3663888a5c6ec7750000000049454e44ae4260820000001b40000040000000 34000000ffffffff02000000000000bf000000bf0000164300000243030000000000008000000080535571 3f0000008000000080d127513f2100000008000000620000000c00000001000000150000000c000000 0400000051000000504f000002000000030000005c000000510000000200000051000000000000000 0000000960000008200000050000000d001000020020000304d0000000000002000cc005b000000b1 ffffff28000000960000008200000001000800000000000000000000000000000000006a000000000000 0000000000ffffff00e7e7e700c6c6c600efefef00f7f7f700d6d6ce00b5b5ad008c8c840094948c00bdbdb5 00dedede00d6d6d6001818100073735a00bdbdbd0084846b004a4a310031310000292900003131180 08c8c7b003131080042422100adada500525231003939100039391800b5b5b500292908006b6b5200 9c9c9c004242290052522900737363008c8c8c00adadad00424218005a5a39004242310031312100b 5b5a5006b6b5a00393929007b7b63006b6b4a0084847b007b7b6b00cecece004242390029291000de ded6005a5a4a006363520063634a0063635a0039392100848473004a4a390052523900a5a5a500737 35200313110006b6b630052524200c6c6bd009c9c8c007b7b73005a5a4200e7e7de00bdbdad007373 6b009c9c9400a5a59c0063634200cecec600a5a58c004a4a29005a5a5200393908008c8c73004a4a21 005a5a3100a5a59400f7f7ef00adad9c00949484004a4a4200636339009494940084848400efefe7006 b6b6b00424210007b7b7b00737373009c9c8400adad94008c8c6b00c6c6b50094947b0029291800d6 d6c60084846300cecebd007b7b5a00010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 
010101000001010101010101010105050101010101010101010101010101010101010101010101010 101010101010101010101010101010105020b4118090908092318410b020501010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010105055 405040501010101010101010101010101010101010101010101010101010101010100000101010101 01010101562c5008593c0f300b0501010101010101010101010101010101010101010101010101010 1010101043c22111d12131212131212121316110e590b010101010101010101303001010101010101 01010101010101010101010101010101010101010101010104033c2e500e0e0e0e0e5008070b01010 1010101010101010101010101010101010101010101010100000101010101010101011e1213121616 164f1a5d1b27403f2f0953460f030c0c020401010101010101010101010101050b15171612131212121 3121213121212131212131a4018450101010101014038540101010101010101010101010101010101 010101010101010101053053345d3e12121312121312131212161a3a5630050101010101010101010 101010101010101010101010100000101010101010101013026121213121213121213121312121212 121d3e204d264a2d2a43231f0a03450404040105074d1213121213121213121212131212131212121
ISO 27001 Implementers Forum Author: Richard O. Regalado 312121619595b0101010251130f010101010101010101010101010101010101010101010101540f0e1 71213121213121213121212131212131212131b0e3001010101010101010101010101010101010101 010100000101010101010101010105471613121212131212121312121312131212121213121312121 2131212131214400b431d12121312121213121213121212131212131212121312131212201804010f 1a124301010101010101010101010101010101010101010101051c341212131212131212131212131 2121213121213121212131d0902010101010101010101010101010101010101010000010101010101 010101010105492512131212131212121312121213121213121212131212131212121617360947161 213121213121212131212131212121312121312121213121212134f37304916123b02010101010101 01010101010101010101010101010c221a12131212131212131212131212131212121312121312121 213164006010101010101010101010101010101010101000001010101010101010101010101412012 12131212131212131212121312121312121213121213172f240c01181d12121312121213121213121 2121312121312121213121213121213121212173b1213164101010101010101010101010101010101 0101011c1113121213121212131212131212131212131212121312121312121212124d30010101010 101010101010101010101010105000101010101010101010101010101022f12121312121312121312 121213121213121217352333010101010b51121312121312121213121213121212131212131212121 312121312121312121312131212430101010101010101010101010101010101054812121312121213 121213121212131212131212131212121312121312121312135141010101010101010101010101010 10101070001010101010101010101010101010104561b121312121312121312121213121447290c05 010101010101421612121312121312121213121213121212131212131212121312121312121312121 21312124d0501010101010101010101010101010104434f1212131212131212121312121312121213 121212131212131212121312121213124d0b010101010101010101010101010101010001010101010 101010101010101010101050f511213121213121213121212131e0501010101010101010534121213 121212131212131212121312121312121213121213121212131212121312121312121a03010101010 
101010101010101010105471612131212131212131212121312121312121213121213121212131212 131212131212133402010101010101010101010101010100000101010101010101010101010101010 101051012121312121312121312121238020101010101010101053812131212131212131212131212 121312121312121213121213123e191b1213121212131212136405010101010101010101010101055 312121312121213121212131212131212121312121312121213121213121212131212131212125601 0101010101010101010101010100000101010101010101010101010101010101052c1312121312121 312121312121d0b010101010101010105121213121212131212131212131212121312121312121213 121238180b3053191613121213121244040101010101010101010101010a1a1212121312121312121 312121213124f1e4646501a1213121213121213121212131212131212170601010101010101010101 010101000001010101010101010101010101010101010536131212121312121312121312121801010 101010101010512121312121312121213121212131212131212121312121312164901010101051826 13121213121d0b0101010101010101010101041712131212121312121312121312121217060101010 104581312121213121213121212131212131212220501010101010101010101010100000101010101 010101010101010101010101043b121213121213121213121213122f0101010101010101051213121 21213121213121213121213121213121212131212131a030101010101010209251312121309010101 01010101010101050813121213121212131212131212131225060101010101015b4a1312121312121 213121213121212131216330101010101010101010101010000010101010101010101010101010101 01010438121312121213121212131212134a0501010101010101051b1312121312121213121212131 2121312121312121213121212080101010101010101413b13121234050101010101010101010b1713 121212131212131212121312121256010101010101010168131212121312121312121213121213121 22e010101010101010101010101000001010101010101010101010101010101010214121213121212 13121213121212110b01010101010101011e121312121312121213121213121212131212131212121 31212323c050101010101010105474f121b300101010101010101012e121312121312121213121213 12121351010101010101010101016913121212131212131212121312121312190b010101010101010 
1010101040001010101010101010101010101010101010212121213121213121212131212131a0301 010101010101014916121312121312121213121213121212131212131212121312121a2e020101010 101010154491a12490101010101010101041112121312121312121213121213121217010101010101 010101016912121312121312121312121213121213166301010101010101010101010000010101010 101010101010101010101010106121312121312121312121213121213550101010101010101043b12 131212121312121312121213121213121212131212131212131211080b010101010101050f3418010 10101010101011c1a1312121312121312121213121213125101010101010101010101691213121212 131212121312121312121213150101010101010101010101000001010101010101010101010101010 101010f12121312121312121312121213121239010101010101010101032512121312121312121312 1212131212131212121312121312121312121a3549300501010101040501010101010101015612121 312121312121312121213121213124c01010101010101014b16121213121212131212131212121312 12133b0101010101010101010101000001010101010101010101010101010101013c1212131212121 312121312121213125701010101010101010105074f12121312121312121312121213121213121212 Internal Audit Procedure Revision 1, 2007 September 25
Page 5 of 26
13121213121213121213121b365902050101010101010101010101351212131212121312121312121 2131212132102010101010101053d1212131212131212131212131212121312122505010101010101 0101010100000101010101010101010101010101010101481312121312121213121213121212134f0 5010101010101010101010a2012121312121312121312121213121213121212131212131212131212 121213123e1e07040101010101010101052b1212121312121312121213121213121212134d3301010 101542d121312121312121312121312121312121213121b0b01010101010101010101000001010101 010101010101010101010101014312131212131212121312121312121216030101010101010101010 101332a1a131212121312121312121213121213121212131212131212131212131212121316264802 0501010101010516121312121312121312121213121213121212124a0101010160121312121213121 21213121213121213121212131a030101010101010101010100000101010101010101010101010101 0101013f121312121213121213121212131213121f0101010101010101010101010518401213121213 121213121212131212131212121312121312121312121312121212131211180501010101051212131 212121312121312121213121213121213290101010102121213121212131212131212121312121312 12123e0f01010101010101010101000001010101010101010101010101010101012d1213121213121 2121312121312121213100101010101010101010101010101051c1e1a121213121213121212131212 13121212131212131212131212131212131212121d2a0201010105121213121213121212131212131 212121312121229010101010212121312121312121213121213121212131212131a0f010101010101 01010101000001010101010101010101010101010101044a121312121213121213121212131212133 65b010101010101010101010101010101054b394d1a12121312121312121213121213121212131212 1213121213121213121212133d0201010512121312121213121213121212131212131212195b01010 101021a121213121213121212131212131212121312123e0f01010101010101010101000001010101 010101010101010101010101022612131212131212121312121312121213200b01010101010101010 1010101010101010101050f393b121312121312121213121213121212131212131212121312121312 1212133f050105121213121213121212131212131212121312124a010101010101601312121312121 
31212121312121312121213121a0f0101010101010101010100000101010101010101010101010101 01010c4d12121312121312121213121213121212134b0101010101010101010101010101010101010 10105040f1e1a1212131212131212121312121312121213121213121212131212123e1c0105381213 121212131212131212121312121312124a01010101010160121312121312121312121213121213121 212135d0b010101010101010101010000010101010101010101010101010101010c17121213121212 131212131212121312121348010101010101010101010101010101010101010101010105462b12121 31212131212121312121312121213121213121212131212133905013b121312121312121213121213 121212131212460101010101014212121312121312121312121213121213121212250401010101010 1010101010000010101010101010101010101010101010f3e12121312121312121213121213121212 133f01010101010101010101010101010101010101010101010101302012121312121312121213121 213121212131212131212121312123b04052f12121312121312121213121213121212131245010101 010101015112121312121312121312121213121213121257010101010101010101010100000101010 10101010101010101010101011c161212131212121312121312121213121213190501010101010169 3630010101010101010101010101010101012e1212131212121312121312121213121213121212131 212131212380201491212121312121312121213121213121212134501010101010101511212131212 121312121312121213121213121501010101010101010101010000010101010101010101010101010 1010129121213121213121213121213121212131212170c0101010101013512201801010101010101 010101010101010141131212131212121312121312121213121213121212131212131238020130171 21213121212131212131212121312122d040101010101010151121213121213121212131212131212 1213160a0101010101010101010101000001010101010101010101010101010101421212121312121 312121312121312121213123e1c010101010101181212162a0c010101010101010101010101011f121 213121213121213121213121212131212131212121312121338020101361213121213121213121213 121212131256010101010101010163121213121212131212131212121312121344020101010101010 101010101000001010101010101010101010101010101081212131212121312121213121213121212 
1312530101010101010b1712131220230201010101010101010101023612121312121213121213121 213121212131212131212121312121104010124121213121213121213121213121212136001010101 010101014112121312121312121213121213121212124801010101010101010101010100000101010 101010101010101010101010122121213121213121213121213121213121212132205010101010105 2c121213121220080b05010101010101045f121312121312121213121213121213121212131212131 21212131236050101023b12121312121312121312121312121a680101010101010101451912121312 12131212121312121312124d040101010101010101010101010000010101010101010101010101010 1010135121312121213121212131212131212131212122b0501010101010124161212131212132535 53030c0b03533b1612121312121312121213121213121213121212131212131212121360010101051 c12121213121213121213121213125101010101010101010101691312121312121312121213121213 1a1c01010101010101010101010101000001010101010101010101010101010101311212131212121 31212131212121312121312121d02010101010101041a12121312121213121216204d3e1212131212
ISO 27001 Implementers Forum Author: Richard O. Regalado 1213121213121212131212131212131212121312121312121a0c01010101053612121312121213121 213121213560101010101010101010168131212121312121312121213121239050101010101010101 010101010100000101010101010101010101010101010117131212131212121312121312121213121 213121240410101010101012213121213121212131213121212131212131212121312121312121213 1212131212131212121312121312220101010101010c4d1312121312121312121312121a535401010 1010101012952121213121213121213121212132a0401010101010101010101010101010000010101 010101010101010101010101014f1213121213121212131212131212121312121312121b080205010 101291612121312121312121213121213121212131212131212121312121312121213121213121212 131212110c01010101010101631a12121312121213121213121212215506060606681916121312121 312121312121312123a02010101010101010101010101010101000001010101010101010101010101 0101024f1213121212131212131212121312121312121213121213440f0101010b4d13121213121213 1212121312121312121213121213121212131212131212121312121312121213320a0101010101010 10105184f121312121312121213121213121312121213121212121312121213121213121213360c01 01010101010101010101010101010100000101010101010101010101010101010c161212131212121 3121213121212131212131212121312121316220c01010e1213511b12121312121312121213121213 121212131212131212121312121312121213121213380701010101010101010101011825121312121 3121212131212121312121312121312121213121213121212134f3904010101010101010101010101 010101010100000101010101010101010101010101012416121213121213121212131212131212121 31212131212121213124d3c541c131239414012121312121312121213121213121212131212131212 12131212131212121312190f050101010101010101010101054114121213121213121213121212131 212131212131212121312121312122049050101010101010101010101010101010101010000010101 0101010101010101010105481b1212131212121312121312121213121213121212131212131212121 2132c0c1b12390105484d131212121312121312121213121213121212131212131212121312123e2c 
020101010101010101010101010101010c0e121312121213121213121212131212131212131212121 312123e22020101010101010101010101010101010101010101000001010101010101010101010102 0e16121213121213121213121213121212131212131212121312123e1b172126220b2c12390101014 559211612121312121312121213121213121212131212131212121b2a305401010101010101010101 010101010101010418191612121312121213121213121212131212131212132522300501010101010 101010101010101010101010101010100000101010101010101010101034012121312121312121312 121312121312121212163e2b342a1542291c0306020401011816500101010101023c1e16121213121 213121213121213121212131212121439410501010101010101010101010101010101010101010102 493a12131213121213121213121212131212122042300501010101010101010101010101010101010 10101010101000001010101010101010105494f1213121213121213123e38114a1e675e231c030c050 101010101010101010101010101023a08010101010101010104242f4a201d12121312121213121d38 260e23030501010101010101010101010101010101010101010101010101010130590e3b381612131 2121314204a0e1f0b0101010101010101010101010101010101010101010101010101010000010101 010101010101023a25172119343f2e530766300b0b040401010101010101010101010101010101010 1010101010b020101010101010101010101020b064b1818551855074b060c02050101010101010101 01010101010101010101010101010101010101010101010105023330664b66304b0c0b02010101010 10101010101010101010101010101010101010101010101010100000101010101010101010530300b 050101010101010101010101010101010101010101010101010101010101010101010101010101161 0000026060f002220574d464301000000000001000000000000000400000000200000e0110000e071 000001010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010000010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 
101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101000001010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010100 000101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010000010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101000001010101010101010101010101010101010101 Internal Audit Procedure Revision 1, 2007 September 25
Page 7 of 26
010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010100000101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 000010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101000001010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010100000101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010000010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 000001010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 
010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010100000101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010000010101010101010101010101010101050101 010501010101010101010101010101050101010101010101010101010101010101010101010101010 105010101010101010101010101010101010501010101050101010101010101010101010101010101 010101010101010101010105010101010501010101010101010101010101010101010101010101010 1010101010101041c020100000101010101010101010101020a2e362813121212143a390704010101 01010101372f0501010101010101010101010101010105020c031c18533935442b123101010101010 101010101010b2456353a382b2b2735560f040101010101010101010101010101010101010101540f5 522442b2b2b38342f490c050101010101010101010101010101010101010101010102462a3e124101 00000102490501010101010b09191a131212131212131212121626180501010101013f122c0201010 1050402020b330a49233f362621511b3e121312121213123901010101010101010403224d16121213 1213121212123e194902010101010101010101010101010101013348441b131212131212131212135 13f06050101010101010101010101010101010101044b43191a121312330100000133161c01010105 484d121213121212131212121312131212162f04010101011812121e3c23152c1e3b20321212121212 1312131212121312121312121a4101010101010101301e161213121213121212131213121212124a0 301010101010101010101010101041f17121312121312121312121312121213252305010101010101 01010101010101014509443e12121312122002010000010b131b07013035161312121213121213121 213121212131213122204010101033e12121612131213121212131213121212131212131212131212 13124404010101010104561b121213121212131212131212121312131212141c01010101010101010 10105303b161213121212131212121312121312121213120e04010101010101010101010b18341b12 
121312121213123604010000010219134d094d12131212131212131212131212131212121312124f1 801010102191212131212121312121312121213121213121212131212131212130901010101010415 161213121213121212131212131212121312121213381c01010101010101010103171213121213121 212131212131212121312121312122f04010101010101044b22191312131212121312121312390101 00000101081212131212121312121d113e12121312121213121213121213440101010522131212131 21212131212131212121312121312121213121213123e0b0101010104351212131212121312121312 124d363e1212131212131212140b01010101010101462513121213121213121212131636111212131 212121312124301010105300819131212121312121312121312121d59010100000101301a12121312 12134f3f03023011131212131212131212131212160501010159121213121213121213121213121212 13121213121212131212121e0401010105391612121312121312121213121607040c2e25131212121 312121e0401010101010c5d1312121312121213121213121e02020744161213121213121a0a051844 1b1213121213121213121213121213124f0f010100000101013b12121312124f1f050101011f1212121
ISO 27001 Implementers Forum Author: Richard O. Regalado 31212121312121312120c010101301212131212121312121312121312121213121213121212131216 49010101011c1212131212131212131212121326020101010a20121312121312160a0101010104341 21213121213121212131212121f010101024712121312121312360b43342028121312121312121312 12131212131a020101000001010118131212131a18010101010159121213121213121213121213120 c010101546512121312121213121213121213172d5927121213121213121704010101021112121312 1212131212131212123d05010101010c4d12131212131240050101014212131212131212131212121 312160c01010101012e1d1212121312120a0101010101021212131212121312121312121701010100 000101010c4d121312080501010101042a121312121213121212131212130c0101010536131212131 212121312121b3b490c0442161212131212121322010101013c121312121312121213121213121244 0201010101010f1612121312121b03010104191213121212131212131212121312240101010101021 e1312121213123f0501010101541312121312121213121213124e0101010000010101052212122604 010101010107161312121312121312121213121205010101015612121213121213163409060501010 b3e121312121312121d0a01010105441212131212131212121312121312163c0101010101023e1212 131212135601012416121213121212131212131212121344020101010105151312121312124d0b010 10101543e12121312121312121213121501010100000101010141131a0f01010101010c4d12131212 1213121213121212134401010101011c1a1312121b36090b050501010104361213121212131212260 20101010c51131212131212131212121312121312251f0401540f19121312121312123505051512131 2121312121213121213121212124e4b01050b15161212121312123e0f010101010528121212131212 1312121213290101010000010101015411220501010101044012131212131212131212131212161f0 101010101331712123a030501010101010101481212131212131212132e010101011c3e1212121312 1212131212131212121312164a474a1b12121312121213122b5405341212131212131212121312121 312121312170e0e191212131212121312135501010101042b121312121312121312123e4101010100 000101010101010101010101052f12121312121213121213121213123604010c02010101441213560 
101010101010101301a1212131212121312120b010101014913121213121213121213121213121212 13121312121312121213121213121d040420121312121213121213121212131212121312131212131 21213121212131264010101010528121213121213121213124d0b0101010000010101010101010101 0101421612121312121312121213121212200c010c40070101012e121663010101010101010436121 312121312121213400501010101531212131212121312121213121213121212131212121312121312 121213121204043812131212131212121312121312121312121213121212131212131212121339010 101010527121213121212131212124a040101010000010101010101010101010f1412121312121213 1212131212134d300501081a030101011c12200c01010101010101481312121312121312121348010 101010153121213121213121213121213121213121212131212131212121312121312120404381312 121213121213121212131212121312121312121312121213121213123901010101053412121312121 3121213123f0101010100000101010101010101010c17121312121312121213121213161004010102 3225020101010c382d05010101010101411b121213121212131212510b01010101015312121312121 21312121312121312121312121213121213121212131212131d040438121213121213121213121212 131212131212121312121312121213121213150101010105341212121312121312121223010101010 0000101010101010101022d1312121312121312121213124d49050101055a124d0101010102360801 0101010101053b1213121213121212131235050101010101241612121312121213121213121213121 213121212131212131212121312123804044012121213121213121213121212131212131212121312 121312121213121253010101010534121213121212131212134101010101000001010101010101013 f1312121213121212131212132f0b010101010b17132a01010101010c0201010101010509121212131 212131212121307010101010101032513121213121212131212131212131212131212121312121312 121213123605052c12131212131212131212131212121312121312121213121213121212133e1c010 101010536131212131212121312120201010101000001010101010105481612131212121312121313 4a1c050101010b412c13122e010101010101010101010101033e12121312121213121213190201010 1010101041912131212131212121312121312121312121312121213121213121212134201011f1612 
1312121312121312121312121213121213121212131212131212124d0201010101051013121212131 21213122004010101010000010101010101411b1212131212131212121a09020505331f3f193e12121 2180101010101010101010101043612131212131212121312124305010101010101012e1312121213 12121312121213121212131212131212121312121312121b4b01010b2512131212121312121312121 312121213121213121212131212131212220101010101051012131212131212121336050101010100 000101010101302013121212131212131222033049393816131212121312164b01010101010101010 101012e16131212121312121312121630010101010101010106251312121312121213121213121213 1212121312121312121213121247010101012f1312121312121312121312121312121213121213121 212131212131b060101010101012f1212131212131212123901010101010000010101010244121213 1212131212162a37192516121312121312121213170c01010101010101010101301a1213121213121 212131212270501010101010101010539121212131212131212121312121213121213121212131212 1312200601010101301713121213121213121213121213121212131212131212121312125a0501010 10101011013121213121213121d480101010101000001010105391212131212121312121213121213 Internal Audit Procedure Revision 1, 2007 September 25
Page 9 of 26
121212131212131212123b02010101010101010101023412121213121213121212131256010101010 101010101010217121312121213121213121213121213121213121212131212120701010101010142 121213121212131212121312121312121213121213121212131e04010101010101016012131212131 212121a0f01010101010000010101081d121212131212131212131212121312121312121213121213 3d0501010101010101010115121312121213121213121212383001010101010101010101010f17121 312121213121213121213121213121213121212131a53010101010101010537121213121213121213 1212121312121312121213121213440c0101010101010101531212131212131212170b01010101010 00001011c1a1213121212131212131212131212121312121312121213121243010101010101010105 0f1b1212131212121312121312122d05010101010101010101010105071a121312121213121213121 21312121312121312121a180501010101010101010b4e121213121213121213121212131212131212 1213163d0b0101010101010104064412121312121213121a480501010101000001025112121312121 312121213121212131212131212121312121312121f01010101010104180e3e121212131212131212 121312122a04010101010101010101010101010f20121312121213121213121213121213121213440 3010101010101010101010102431612121312121213121213121212131212131b0804010101010101 043c441613121213121213121213122a0c01010100000133121213121212131212131212131212131 21213123e3e1b171719523001010101042e171612121312121213121213121212131216360c010101 0101010101010101010545101b1213121213121213121213121216214904010101010101010101010 1010105073b131212131212131212131212121325373305010101010101184d161312121312121312 12131212131225480401000001331212121612164f164f1a17273a2a2a39564229290f0f03060c0b020 501010101043937353a27204f1a4f16161612161212121312134d0f010101010101010101010101010 5412f1b1612121312121312164f35490b010101010101010101010101010101010102493a4f1612121 31212121616381503050101010101010101062942565615222a2a34272727144f4f4f161a3c0100000 15b0859591c1c300b0b01010101010101010101010101010101010101010101010101010101010101 010104330c0f1c2459595a62102c1e09010101010101010101010101010101010503592e6210622e1f 
0f0501010101010101010101010101010101010101010101010b242362101062233c0b01010101010 101010101010101010101010101010101010101010101050b0b020100000101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010505050101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010000010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101000001010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010100000 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010000010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101000001010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 
010101010101010100000101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010000 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101000001010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010504040402020101010101010 101010101010101010101010101010101010100000101010101010101010101010101010101010101
ISO 27001 Implementers Forum Author: Richard O. Regalado 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010530 1c1c1c3002010101010105245923151062103d1e1e4a3b5e050101010101010101010101010101010 101010101010101010000010101010101010101010101010101010101010101010101010101010101 0101010101010609000026060f000212574d4643010000000000010000000000000004000000e0110 00000000000e071000001010101010101010101010101010101010101010101010101010101010101 0101010101010101010101010101010101010101010101010101010101014b353e16161216124f400 7050101053c4a14121213121213121b56050501010101010101010101010101010101010101010101 010100000101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 0101010101010101010101010101010101010104201212121312121213123e4b01010101040a11121 213121244030501010101010101010101010101010101010101010101010101010000010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 0101010101010101015b1d121312121312121213121c0101010101331b12121312120f01010101010 101010101010101010101010101010101010101010101000001010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010105 5617121312121312121b2a050101010101481213121213160401010c2201010101010101010101010 101010101010101010101010100000101010101010101010505050505010501010105010101010101 010101050105050101010101010101010101010101050105050101010105010101010101010101050 1050101010101010101050101010101010101050101010105010101010101053049393535352f4241 04043c040101014a12131212122b010105341a0101010101010101010105010101010101050105010 
101010000010101010101050356362b382b3a2f1804010f5f0b01010101010503422234363539550c0 5010101010101010102553936342a560f05055c0b01010402030f184c392a3c0101540c033c4c392f02 3024241853536018013049103942060502603c243c615361423939392f364e1a4a45010c1712121312 12350c033f1217010101040b031c55423935020c243c6156392c220b01010100000101010101043925 1312121312121216362f1b370501010101301e1b1312121312121d512c0b010101010105242116121 31212131b37413e33010b10444d3e161212204b303419511b161b2206025e203e121212132e2e251d 12121317422c1a4d1b131212131212123e19080626131937401212121312121a511b16123a0105424 a191b3e1212122205093e1612131a2a4b05010101000001010101052f1d1212131212131212121312 1d03010101014b2012121213121213121213123a0c0101010123161213121213121212123e1241010 1050c2213121213590102441312131224050101011c1b121312124d1213121213121213123645493b 1212131212163c0401014a1212131213121212131213121213123a010104301f16121312170c01331 d1212133b05010101010100000101010133121213121213124d193e13121222050101010c20131216 34032e121312121213123a050101241a12121213121213121213121249010101035d1213123e04010 107121213124d30010101302512121312131212131212131212125a0101531312121312161c010101 3612121312121312121213121212131240010101053f1213121247010104201213121b41010101010 100000101010124121312121213340c021c4a131a3001010105391212122a02011812121312121213 1a0f010511121213121213121213121213125a01015b401212121340050101303e121312124004010 10f1a13121212131212121312121312120f01012e121212131212590101013f1212131212121312121 2384e2f4d123f010101494f121213120a0101043b121212132e0501010101000001010101491213121 213124430010105080801010101331b1213200201023412121213121213161f014113121212131212 1312121d36441237010149121312121227540101181212131212124801011c3e12121312121312121 2131212133e54010143121312121312500101015c1216141213121213124d0b0101301b3f01010517 1312121312030101453e121312121b5b010101010000010101014b131212131212121a4d34472e530 34501013c121213163a3f201212131212131212163c01431212131212131212134f590404483f01044 
a121312121312490241511213121213122d0401241612131212121312121312121212340501014e12 12131212130e5401012e12085a121213121213195b0101011c3c0101531312121213123905042e121 2131212122401010101000001010101051e131212131212131212131213163b490147121212131212 1312121213121213121a0c042d1212131212121312123a0501010104010c201212131212131a261b1 2121312121213200b0155121212131212122b39223812131256010101571212121312124404010109 4d022c1312121312125805010101010101050e1212131212131a2a364f1312121312120e050101010 000010101010105491e2012121213121212131212131253371213121213121213121212131212132f 01044a131212131212121312275401010130021c3e12121312121213121312121213121213380b015 512131212131a09010101051817161c01010151121312121312170b01010f1c053d1213121213124a0 1010101010c0b023b12121213121213121212121312121312190b010101000001010101010205040b 4b181e4f13121212131212134a4e13121213121212131212131212162233493036121213121213121 2131650020249201c0f3e12121312121312121213121213121212380b011512121312124705010101 0101410e0b01010451121213121213160c01010101044a12121312121352020101010711480b19131 Internal Audit Procedure Revision 1, 2007 September 25
Page 11 of 26
212121312121312121312121213121a03010101000001010101054e1002010101053f121213121213 1212113f1212131212131212131212133b180215121c3d12121312121213121212133b26131649031 b121213121212131212131212121312133604011513121213124b01010101010101010101010b1712 121312121213410101010104441212121312121a180102093e1239451913121213121212131212121 312121312122901010100000101010145131220290201024a13121213121213122607161312121213 1212173f1f4b30293b121349481312121312121213121212131212134c024d12121213121213121212 1312121312164801012c12131212130601010101010101010101010c25131212131212121f0101010 1052d12131212131212162b3e1212121e023d13121212131212131212131212121312120901010100 00010101014812131216263f261612121312121213124304361212131212131212141926171612121 309021b13121213121212131212131212123901151312121312121213121213121212131104010135 1212131212180101010101010101010101031a121312121312124301010101012e121213121213121 213121212133b04491212131212131212131212121312121312420101010000010101052d12121312 12121213121212131212131902010c201212131212131212131212131212124701071a12121312121 312121213123b1a2a01023b1212131212131212121312121311300101013613121213123b02010101 01010101010101241a131212121312123401010101010c1d121213121213121213121212380b05351 31212121312121213124434121213124801010100000101010c1727083b1613121212131212131216 1e330101010c3d161212131212121312123e261f3b3f0105181712121312121312121b390239400501 0b35161212121312121312123e0e0b01010130141212131212120e040101010101010104303712121 312121312121a154102010101423e1212131212131212174344120c01022f1b1213121213121a2f451 f121213124601010100000101011c270c0104180e1b131212121228222904010101010105182a1a121 31212122b2c070401072d010101062e2b12121212282f0305013031010101041811161213121212322 c1c050101013320121212142b2b343530010101010101302d141212121216282b2b2b2736371f0101 0105242712121312121b2e300106380a01010503393a2b2b3b390f05013c1212131b0301010100000 101010101010101010101040c0c0b0401010101010101010101010101020c0c0b0501010101010101 
010101010101040c0c0201010101010102010101010101020324241c0c01010101010101050c02010 1010101010101010101010101040c0c040101010101010101010101010101010101010b1c241c0c01 0101010104040101010c2523010101010101052213121226040101010000010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010522 121a2304010101010f1b1212130901010101000001010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 1010101010101010101010101010101010101010101010101010101011c1613121d1e1c04041f20121 213210201010101000001010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010102191212131212161a1a161213121b0f010101010100000 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101011516161212131212131212121317180501010101010000010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 10101010101010101010101010101010101010101010101010101010101010101010101010c0d0e0f 1011121312121312140e0b01010101010101000001010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 
1010101010101010101010101010101010101010101010101010102030401050206070809090a0b05 010101010101010100000101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010000 460000002c00000020000000454d462b2b4000000c000000000000002640000010000000040000000 00000004c0000006400000002000000020000005c0000005000000002000000020000005b0000004f 0000002900aa0000000000000000000000803f00000000000000000000803f00000000000000000000 00000000000000000000000000000000000000000000220000000c000000ffffffff460000001c0000001 0000000454d462b024000000c000000000000000e0000001400000000000000100000001400000004 00000003010800050000000b0200000000050000000c024f005b00030000001e00040000000701040 08d270000410b2000cc008200960000000000b5ff56004d00020028000000960000008200000001000
ISO 27001 Implementers Forum Author: Richard O. Regalado 800000000000000000000000000000000006a0000000000000000000000ffffff00e7e7e700c6c6c600ef efef00f7f7f700d6d6ce00b5b5ad008c8c840094948c00bdbdb500dedede00d6d6d6001818100073735a 00bdbdbd0084846b004a4a31003131000029290000313118008c8c7b003131080042422100adada50 0525231003939100039391800b5b5b500292908006b6b52009c9c9c00424229005252290073736300 8c8c8c00adadad00424218005a5a39004242310031312100b5b5a5006b6b5a00393929007b7b63006 b6b4a0084847b007b7b6b00cecece004242390029291000deded6005a5a4a006363520063634a0063 635a0039392100848473004a4a390052523900a5a5a50073735200313110006b6b630052524200c6c 6bd009c9c8c007b7b73005a5a4200e7e7de00bdbdad0073736b009c9c9400a5a59c0063634200cecec 600a5a58c004a4a29005a5a5200393908008c8c73004a4a21005a5a3100a5a59400f7f7ef00adad9c00 949484004a4a4200636339009494940084848400efefe7006b6b6b00424210007b7b7b00737373009c 9c8400adad94008c8c6b00c6c6b50094947b0029291800d6d6c60084846300cecebd007b7b5a000101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101010101010101010101010101010101010101010 101010101010101010101010101010101010101010101010101010000010101010101010101050501 010101010101010101010101010101010101010101010101010101010101010101010101010101050 20b4118090908092318410b0205010101010101010101010101010101010101010101010101010101 010101010101010101010101010101010101010101050554050405010101010101010101010101010 1010101010101010101010101010101010000010101010101010101562c5008593c0f300b05010101 010101010101010101010101010101010101010101010101010101043c22111d12131212131212121 316110e590b0101010101010101013030010101010101010101010101010101010101010101010101 0101010101010104033c2e500e0e0e0e0e5008070b010101010101010101010101010101010101010 101010101010100000101010101010101011e1213121616164f1a5d1b27403f2f0953460f030c0c0204 
01010101010101010101010101050b151716121312121213121213121212131212131a40184501010 10101014038540101010101010101010101010101010101010101010101010101053053345d3e1212 1312121312131212161a3a56300501010101010101010101010101010101010101010101000001010 10101010101013026121213121213121213121312121212121d3e204d264a2d2a43231f0a03450404 040105074d1213121213121213121212131212131212121312121619595b0101010251130f0101010 10101010101010101010101010101010101010101540f0e1712131212131212131212121312121312 12131b0e3001010101010101010101010101010101010101010100000101010101010101010105471 6131212121312121213121213121312121212131213121212131212131214400b431d121213121212 13121213121212131212131212121312131212201804010f1a1243010101010101010101010101010 10101010101010101051c3412121312121312121312121312121213121213121212131d0902010101 010101010101010101010101010101010000010101010101010101010105492512131212131212121 312121213121213121212131212131212121617360947161213121213121212131212131212121312 121312121213121212134f37304916123b0201010101010101010101010101010101010101010c221 a12131212131212131212131212131212121312121312121213164006010101010101010101010101 010101010101000001010101010101010101010101412012121312121312121312121213121213121 21213121213172f240c01181d12121312121213121213121212131212131212121312121312121312 1212173b12131641010101010101010101010101010101010101011c1113121213121212131212131 212131212131212121312121312121212124d30010101010101010101010101010101010105000101 010101010101010101010101022f12121312121312121312121213121213121217352333010101010 b51121312121312121213121213121212131212131212121312121312121312121312131212430101 010101010101010101010101010101054812121312121213121213121212131212131212131212121 312121312121312135141010101010101010101010101010101010700010101010101010101010101 01010104561b121312121312121312121213121447290c05010101010101421612121312121312121 21312121312121213121213121212131212131212131212121312124d050101010101010101010101 
0101010104434f1212131212131212121312121312121213121212131212131212121312121213124 d0b010101010101010101010101010101010001010101010101010101010101010101050f51121312 1213121213121212131e0501010101010101010534121213121212131212131212121312121312121 213121213121212131212121312121312121a03010101010101010101010101010105471612131212 131212131212121312121312121213121213121212131212131212131212133402010101010101010 101010101010100000101010101010101010101010101010101051012121312121312121312121238 020101010101010101053812131212131212131212131212121312121312121213121213123e191b1 213121212131212136405010101010101010101010101055312121312121213121212131212131212 121312121312121213121213121212131212131212125601010101010101010101010101010000010 1010101010101010101010101010101052c1312121312121312121312121d0b010101010101010105 121213121212131212131212131212121312121312121213121238180b30531916131212131212440 40101010101010101010101010a1a1212121312121312121312121213124f1e4646501a1213121213 121213121212131212131212170601010101010101010101010101000001010101010101010101010 Internal Audit Procedure Revision 1, 2007 September 25
Page 13 of 26
101010101010536131212121312121312121312121801010101010101010512121312121312121213 12121213121213121212131212131216490101010105182613121213121d0b0101010101010101010 101041712131212121312121312121312121217060101010104581312121213121213121212131212 131212220501010101010101010101010100000101010101010101010101010101010101043b12121 3121213121213121213122f0101010101010101051213121212131212131212131212131212131212 12131212131a030101010101010209251312121309010101010101010101010508131212131212121 31212131212131225060101010101015b4a1312121312121213121213121212131216330101010101 010101010101010000010101010101010101010101010101010104381213121212131212121312121 34a0501010101010101051b1312121312121213121212131212131212131212121312121208010101 0101010101413b13121234050101010101010101010b1713121212131212131212121312121256010 10101010101016813121212131212131212121312121312122e010101010101010101010101000001 01010101010101010101010101010101021412121312121213121213121212110b010101010101010 11e12131212131212121312121312121213121213121212131212323c050101010101010105474f12 1b300101010101010101012e121312121312121213121213121213510101010101010101010169131 21212131212131212121312121312190b010101010101010101010104000101010101010101010101 0101010101010212121213121213121212131212131a0301010101010101014916121312121312121 213121213121212131212131212121312121a2e020101010101010154491a12490101010101010101 041112121312121312121213121213121217010101010101010101016912121312121312121312121 213121213166301010101010101010101010000010101010101010101010101010101010106121312 121312121312121213121213550101010101010101043b12131212121312121312121213121213121 212131212131212131211080b010101010101050f341801010101010101011c1a13121213121213121 212131212131251010101010101010101016912131212121312121213121213121212131501010101 010101010101010000010 ISO 27001 Implementer’s Forum
Internal ISMS Audit Procedure
Document Number:
I27KIForum-ROR-Procedure-Internal Audit
ISO 27001 Implementers Forum Author: Richard O. Regalado Version Number: Release Date: Document Owner:
Version 1 2007 09 25 Richard O. Regalado
Documentation Administration This work is copyright © 2007, Richard O. Regalado and ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum (www.ISO27001security.com), and (c) derivative works are shared under the same terms as this.
0100090000038908000000007507000000000400000003010800050000000b0200000000050000000 c0220005900030000001e0004000000070104000800000026060f000600544e50500601df000000410 b8600ee001f005800000000001f0058000000000028000000580000001f00000001000100000000000 00000000000000000000000000000000000000000000000ffffff00ffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffff ffffffffff00ffffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffffffffffffff ffffffffffffff00ffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffff00ff ffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffffffffffffff0 0ffffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffffffffffff ff007ffffffffffffffffffffe0075070000410bc60088001f005800000000001f005800000000002800000058000 0001f0000000100080000000000000000000000000000000000000000000000000000000000ffffff00a 9b0aa00aab1ab00abb1ac00acb3ad00aeb5af00b0b6b100b3b9b400b7bcb700bbbfbb00bec3bf00c3c8 c400c7ccc800cbcfcc00555655001f1f1f003f3f3f007b7b7b0095969500fefefe00eeeeee00d4d6d400000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 
000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000121210000f120f0012100f0f1012001212121100001210001210121010120f0f10 0f11101200101200001212100000101200101210121212100012121011121212101200101200111200 10121212101212121000000010131414160f1514150f14110a0e1114001414141100001411111400141 1131414141114121114001114001314141600001114001214111414141013141416121414141114001 214000b140011141414101414141200000011141211141214001412141114141114001411000000001 41111140014111412001411141211140011140014121114000011140012141114000000141211141214 
0000111400121400151411111400000014111114000000101110131612140014121412161612140014 11000000001412121600141114121414111412111400111400101113150000111411141311140000001 11013161214000011141114130014160f11140000001411111400000000101414111214001412141314 1413140014141411000014141404001411141212121014141414001114001114141000001114141512 11141414001014141112141414111414141211140215111414140014111114000000101314101112140 01412140a12120a1400141100000000141111140014111412001210141211140011140013141011000 01114001214111400000013141011121400001114001214121512151114000000141111140000001114 Internal Audit Procedure Revision 1, 2007 September 25
Page 15 of 26
130f14121400141214140f0f14140014110000000014110f140014111413001411141211140011140014 130f1400001114001314111400000014130f1412140000111400131407150f15111400000014110f1400 00000013141412100e14161014141111141400141414120000141414040014110f14140a1014121114 121414141314141200001114141412111414141113141412121414141114141412161211140f1414141 114141412000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000202020202020202020203030303030304040505050607070808 09090a0a0b0b0c0c0d0d0e0e0e0e0e0e0e16160e0e0e0e0e0e0e0d0d0c0c0b0b0a0a0909080807070 605050504050303030303020202020202020202000002020202020202020203020303030304040405 0506060707080809090a0b0b0c0c0d0d0e0e0e0e0e0e02130f1302160e160e0e0e0e0d0d0c0c0b0b0a 090909080707060605050404040303030303020202020202020200000202020202020202020203030 303030304050505060707080809090a0a0b0b0c0c0d0d0e0e0e16121000000000001012160e0e0e0e 0d0d0c0c0b0b0a0a09090808070706050505040403030303030202020202020202000002020202020 20202020203030303030404050505060707080809090a0b0b0c0c0d0d0e0e160d1000000f130a120f0 000110c160e0e0e0d0c0c0c0b0b0a0909080807070605050504040303030303020202020202020200 0002020202020202020202030303030304040505050607070808090a0a0b0b0c0c0d0d0e0e0c10001 1161414141414161100100d160e0e0e0d0c0c0b0b0a0a090808070706050505040503030303030202 020202020202000002020202020202020203030303030305040505060607070808090a0a0b0b0c0c0 d0e0e160f000f1414141414141414140f000f0e160e0e0d0c0c0c0b0a0a090908070706060505040404 030303030302020202020202000002020202020202020202030303030404040505060707080809090 a0a0b0c0c0d0d0e0e08001015141414141414141414151000080e0e0e0d0d0c0b0b0a0a0908080807 060605050404030303030303020202020202020000020202020202020202020303030303040505050 60707080808090a0b0b0c0c0d0d0e0d12001314090f1112141211110414130012160e0e0d0d0c0c0b0 a0a090908080707060505050403030303030302020202020202000002020202020202020203030303 
030304040505060707080809090a0a0b0c0c0d0d0e0e11001615100012001100111100151600110e0e 0e0e0d0c0c0b0b0a09080808070706050504040303030303020202020202020200000202020202020 2020203020303030305040505060707080808090a0b0b0b0c0d0d0e0d1100140b0012141612000a14 1614140011160e0e0d0d0c0c0b0a0a090908080707060505040403030303030302020202020202000 002020202020202020202030303030404040505060707080809090a0a0b0c0c0d0d0e0e1100140b00 1214131200020d0a141400110e0e0e0d0d0c0c0b0b0a0908080807070605050504040303030203020 20202020202000002020202020202020203030303030304040505060707080808090a0b0b0c0c0d0d 0e1611000e14100000001210001010160c000f160e0e0d0d0c0c0b0a0a090908080707060505040403 030303030202020202020202000002020202020202020202020303030304040505060607070809090 a0a0b0b0c0c0d0e0e120012141513120a1416121216140f0012160e0e0d0c0c0b0b0a0a09090807070 606050504040303030303020202020202020200000202020202020202020303030303030404050505 060707080909090a0b0b0c0c0d0d0e0c00000c1414141414141414141600000c0e0e0d0d0c0c0b0b0 a0a090808070706050505040403030303030202020202020202000002020202020202020202030303 030304040505050607070808090a0a0b0b0c0c0d0d0e0e1200111514141414141414161000120e0e0 e0d0d0c0c0b0b0a090908080707060505050404030303030302020202020202020000020202020202 0202020203030303030404050505060707080808090a0a0b0b0c0c0d0d0e0e0f00101314141414140 200000f0e0e0e0e0d0c0c0b0b0a0a0909080807070605050504030303030303020202020202020200 00020202020202020202020203030303040404050506060707080909090a0b0b0c0c0c0d0e0e0e0f00 0010111211000000120d0e0e0e0d0c0c0c0b0b0a09090908070706060505050404030303030302020 202020202020000020202020202020202020303030303030404050505060707080809090a0a0b0b0c 0c0d0d0e0e0e080f00000000100f080e0e0e0e0d0d0c0c0b0b0a0a0909080807070605050504040303 030303030202020202020202000002020202020202020202020303030303040405050506060708080 909090a0b0b0b0c0c0d0d0d0e0e0e0e0e0e0e0e0e0e0e0e0d0d0d0c0c0b0b0b0a0909090808070706 050505040403030303020302020202020202020000000202020202020202020202030303030304040 
50505060707080809090a0a0b0b0b0c0c0c0d0d0d0e0e0e0e0e0e0e0e0d0d0d0d0c0c0b0b0b0a0a09 090808070706060505040404030303030302020202020202020000010000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000010800000026060 f000600544e50500701040000002701ffff030000000000
ISO 27001 Implementers Forum Author: Richard O. Regalado
Document History Version
Date
Author
Update Description
0
2006 08 31
Richard O. Regalado
Initial issue.
1
2007 09 25
Richard O. Regalado
Updated Documentation Administration portion on Page 1
Internal Audit Procedure Revision 1, 2007 September 25
Page 17 of 26
1.0 Purpose
1.1 1.2
2.0 Scope
3.0 Responsibility
To ensure that the company continually operates in accordance with the specified policies, procedures and external requirements in meeting company goals and objectives in relation to information security. To ensure that improvements to the ISMS are identified, implemented and suitable to achieve objectives.
This procedure includes planning, execution, reporting and follow–up of an internal ISMS audit and applies to all departments that form part of the company information security management system. 3.1
Information Security Management Representative (ISMR)
3.2
Lead Auditor
3.3
Prepares an Audit Plan/Notification (F-IA-001) as basis for planning the audit and for disseminating information about the audit. Chairs the internal audit activities. Co-ordinates the audit schedule with concerned department/section heads. Plans the audit, prepares the working documents and briefs the audit team. Consolidates all audit findings and observations and prepares the internal audit report. Reports critical non-conformities to the auditee immediately. Reports the audit results to the auditee clearly and without delay. Conducts the opening and closing meetings.
Audit Team
3.4
Appoints the Lead Auditor and the Audit Team. The Lead Auditor can also be the ISMR. Together with the Lead Auditor, reviews the corrective and preventive actions and the follow-up audits done based on the internal audit report submitted. Maintains the confidentiality of the audit results.
Supports the Lead Auditor’s activities. Performs the audit using the consolidated audit checklist. Reports the non-conformities and recommends improvements. Maintains the confidentiality of audit findings. Acts in an ethical manner at all times.
Auditees
Receive the audit report and determine, initiate and follow-up the corrective action.
ISO 27001 Implementers Forum Author: Richard O. Regalado
4.0 Procedure 4.1 General
4.2 Planning and Preparing the Audit
4.1.1
An audit programme (F-IA-002) shall be created that contains all scheduled and potential audits for the whole calendar year. This shall include schedule of internal audits, audits done on suppliers, audit to be performed by clients and 3rd-party audits, where appropriate.
4.1.2
Internal audit shall be scheduled twice a year or as the need arises.
4.1.3
Personnel who are independent of the current work or project shall perform the internal audit.
4.1.4
All members of the Internal Audit Team shall be appointed by the ISMR
4.1.5
The Lead Auditor shall supervise the activity of the Audit Team.
4.1.6
An Audit Notification Memo is sent to the department/section to be audited at least three (3) working days in advance of the audit.
4.2.1
An annual audit programme (F-IA-002) shall be prepared by the Lead Auditor and approved by the President/CEO, and is subject to revision in accordance with changes in schedule.
4.2.2
From this audit programme, the Lead Auditor shall prepare the respective audit plans.
4.2.3
The Audit Plan/Notification (F-IA-002) shall be prepared by the Lead Auditor, reviewed and approved by the ISMR. It shall be communicated to the auditors and the auditees. It shall be designed to be flexible in order to permit changes based on the information gathered during the audit. The plan shall include:
Audit objective and scope Department/Section and responsible individuals in charge. Audit team members. The number of auditors depends on the audit area size. Type of management system to be audited Date, place, time of the audit and distribution date of the audit report
4.3 Pre-audit meeting
A pre-audit meeting between the ISMR, Lead Auditor and auditors shall be carried out not later than one day prior to the audit proper. Objectives are as follows:
4.4 Opening meeting
To ensure the availability of all the resources needed and other logistics that may be required by the auditor. The scope of the audit is verified from the Audit Plan
An opening meeting, where deemed appropriate by the ISMR and Lead Auditor, shall be held on the day of the audit but before the audit proper. The following may be discussed during the opening meeting: The purpose and scope of the audit. Confirmation of the audit plan. Clarification of other matters that must be settled before the audit takes place.
Internal Audit Procedure Revision 1, 2007 September 25
Page 19 of 26
4.5 Audit Execution
The auditors will perform the internal audit using several checklists that are described herewith: -
Internal Audit Checklist/Observation Form (F-IA-03) – contains specific items that are particular to the organizational unit to be audited. The assigned auditors are responsible for generating questions using this form.
-
Systemic Requirements Checklist (F-IA-04) – contains items relating to the requirements of ISO 27001:2005
-
Control Requirements Checklist (F-IA-05) – contains items pertaining to controls found in the Appendix A of ISO 27001:2005
Audit findings are collected through interviews, examination of documents and observation of activities and conditions in the areas of concern, and will be written on the above-mentioned checklists. Evidence suggesting non-conformities should be noted if it seems significant, even though not covered by the checklist. Other objective evidence and/or observations that may reflect positively or negatively on the information security management system shall also be listed in the space provided on the above-mentioned checklists. 4.6 Audit Reporting
4.6.1
The auditors shall have a wash-up meeting after the audit. Agenda includes:
Review and analysis of findings Consolidation of all findings including grouping and tabulation. Classification of findings. Preparation of recommendation and audit report Classification of findings (see below 4.6.4) Preparation of recommendation and audit report
4.6.2
The audit team shall review all of their findings to determine whether they are to be reported as non-conformities or as observations. Audit findings should likewise be supported by objective evidence.
4.6.3
The Lead Auditor consolidates all the audit findings for the preparation of the audit report.
4.6.4
Classification of findings shall be:
Major non-conformity – This pertains to a major deficiency in the ISMS. A non-conformity also pertains to cases where one or more elements of ISO 27001 are not implemented. Non-conformities have a direct effect on information security, specifically on the preservation of confidentiality, integrity and availability of information assets.
Minor non-conformity – A minor deficiency. One or more elements of the ISMS is/are only partially complied with. A minor non-conformity has an indirect effect on information security. Note: Both major and minor non-conformities shall require appropriate corrective actions to be documented on the NCPAR form.
ISO 27001 Implementers Forum Author: Richard O. Regalado
4.6 Audit Reporting (continued)
Improvement potential – A hint for improvement which may or may not be implemented by the auditee.
Note: Improvement potentials which pertain to an information security weakness shall require appropriate preventive actions to be documented on the NCPAR form.
4.6.5
The Lead Auditor shall prepare a standard internal audit Report (F-IA-06) containing the following information.
4.6.6
Audit Reference Number Date of Audit Department/Section Audited/Process Name Name of Auditee and auditors Statement of findings (all non conformities found) Reference to the information security management system and standard Corrective and Preventive Actions with completion date Follow-up actions for non conformities Verification of follow-up actions
The auditors shall follow a code of conduct in the manner of reporting as stated in this document.
4.7 Closing Meeting
Positive findings – Findings that pertain to processes and/or systems that go beyond what is required by the standard.
The report should be concise but factual and presented in a constructive manner. The findings should be within the scope of the audit and show their relationship to the standard used. The report should not show bias by the individual auditor.
4.6.7
The Lead Auditor shall issue a formal Audit Report to the ISMR (if the ISMR is not the Lead Auditor).
4.6.8
The internal audit report shall be maintained and controlled by the ISMR in accordance with the Control of Records Procedure.
The Lead Auditor shall preside over the closing meeting attended by the audit team and the auditees. The auditors shall report their findings, observations and recommendations. The auditors summarise the good points before presenting the non-conformities. Both parties shall safeguard the confidentiality of the internal audit report. All queries and clarifications are resolved.
Internal Audit Procedure Revision 1, 2007 September 25
Page 21 of 26
4.8 Corrective Action Followup
4.9 Audit Follow-up
4.10 Auditors’ Qualifications
4.8.1
The auditor is only responsible for identifying the non-conformities.
4.8.2
The auditees are responsible for correcting the reported non-conformities.
4.8.3
Approved corrective actions shall be based on the agreed time scale.
4.8.4
The Lead Auditor shall make a follow-up audit to check the implementation of corrective action as stated on the Nonconformity/Corrective and Preventive Action report or NCPAR. Normally, the audit procedure is followed. The frequency of follow-up depends on the results of audits.
4.8.5
The Lead Auditor shall make a second follow-up to verify the effectiveness of the established corrective or preventive actions. The second follow-up shall be performed not earlier than three (3) months and not later than four (4) months after the date of implementation verification (see 4.8.4).
4.8.6
Lead auditor shall issue a new NCPAR if corrective actions are: not implemented on the committed date (see 4.8.4) not effective (see 4.8.5)
4.8.7
“Re-issue” shall be noted on the remarks column of the NCPAR log if any of the situations in 4.8.6 become apparent.
The ISMR will meet with the auditors and take overall responsibility for follow-up activities of audit results with the auditees. Follow-up action will not be considered complete until all corrective actions or measures have been implemented and the status has been reported to the Lead Auditor. 4.10.1 Personal attributes Auditors shall possess personal attributes to enable them to act in accordance with the principles of auditing. An auditor should be: a) b) c) d) e) f) g) h) i)
ethical, i.e. fair, truthful, sincere, honest and discreet; open-minded, i.e. willing to consider alternative ideas or points of view; diplomatic, i.e. tactful in dealing with people; observant, i.e. actively aware of physical surroundings and activities; perceptive, i.e. instinctively aware of and able to understand situations; versatile, i.e. adjusts readily to different situations; tenacious, i.e. persistent, focused on achieving objectives; decisive, i.e. reaches timely conclusions based on logical reasoning and analysis; and self-reliant, i.e. acts and functions independently while interacting effectively with others.
ISO 27001 Implementers Forum Author: Richard O. Regalado
4.10 Auditors’ Qualifications (continued)
4.10.2 General knowledge and skills of an ISMS auditor Auditors should have knowledge and skills in the following areas. a)
Audit principles, procedures and techniques: to enable the auditor to apply those appropriate to different audits and ensure that audits are conducted in a consistent and systematic manner. An auditor should be able to apply audit principles, procedures and techniques, to plan and organize the work effectively, to conduct the audit within the agreed time schedule, to prioritize and focus on matters of significance, to collect information through effective interviewing, listening, observing and reviewing documents, records and data, to understand the appropriateness and consequences of using sampling techniques for auditing, to verify the accuracy of collected information, to confirm the sufficiency and appropriateness of audit evidence to support audit findings and conclusions, to assess those factors that can affect the reliability of the audit findings and conclusions, to use work documents to record audit activities, to prepare audit reports, to maintain the confidentiality and security of information, and to communicate effectively, either through personal linguistic skills or through an interpreter.
b)
Management system and reference documents: to enable the auditor to comprehend the scope of the audit and apply audit criteria. Knowledge and skills in this area should cover: interaction between the parts of the management system, ISMS standards, applicable procedures or other documents used as audit criteria, recognizing differences between and priority of the reference documents, application of the reference documents to different audit situations, and information systems and technology for authorization, security, distribution and control of documents, data and records.
d)
Organizational situations: to enable the auditor to comprehend the organization’s operational context. Knowledge and skills in this area should cover: organizational size, structure, functions and relationships, general business processes and related terminology, and cultural and social customs of the auditee.
e)
Applicable laws, regulations and other requirements relevant to the organization: to enable the auditor to work within, and be aware of, the requirements that apply to the organization being audited. Knowledge and skills in this area should cover local, regional and national codes, laws and regulations, contracts and agreements, international treaties and conventions, and other requirements to which the organization subscribes.
Internal Audit Procedure Revision 1, 2007 September 25
Page 23 of 26
4.11 Lead Auditors’ Qualifications
4.11.1 Generic Knowledge and Skills of an ISMS Lead Auditor Audit team leaders should have additional knowledge and skills in audit leadership to facilitate the efficient and effective conduct of the audit. An audit team leader should be able:
to plan the audit and make effective use of resources during the audit, to represent the audit team in communications with the audit client and auditee, to organize and direct audit team members, to provide direction and guidance to auditors-in-training, to lead the audit team to reach the audit conclusions, to prevent and resolve conflicts, and to prepare and complete the audit report.
4.11.2 Specific Knowledge and Skills of ISMS Auditors Information security management system auditors should have knowledge and skills in the following areas. Information security-related methods and techniques: to enable the auditor to examine information security management systems and to generate appropriate audit findings and conclusions. Knowledge and skills in this area should cover
Information security terminology, Information security management principles and their application, and Information security management tools and their application
Processes and products, including services: to enable the auditor to comprehend the technological context in which the audit is being conducted. Knowledge and skills in this area should cover: industry-specific terminology, technical characteristics of processes and products, including services, and industry-specific processes and practices. 5.0 Records
Audit programme Audit plan/Notification Audit checklist/Observation sheet Systemic requirements checklist Control requirements checklist Internal audit Report Non-conformity/Corrective and Preventive Action report or NCPAR
F-IA-01 F-IA-02 F-IA-03 F-IA-04 F-IA-05 F-IA-06 F-IA-07
Documentation Administration This work is copyright © 2007, Richard O. Regalado and ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum (www.ISO27001security.com), and (c) derivative works are shared under the same terms as this.
0100090000038908000000007507000000000400000003010800050000000b0200000000050000000 c0220005900030000001e0004000000070104000800000026060f000600544e50500601df000000410 b8600ee001f005800000000001f0058000000000028000000580000001f00000001000100000000000 00000000000000000000000000000000000000000000000ffffff00ffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffff ffffffffff00ffffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffffffffffffff
ISO 27001 Implementers Forum Author: Richard O. Regalado ffffffffffffff00ffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffff00ff ffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffffffffffffff0 0ffffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffffffffffffff00ffffffffffffffffffffffffffffffffffffffffffff ff007ffffffffffffffffffffe0075070000410bc60088001f005800000000001f005800000000002800000058000 0001f0000000100080000000000000000000000000000000000000000000000000000000000ffffff00a 9b0aa00aab1ab00abb1ac00acb3ad00aeb5af00b0b6b100b3b9b400b7bcb700bbbfbb00bec3bf00c3c8 c400c7ccc800cbcfcc00555655001f1f1f003f3f3f007b7b7b0095969500fefefe00eeeeee00d4d6d400000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 
000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000121210000f120f0012100f0f1012001212121100001210001210121010120f0f10 0f11101200101200001212100000101200101210121212100012121011121212101200101200111200 10121212101212121000000010131414160f1514150f14110a0e1114001414141100001411111400141 1131414141114121114001114001314141600001114001214111414141013141416121414141114001 214000b140011141414101414141200000011141211141214001412141114141114001411000000001 41111140014111412001411141211140011140014121114000011140012141114000000141211141214 0000111400121400151411111400000014111114000000101110131612140014121412161612140014 11000000001412121600141114121414111412111400111400101113150000111411141311140000001 11013161214000011141114130014160f11140000001411111400000000101414111214001412141314 1413140014141411000014141404001411141212121014141414001114001114141000001114141512 11141414001014141112141414111414141211140215111414140014111114000000101314101112140 01412140a12120a1400141100000000141111140014111412001210141211140011140013141011000 
01114001214111400000013141011121400001114001214121512151114000000141111140000001114 130f14121400141214140f0f14140014110000000014110f140014111413001411141211140011140014 130f1400001114001314111400000014130f1412140000111400131407150f15111400000014110f1400 00000013141412100e14161014141111141400141414120000141414040014110f14140a1014121114 121414141314141200001114141412111414141113141412121414141114141412161211140f1414141 114141412000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000202020202020202020203030303030304040505050607070808 09090a0a0b0b0c0c0d0d0e0e0e0e0e0e0e16160e0e0e0e0e0e0e0d0d0c0c0b0b0a0a0909080807070 605050504050303030303020202020202020202000002020202020202020203020303030304040405 0506060707080809090a0b0b0c0c0d0d0e0e0e0e0e0e02130f1302160e160e0e0e0e0d0d0c0c0b0b0a 090909080707060605050404040303030303020202020202020200000202020202020202020203030 303030304050505060707080809090a0a0b0b0c0c0d0d0e0e0e16121000000000001012160e0e0e0e 0d0d0c0c0b0b0a0a09090808070706050505040403030303030202020202020202000002020202020 20202020203030303030404050505060707080809090a0b0b0c0c0d0d0e0e160d1000000f130a120f0 000110c160e0e0e0d0c0c0c0b0b0a0909080807070605050504040303030303020202020202020200 Internal Audit Procedure Revision 1, 2007 September 25
Page 25 of 26
0002020202020202020202030303030304040505050607070808090a0a0b0b0c0c0d0d0e0e0c10001 1161414141414161100100d160e0e0e0d0c0c0b0b0a0a090808070706050505040503030303030202 020202020202000002020202020202020203030303030305040505060607070808090a0a0b0b0c0c0 d0e0e160f000f1414141414141414140f000f0e160e0e0d0c0c0c0b0a0a090908070706060505040404 030303030302020202020202000002020202020202020202030303030404040505060707080809090 a0a0b0c0c0d0d0e0e08001015141414141414141414151000080e0e0e0d0d0c0b0b0a0a0908080807 060605050404030303030303020202020202020000020202020202020202020303030303040505050 60707080808090a0b0b0c0c0d0d0e0d12001314090f1112141211110414130012160e0e0d0d0c0c0b0 a0a090908080707060505050403030303030302020202020202000002020202020202020203030303 030304040505060707080809090a0a0b0c0c0d0d0e0e11001615100012001100111100151600110e0e 0e0e0d0c0c0b0b0a09080808070706050504040303030303020202020202020200000202020202020 2020203020303030305040505060707080808090a0b0b0b0c0d0d0e0d1100140b0012141612000a14 1614140011160e0e0d0d0c0c0b0a0a090908080707060505040403030303030302020202020202000 002020202020202020202030303030404040505060707080809090a0a0b0c0c0d0d0e0e1100140b00 1214131200020d0a141400110e0e0e0d0d0c0c0b0b0a0908080807070605050504040303030203020 20202020202000002020202020202020203030303030304040505060707080808090a0b0b0c0c0d0d 0e1611000e14100000001210001010160c000f160e0e0d0d0c0c0b0a0a090908080707060505040403 030303030202020202020202000002020202020202020202020303030304040505060607070809090 a0a0b0b0c0c0d0e0e120012141513120a1416121216140f0012160e0e0d0c0c0b0b0a0a09090807070 606050504040303030303020202020202020200000202020202020202020303030303030404050505 060707080909090a0b0b0c0c0d0d0e0c00000c1414141414141414141600000c0e0e0d0d0c0c0b0b0 a0a090808070706050505040403030303030202020202020202000002020202020202020202030303 030304040505050607070808090a0a0b0b0c0c0d0d0e0e1200111514141414141414161000120e0e0 e0d0d0c0c0b0b0a090908080707060505050404030303030302020202020202020000020202020202 
0202020203030303030404050505060707080808090a0a0b0b0c0c0d0d0e0e0f00101314141414140 200000f0e0e0e0e0d0c0c0b0b0a0a0909080807070605050504030303030303020202020202020200 00020202020202020202020203030303040404050506060707080909090a0b0b0c0c0c0d0e0e0e0f00 0010111211000000120d0e0e0e0d0c0c0c0b0b0a09090908070706060505050404030303030302020 202020202020000020202020202020202020303030303030404050505060707080809090a0a0b0b0c 0c0d0d0e0e0e080f00000000100f080e0e0e0e0d0d0c0c0b0b0a0a0909080807070605050504040303 030303030202020202020202000002020202020202020202020303030303040405050506060708080 909090a0b0b0b0c0c0d0d0d0e0e0e0e0e0e0e0e0e0e0e0e0d0d0d0c0c0b0b0b0a0909090808070706 050505040403030303020302020202020202020000000202020202020202020202030303030304040 50505060707080809090a0a0b0b0b0c0c0c0d0d0d0e0e0e0e0e0e0e0e0d0d0d0d0c0c0b0b0b0a0a09 090808070706060505040404030303030302020202020202020000010000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000010800000026060 f000600544e50500701040000002701ffff030000000000