If you are part of a company which has ISO Standards implemented, you are only too aware of the need for internal audits as part of your “System”. Your System might be quality, environmental, OHAS or Information Security or a combination of these. The requirements in the ISO 9001:2015 Standard are clear:
“a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
e) take appropriate correction and corrective actions without undue delay”
But internal audits are and should be implemented in a range of circumstances in business, regardless of any ISO requirements. Scenarios such as financial governance, product specification and quality control are all areas where Internal Audit might be applied. Its overall purpose is to assess the effectiveness of the internal controls of the business.
Internal audit programmes should look to cover all areas of the business covered by any “System” in a given timescale. It’s also important that there is a framework for the audit so that the scope of the audit is clear (department, activity etc.) and the criteria used in the audit are consistent.
An internal audit plan helps give structure to inward-looking scrutiny. But that is not to say that it has to be rigid. It is perfectly acceptable to audit more frequently and in greater depth those areas which represent risk to the system or organisation.
The programme should be built to scrutinise those areas of most risk to the business (quality, operation, data protection, emissions, customer satisfaction etc). If specific areas of the business show up issues when audited, it is right and proper to devote more time and energy to them by increasing frequency. This adds value by maintaining scrutiny and by helping demonstrate and bring about continuous improvement.
The audit itself will be dependent on a combination of techniques, appropriate but consistent across the business. Desktop review, interviews, audit trails, mass balance, the list goes on. Whatever technique produces information that has value is important.
Internal audits should be conducted by those not directly involved in the activity. In this way, their findings are impartial, and they are under no peer pressure to avoid finding problems. This can be challenging in a small company with limited numbers of people to conduct Internal Audits, so some investment in training can widen the resource.
Of course, Internal Auditors should be competent, through a combination of training and experience. If not available internally, there is a wealth of public training available. We can point you in the right direction on this.
To maximise the value of the audit, it is important the report is accurate and complete. But most of all, reports should be communicated and considered, the findings identified, and any improvements required acted upon. That’s where the real value of the audit lies.
In the world of ISO, the Management Review meetings are an obvious vehicle for this dissemination of information and objective setting, but any forum that brings together decision makers in the business will contribute to continuous improvement.
Internal audits – not just a tick box exercise and burden, but a valuable contributor to improvement.
Check out our blog "Value of the Internal Audit" where Adam and Chris discuss this.