If you are doing an internal audit just to please IANZ, or avoid a Corrective Action Request (CAR) at your next assessment, it's likely there is something amiss. In fact, IANZ assessors are often left confused when a business is running an audit programme that lacks value and provides no focus on risk or assurance. Audits are about more than just IANZ, CARs, compliance and conformance. Internal audits can drive real change and add value for businesses and organisations. But many internal audit programmes lack power, objectivity, rigour and capability. So how can we change this?
Grow and Improve
An audit programme that does the same thing over and over again is unlikely to be the value-adding process that it ought to be. Businesses can use standards and IANZ accreditation to drive quality and innovation and to ensure services are delivered consistently and competently. Adapting and continually improving internal audit processes is key to this. You should consider:
- Enhancing the planning and scoping phase of your internal audit programme to identify areas of key risk and how these areas will be included in the audit.
- Assess your business goals and objectives. Ensure that the internal audit process is used to monitor and report on these.
- Customers, regulators, suppliers, employees, boards, councils, accreditation bodies and more. Businesses have many stakeholders and they all want insight and assurance on risks and controls. Make sure you are continually identifying stakeholder concerns and utilise the internal audit process as part of this too.
- Consider the tools you are using. If you are pulling the same audit checklist out year after year, ask yourself, "is this really adding value?"
Training
Auditors need to be equipped with the right skills and competencies in order to ask insightful questions and to understand business risks and controls.
- What training do you provide to internal auditors? How do you ensure auditors are undertaking effective audits with credible outcomes and recommendations?
- Consider developing training modules for internal auditors. Seek external training if necessary. Audit training can benefit everyone - auditors and non-auditors alike.
- Is there an opportunity to introduce guest auditors or to involve different people and teams in the internal audit programme?
- How are you ensuring independence? This can be an issue for smaller organisations. If you are an internal auditor, have a long hard think about your relationship to the area you are auditing.
- It can be useful for different business functions to get involved in internal audits. Even if someone is not a trained auditor, they could be a technical expert and provide greater depth, knowledge and insight to the audit process.
Risks
Internal audit has a critical role in helping your company manage risks, challenges and threats. Leading businesses and organisations use internal audits to identify, consider and manage these. You may wish to seriously consider the following as part of the internal audit process:
- What emerging risks are happening in your industry? Are you identifying and managing these? CERT NZ's 2021 Q4 Report on cyber security incidents reported more than $6 million in direct financial loss to New Zealanders. Has your business considered your cyber and data security practices as part of the internal audit programme?
- COVID-19 unfortunately had a big impact on businesses across Aotearoa. This highlights the importance of business continuity management as a tool to ensure survival of your business. Internal audits can assess and evaluate your systems for recovering from disaster and crisis.
- Suppliers, contractors and vendors present different risks and opportunities that should be evaluated and assessed during internal audits.
- Accreditation places importance on systems for ensuring integrity, impartiality and independence. Use internal audits to verify and evaluate these systems.
- We have seen increasing volumes of mergers, acquisitions and divestitures in the past few years. Audits can prove valuable in assessing legal, financial and system compliance for such changes.
Data
Auditors need to look for objective evidence. Data can be used as evidence and can provide valuable business insight. Areas to consider include:
- Key Performance Indicators (KPIs) - defining KPIs and their thresholds can give insight and warning signals. Examples could include changes to operational efficiency, quality, profit, loss, logistics, overdue work, customer service and turnaround time.
- Social media can be used to review customer service and to monitor feedback and complaints. Data related to retention and attrition of staff can provide meaningful insights.
- A review of data on non-conformance management is essential. Not only is it important to IANZ that you are following up on corrective actions after the assessment, it also makes good business sense to ensure that action taken has been effective and recurrence has been prevented.
Tips
- Internal audits should be driven by evidence, not assumptions. This is not a test of the internal auditor's knowledge.
- Systems for ensuring competent personnel and service delivery are critical. Think hard about how you will verify and assess these during internal audits.
- Fail to prepare, prepare to fail - develop a robust and well-thought-out audit plan.
- While you may undertake a document review as part of an internal audit, reviewing a procedure or document alone is unlikely to be appropriate. Supplement this with other activities including review of data, records, reports, interviews, witnessing, analysis, verification and sampling.
- Senior management and leadership need to be actively engaged in, and supportive of, the internal audit process and its outcomes in order for it to have effect.
- Continue to use ISO standards to raise the bar.
Written by Jennifer Foley, Programme Manager Inspection Bodies at IANZ.