Internal Audit Checklist for Your Manufacturing Company

Written by
Risk Assessment in Manufacturing Industry

The manufacturing industry faces increasing scrutiny from regulatory agencies. As cybercriminals increasing target SCADA system weaknesses, an organization’s cybersecurity posture becomes more important to its ability to protect data and obtain important contracts. Starting with a security-first approach to cybersecurity often protects data, but to meet compliance requirements, the organization need to document the effectiveness of its internal controls.

Internal Audit Checklist for Manufacturing Companies

What are the primary cybersecurity concerns facing the manufacturing industry?

SCADA networks are a combination of hardware and software that control and monitor industrial processes. They allow manufacturers to interact with devices, log data, and control remote and local processes. Many of these devices, however, were not intended for the connectivity now necessary to maintain a modern business model. Therefore, they come with significant cybersecurity risk making the manufacturing industry a primary target for malicious actors.

However, SCADA risks can lead to not only production loss but, more importantly, loss of life. Since SCADA systems control critical infrastructure, cybercriminals increasingly target them more than they do standard business systems.

What are the regulatory compliance requirements for the manufacturing industry?

Regulatory compliance requirements in manufacturing are generally dictated by the federal government.  These requirements specify rules to ensure that national secrets are protected. They allow non-government entities the ability to create items for government use while still existing as private businesses.

International Traffic In Arms Regulation (ITAR)

ITAR covers both goods and technology, combining commercial and research objectives with national security requirements. It regulates items designed for commercial purposes that the military can also adopt, such as computers and software.

Defense Federal Acquisition Regulation Supplement (DFARS)

DFARS Safeguarding rules and clauses establish minimum security standards for information systems that process, store, or transmit Federal contract information. These basic controls must be implemented throughout the supply chain. NIST Special Publication SP 800-171 set for guidelines for compliance.

What are the primary industry standards affecting the manufacturing industry?

The manufacturing industry traditionally needs to implement controls based on the International Organization for Standardization (ISO) standards.

ISO/IEC 27001:2013

This risk-based approach allows a variety of organizations to and industries to apply ISO 27001. This flexibility makes it one of the most utilized information security standards. Moreover, ISO/IEC 27001 lists a series of controls in Annex A that acts more like a menu creating a choose-your-own-adventure style approach to security. These extended control sets offer management the option to avoid, transfer, or accept risks rather than mitigate them through controls.

ISO 9001

ISO 9001 supports specifies the requirements for a quality management system (QMS). Quality management systems document the processes, procedures, and responsibilities over quality and control objectives.

ISO 9001 audits incorporate three types of review: product, process, and system. The lengthy list of documentation required includes both mandatory and non-mandatory information. The list of mandatory documents includes document control procedures, records procedures, internal audit procedures, control of non-conformance procedures, corrective action procedures, and preventive action procedures. While that does not feel overwhelming at first, each of those categories lists additional documents needed to prove the process works in action.

5 Steps to an Internal Audit in Manufacturing

Although internal audits can feel burdensome, they effectively act as a “pretest” before the external auditors arrive. A successful and comprehensive internal audit can act as a “practice run” that allows you to remediate issues before the external audit and prevent official findings.

Identify your Subject Matter Experts (SMEs)

Even though this is an internal audit, you may need to incorporate stakeholders from across the organization. For example, SCADA experts and internal IT experts need to communicate and work together to create a holistic security first compliance approach.

Document your internal control procedures and your reasons for them

Regardless of maturity level, you need to make sure to establish a risk analysis, policies, procedures, and processes. This documentation acts as the roadmap for your compliance program which helps to create the audit scope.

Continuously monitor for control effectiveness

Cybercriminals continuously evolve their threat methodologies which means that a control’s effectiveness can weaken at any time. You need to continuously monitor your controls and remediate any potential weaknesses as soon as possible.

Continuously document your monitoring

Audits rely on documentation. Even if you are continuously monitoring, the auditor may return findings if you do not have the documentation. Documentation proves governance over the program which enables the Board of Directors to oversee the program.

Create an internal audit workflow

Communication before, during, and after the audit helps maintain security and compliance. You need to create a process for preparing, reviewing, and responding to the internal audit to ensure that all tasks are completed in a timely manner.

How ZenGRC Enables Internal Auditing in the Manufacturing Industry

Compliance programs require communication between internal and external stakeholders and an audit system that enables this.

ZenGRC offers workflow tagging so that you can delegate compliance tasks and monitor their progress and completion. Moreover, it allows you to prioritize tasks so that your team members know how to plan their activities.

ZenGRC’s workflow management capabilities include a centralized dashboard that continuously documents your control effectiveness making compliance documentation easier.

Additionally, it helps you create an audit trail by documenting and remediation activities to support your responses to auditor questions.

Using ZenGRC’s single source of information platform can speed up internal and external stakeholder communications and provide all documentation necessary thus reducing external auditor follow up requests.

For more information on how ZenGRC’s audit management workflows can streamline your process, contact us for a demo.