What is the Internal Audit?
This is one of the prescribed procedures within the ISO Standards. It requires that periodic reviews of the operation of all procedures take place – in such a way that discrepancies can be identified and appropriate action taken. The logic is that if the ISO Standards require the procedures to be followed and have been certified on that basis, then there needs to be a check to ensure this continues to be the case.
The purpose is to allow the organisation itself to get into the habit of checking what it does on a regular basis. Audits may uncover that the activities being undertaken are not what are written into the procedures. This may or may not be a bad thing – and changes should be made to bring them back in line with each other: either the activities be changed to match the procedures OR the procedures changed to match the activities. This latter case would imply that an improvement has been identified that needs to be brought into official use. This therefore forms part of how the organisation demonstrates continual improvement and advances in efficiency, effectiveness and skill-set.
How does an Internal Audit work?
Typically the Auditor looks at one procedure within the ISO Standard at a time. They review what the procedure requires and determine (in advance) a series of questions that can be asked to ascertain what is going on and whether this is appropriate. Ideally these should be different from the questions asked the previous time the audit was carried out. One exception might be where a non compliance was found and this should be followed up the next time round to check that the changes have been made to correct this anomalie.
The Auditor reviews the records relating to that procedures and matches what they record with what the individuals who operate that procedure are saying trying to see if there are any improvements that can be made. It is important that it is clear to all parties that the questions are NOT trying to find fault, but to find ways to improve things – and, as such, the participation and enthusiasm of the person being questioned should be invited. If they perceive this as a witch-hunt for someone on whom to pin blame, then the purpose and benefits of the audit will evaporate.
Once the answers have been compiled, the non-conformances and explanations are analysed (usually in the first instance by the auditor) to determine the appropriate follow up actions. These, once authorised as appropriate, are then given to the appropriate personnel to complete. Once complete then this particular Internal Audit is finished – while the findings are fed into the Management Review meeting to be followed up there.
Who should carry out an Internal Audit?
An internal auditor can be a member of staff or an external consultant. The key things to ensure are that a) they know what they are doing, b) ideally they have had some form of training in the process (contact us if you want your staff trained in this area), c) they are aware that they are entitled to ask questions and to get honest and correct answers – and not to be put off because the person they are asking is more senior or being difficult. Clearly if they are busy, then it is not the right time to ask – but this does not mean that that section of the audit should be forgotten.
Ideally each procedure should be audited by a different person each year – allowing a fresh pair of eyes and ears to review the situation and try to find issues missed by others.
The auditors should not check their own work as this can cause a conflict of interest and even in the case of the scrupulously honest, it may result in things being missed or no new ideas generated. Where a particular procedure is only carried out by a small number of people, and only they understand it, this can cause a problem.
Sometimes an external consultant is used in combination with trained internal staff auditors – the aim is to provide an alternative viewpoint from someone with the experience of many audits in other operations – which may not the case in the instance of someone who has worked with the organisation for years. This also helps where the procedure is known to so few in the organisation that it is difficult to find unbiased internal auditors. By carrying out a rolling brief, the consultant can do different audits each year – with the staff undertaking the remainder. Alternatively, the consultant can do them all – it just depends on the requirements of the organisation.
What training is needed to perform an Internal Audit?
The training can be divided into three separate areas:
- Awareness Training – aimed at people being audited so they understand what is happening, why, what their role should be and why this is a positive experience not a criticism.
- Audit Training – aimed at the internal auditors to ensure they know what to do, how, why and to ensure they carry this out in a positive manner to best generate useful information. As a result of this training they will be able to compile the questions to be asked, investigate the procedure thoroughly but sensitively, determine whether there are improvements to be made whether ideas generated by themselves or the person be audited and with the appropriate credit attached for the ideas. Finally they need to know how to write this up and devise the list of follow up actions to be carried out. In some instances they may be required to complete the follow up actions themselves as well. When we carry out this sort of training, we allow the trainee to accompany our consultant while they carry out an audit and the trainee watches. Later they will repeat the process on another audit but with the roles reversed – effectively a supervised audit. In both instances the trainee will write up the results. Contact us for more details.
- Accredited Auditor Courses – these are internationally recognised auditor qualifications that are tied to third party courses. They provide comprehensive details of how to undertake an audit, why, what to do and how to follow up. For more information on Accredited Auditor Courses, please contact us.
Why is the Internal Audit important?
The whole ISO Standard approach relies on a constant cycle of improvement. Thus each year the systems should get better – and as a result the organisation should get better. (This can happen faster than each year – the period is up to the organisation concerned). There are several inputs into the process that allow collection of ideas and data supporting what can be changed: feedback from clients, from staff and from external auditors together with new ideas from management and goals set by the Board, changes in legislation and also the feedback from audits where often new approaches are identified by those working on the subject on a daily basis. Thus audit results feed back into the development of the organisation.
For this reason, it is vital that an audit be regarded as a positive opportunity to shine. The person being audited should recognise that this is their opportunity to display their abilities. Either they have done a good job and followed the procedures and have completed the records or, possibly better still, they have developed a better way to do things that the organisation can now adopt and (ideally) recognise the input from that person as well. This has the double benefit of improving the company and raising staff morale as they see that proactive improvement efforts are rewarded.
Alternatively, the staff member being audited has not done a good job which can be for a number of reasons: they do not understand properly what needs to be done; they do not have enough time to do everything that is expected of them to the level required; they do not have the equipment or infrastructure to do it properly; they are lacking the authority to make the required steps happen. In EVERY one of these situations, the person responsible the failure to perform is NOT the person carrying out the actions. Why? Because a staff member that does not understand needs to have more training and this should have been spotted by the manager. If the staff member does not have time or equipment or infrastructure or authority to get the job done, then this too should have been spotted by the manager and it is in their power to get this changed not the individual concerned. So blaming the individual is pointless. NB often if the manager does not have the time, authority, ability to make the changes necessary, that is not their fault either but the Board member that oversees their work. Ultimately ALL blame reverts to the Board – which is a strong tool for getting audits to be carried out efficiently as it ought to result in improved resources.
What results from Internal Audit?
The feedback from an audit consists of a list of areas where the procedures are being followed together with a list of areas where they are not. The latter can be more interesting if, from studying it, it can be determined that there are better ways to go forwards than the way shown in the existing procedures.
In every case, audit results help the organisation define its way forward. It is the best way for staff members to highlight deficiencies in resource. It is a very good way for junior and senior staff taking turns as auditors to get to know other areas of their own organisation and finding out how it works, what the issues are and bringing their own experience to addressing the issues they uncover. It is often the cheapest way of solving a problem – rather than utilise external consultants that may have excellent answers, but, unsurprisingly, will want to be paid.
When should an Internal Audit be carried out? How often should Internal Audits be carried out?
The ISO Standard requires that each procedure be tested in a cycle. For smaller organisations the cycle might last a year and is repeated annually. For organisations wanting to develop and change their procedures faster, they can choose to undertake the cycle more frequently. For more complex organisations, it may be necessary to spread the cycle over a longer period than a year. In this instance, it is not uncommon that the most significant procedures are tested annually, while others only tested once every, say, three years. In other words, it depends on the organisation, its complexity, its scope of activities and its own desires to develop. Whatever cycle length is chosen, the organisation should expect to have to explain this to the assessors at the annual certification renewal assessment. It is likely that a reasonable approach will be acceptable – especially if it is clear that the logic is to optimise the audit programme rather than to avoid it!
Meet a Qualitator