4 Key Steps on how to Conduct a Good Internal Audit
Many companies have their own internal auditors to help identify issues within their business – mainly whether the business is compliant or not. But is the business making the most of the internal audit process? Does the internal auditor know how to conduct a good internal audit?
We have compiled 4 key steps that we think an auditor should go through in order to conduct a good audit.
Is your system compliant?
The first thing with any system, with any policy, process, or procedure is – does it comply? Does what is written in your system actually say what it is required to say? This doesn’t mean that a lot needs to be written, it just means that what is written needs to be right.
- ISO standards often require things to be done at “planned intervals”, e.g. the sections on internal audits and management reviews. In these instances, organizations need to state when these planned intervals are, such as weekly, monthly or possibly quarterly, or through the use of a schedule or programme. What is not compliant, however, is using terms like “regular” or “as required”.
- There is a legal requirement that states that “no work is to commence before 7am”, however the system states that “work starts at 6:30am”.
Is your system effective?
Once your system is compliant, the next step is to check whether it is effective – does it happen all of the time? And all of the time means always, all the time, and everywhere: every applicable place that it is required to occur.
- If your system states that ‘all products past their use-by date will be removed from sale,’ then there must be no products on the shelf past their use-by date.
- If your safety procedures state that ‘all personnel must wear protective eyewear,’ then everybody must wear protective eyewear; no excuses, no exemptions. Everyone.
Is your system efficient?
Now that your system is compliant, and you know it’s happening all the time (it’s effective), you can check whether it is efficient. Efficient means being done as quickly as possible for the least cost. A word of warning here – many internal auditors and people in general want to jump straight to this efficient step. However, if you’re not compliant and you’re not effective, meaning things are incorrect – it just means that by becoming more efficient your organization will be doing more incorrect things, both faster and cheaper!
- You are in the customer service section and there is a requirement that all emails are to be answered within 48 hours. Upon checking you find that whilst that does occur, 90% are answered within the final 4 hours.
- You are reviewing some paper folders and whilst all the information that is required is in every folder, in each case it is filed differently.
Now, can you improve?
The final step is to report what you have found, and there is not much point writing up loads of possible “improvements” in efficiency, telling people how it could all be done better, if it’s not compliant in the first place. So report what you found in the correct order.
Firstly, report where your organization is not compliant.
Secondly, report where they are not effective – it’s only happening some of the time.
Finally, report where inefficiencies exist – where the bottlenecks are, where wastage occurs.