Seven Things Internal Audit Managers Do Wrong
Do you want to improve your internal audits? Here are seven (7) common areas we see that internal audit managers could do better.
And How You Can Get Them Right...
1. Run a proper risk based audit programme
All management systems should now be risk based, and it follows that audit programmes should be too. If an organisation audits everything at the same frequency, then it is auditing some areas too frequently and some areas not frequently enough. In a nutshell, it’s just a poor use of resources: the auditors and the auditing are there for the sake of auditing and ticking some boxes.
All management system standards define clearly that the audit programme should be based on the importance of the processes and the results of previous audits. Therefore a process that is not working well (poor status from previous audits) and is critical (high importance) should be audited more frequently than a process that works well (good status) and is of low value (not very important).
2. Clearly define the audit objectives
The audit objectives define why the audit is being done and what its purpose is. Normally this is specified as something like “to confirm staff are following the procedures”, but what if the procedures are incorrect or nonconforming with the criteria? Do we really want to check whether people are following incorrect requirements? Will this lead to improvement? No!
More time needs to be spent on working out why your auditors are actually conducting audits: what is the point, and what are you and they trying to achieve?
Consider using objectives like:
- To check if the procedures and what happens are in alignment and consistent
- To determine whether staff understand their roles and responsibilities
- To identify areas for improvement
- To determine levels of consistency across processes
These objectives should then be communicated to the auditors. Or, better still, determine the objectives as a team!
3. Clearly define the audit scope
The ‘official’ definition of the audit scope is the extent and boundaries of an audit, which really means:
- How big is the audit?
- How much should it cover?
- What areas, departments, processes, or locations are to be included?
Often the scope is not defined at all, or words are used like “the entire management system” or “all processes”. This is not helpful: it means the audit is simply too big, and the result too vague.
Even when scopes are defined you often get scope creep, where the auditor goes off looking at things they want to look at rather than what is required. They go off on trails, asking questions that are not relevant to the audit.
Scope statements should specifically define the boundaries of the audit, and both the auditor and the auditee need to understand this. This helps keep the focus and relevance of the audit and ensures the auditor stays on topic.
4. Clearly define the audit criteria
The audit criteria are what the audit is checking against. They may be an internal document, such as a procedure or process, or an external document, such as an ISO standard or a section of legislation.
Like the scope, the audit criteria help keep the auditors on track and are used to determine whether a work activity complies or does not comply with the criteria stated.
Auditors need to be familiar with the requirements of the audit criteria. Audit findings are only relevant when they can be referenced back to the criteria, not to the auditor’s opinions. All too often auditors write findings, especially negative findings such as nonconformances, that are not related to the actual criteria they were auditing against.
5. Use properly trained auditors
Auditors need to be trained. In the same way that other people need training for their role, auditors need to be trained for theirs. You wouldn’t dream of using an unlicensed electrician or an unregistered pest controller, so why use auditors who aren’t trained?
Training ensures that the auditors do their job correctly; that they use a consistent approach, and that they know the intricacies of dealing with people. Trained auditors know about audit objectives, scope and criteria, and they know the importance of opening and closing meetings and how to gather and review evidence. They do the job right.
6. Use auditors with the correct knowledge
Even if your auditors are trained, they still need to know what they are looking at. The auditor needs to understand the discipline they are auditing.
Disciplines may be areas such as:
- Information Security
- Food safety
Auditors also need to know the subject or sector, which may be areas such as:
7. Audit different areas of the business rather than continue to do audits that find the same things
If you know what the auditor is going to find, and it’s going to be the same as the audit before, and the same as the audit before that, there is absolutely no point in doing the audit.
As Einstein supposedly said, “The definition of insanity is continuing to do the same thing and expecting a different result”.
You need to follow up the nonconformances previously raised in these areas to ensure that appropriate corrective action has been taken. This may mean checking that the trainers, coaches and mentors have been involved to get the process working properly, and that the people doing the work have been engaged to prevent recurrence.
It’s pointless continuing to audit the same areas and raising another pile of nonconformances, to file yet another audit report with the same findings.