Steps to Performing an Internal Audit
When effectively implemented, an internal audit can be considered the most important tool for achieving corporate objectives, because it keeps a pulse on business processes and on the consistency of business practices. The goal of an internal audit is to verify whether policies and procedures are being followed and to alert top management to any compliance or requirement gaps.
Internal audit is the primary continual monitoring process, and its output is critical to the growth of the company: identification of system ineffectiveness, corrective and preventive actions, and continual improvement. However, when internal audits are deployed poorly, they lead to increased non-value-added costs, wasted resource hours, and business process breakdown.
The internal audit process can be carried out with internal resources or through an independent third-party vendor. In both cases, it requires time, money and resources that have to be dedicated to the process.
The frequency of internal audits is determined by many factors, such as the risk of the system or process, the complexity of the system or method, and the availability of resources for internal audit. An audit can be done daily, weekly, monthly, quarterly, semi-annually, or annually. The frequency varies from department to department; some departments need to be audited more often than others. For example, delivery departments need to be audited very frequently because they deal with clients directly, so there is no room for error.
So, what makes an internal audit process more effective? Here are some questions you should ask before creating or improving your process.
- What standards (ISO 9000, ISO 27000 or GDPR) am I auditing to?
- How often should I conduct audits?
- How do I communicate with the auditees and the audit team?
- Have I created the standard operating procedure to support the audit process?
- How effective is my audit plan?
- Do I have trained auditors in my team?
- How do I record and maintain audit results?
- Is the follow-up process effective?
- How can I integrate my audit findings with the framework I have implemented?
- What can I do to increase management’s support for the internal audit process and for the continuous improvement process?
Once you have answered these questions, you can start to define your internal audit schedule. The main steps below explain how to conduct an internal audit and how they can best be used to focus on the improvement of business processes.
1. Know what and when to audit
Before conducting an audit, you must identify which department or business function is going to be audited. A clear understanding of the scope and the objectives will help you to create an audit schedule. An audit can be initiated based on the risks of the processes, or top management or a customer may demand an audit to check a process. The higher the risk in a specific business function, the more frequent the audits will be.
For example: in a software development company, a team of 10 developers is working full time on a project. The client escalates an issue related to poor delivery and quality control. The scope of the audit would then be the delivery and quality control process followed by the team, and the objective would be to identify the issue and prevent it from recurring by implementing relevant controls.
2. Create an audit schedule
Advance notice of the upcoming audit is necessary. This helps the auditee(s) to prepare for the audit and to have the necessary documents and records available. The audit schedule also serves as business planning for the resources required for the internal audit. Random or surprise audits are not recommended, as they may cause disengagement and stakeholders may feel threatened.
The audit schedule should be communicated at least 15 days in advance, and approval and confirmation should be obtained.
3. Pre-planning the scheduled audit
Pre-planning is essential to make any scheduled audit effective. During the pre-planning phase, the lead auditor or team leader needs to share the audit plan with the department, providing information about the audit scope, objective, criteria, location, and the policies and procedures that may be needed for the audit.
The lead auditor or team leader may also request special arrangements, such as access to the company’s premises or IT-related requirements, and may ask for policies and procedures to be shared by email in advance, in order to know what kind of evidence or records he/she may look for. A clear understanding of the policies, procedures and other related documents is necessary before the audit. This will increase the efficiency of the audit significantly and avoid wasted time.
4. Conducting the audit
Documentation review, site visits, interviews, and discussions are the different ways to conduct the audit. The audit team can choose any of these methods, or a combination of them, to perform the audit. The auditor must be a good listener and communicator and must ensure that the audit is conducted in a fair and unbiased manner.
The auditor can use the international standard requirements and/or internal processes as a reference to conduct the audit, and shall examine sufficient records to verify compliance with the implemented framework and the effective implementation of policies, procedures, and controls.
5. Record the findings
The main aim of documenting the audit findings is to identify gaps and opportunities for improvement. A finding can be of any type: Major Non-conformance, Minor Non-conformance, Observation, or Suggestion. It is recommended that the auditor hold a quick closing meeting at the end of the audit with a snapshot of the findings, to ensure the auditee is aware of all the findings and has a chance to clear up any queries or concerns.
6. Report the findings
The audit report should be easy to read and serves as evidence that the internal audit was conducted. The audit report must be reviewed and approved by the team lead or lead auditor before it is shared with the auditee(s). The report should include the audit scope, objective, auditee(s), date and time, location, findings, root cause analysis (RCA) (to be filled in by the auditee), corrective and preventive actions planned (CAPA) (to be filled in by the auditee), closure date and the audit score.
7. Follow-up audit
Follow-up is a critical step. When findings have been raised and corrective actions taken, verifying that the problem is actually fixed is a key part of the fix. No audit is complete unless it is followed by a follow-up audit to close the findings within a specific time interval. The auditor should schedule the follow-up audit to examine and verify the Root Cause Analysis (RCA) and the Corrective and Preventive Actions Planned (CAPA). Once these are verified, the audit report can be considered closed.
8. Continuous improvement
It is recommended to use the Deming cycle, i.e. Plan-Do-Check-Act (PDCA), for the continuous improvement of processes and products.