Chat with Experta

User
What does an Internal audit report include?
Experta
Typically, the Internal audit report includes the following elements:
- The dates when the internal audit was performed
- Who performed the internal audit
- Audit criteria: references used during the internal audit
- Audit scope: elements of the ISMS covered during the audit
- Audit methods: approaches used during the audit to gather information
- Audit trail: the sequence of performed activities and the findings identified through the applied methods during the audit process
- Recommendations for improvement
- Nonconformities

Examples:
- Audit date: November 28, 2022
- Who performed the internal audit: John Smith
- Audit criteria: ISO 27001, internal security policies and procedures, security requirements of interested parties
- Audit scope: the whole ISMS scope
- Audit methods: document and record review, personal observations, sampling, interviews
- Audit trail: first, the top-level Information Security Policy was reviewed together with security objectives, followed by the interview with top management...
- Recommendations for improvement: improve the communication of top-level objectives to all employees
- Nonconformities: the backup is performed every 24 hours instead of every 6 hours, as specified in the Backup Policy