Tips and tricks for an effective internal audit

Though there are several types of audits, the term ‘internal audit’, also referred to as ‘first-party audit’, is the most popular but challenging task in any ISO-certified organisation. As the name indicates, a qualified auditor who is part of the organisation, normally carries this out. 

The expectations from the internal audit or the internal auditors varies between each stakeholder and sometimes it becomes conflicting, making the process challenging. 

So, who are all the interested parties concerned about the internal audit and its outcome?

• Top management of the organisation, who wish the internal audit to be more stringent than the external audit, without any flexibility, so that the certifying body could not find any non-compliances at all.
• Head of department and employees of the department/function/process being audited, who wish that the internal audit should be more flexible compared to external audit. They expect that, in the event of observing a nonconformity, an internal auditor should understand the practical reasons that have resulted in the non-compliance and should consider not reporting the same. They may insist they will rectify the noncompliance, so the internal auditor should not document it in his or her report.
• The certifying body, which expects the internal audit to identify more gaps, because an internal auditor has a deeper understanding of the organisation’s processes and more time to carry out the process, compared with an external audit, and that the auditees may be more open to an internal, rather than external, audit. 

The above shows that expectations vary between interested parties. An internal auditor must therefore carry out his or her duty as effectively, efficiently, professionally and diplomatically as possible, while surviving in such a conflicting scenario. 

The following are a few tips and tricks for an auditor to keep in mind while conducting an effective internal audit to help in preventing misunderstandings and friction. 

Before the audit

Keep the auditees informed about the scheduled audit well in advance. Three to four weeks’ notice would be good. In addition, a reminder the week before will help. Sometimes information may be forgotten if given too early.

• Once the audit team/auditor is finalised, convey that to the auditee.
• Ask, unofficially, whether they are comfortable with the auditor. If not, change the auditor. In practical scenarios, there may be some consistent friction between two departments/two persons. If one such person goes to audit another such person, the purpose of the audit itself could be lost because of rivalry. This issue may seem silly, but it affects the cooperation between the auditee and auditor, which in turn heavily affects, the audit outcome.

Even a certifying body’s external audit has the option to revert if the organisation is not comfortable with the auditor(s) proposed, so why not with an internal audit too? 

• Never organise an audit where X is auditing Y’s department and Y is auditing X’s department; this could result in retaliation.
   

"Expectations vary between interested parties, with one group of people expecting the internal audit to be as strict as possible and another expecting it to be as flexible as possible. An internal auditor must therefore carry out his or her duty as effectively, efficiently, professionally and diplomatically as possible, while surviving in such a conflicting scenario."

Krishnan Lakshminarayanan CQP MCQI, Lead Auditor and Senior Manager at William Hare, India

During the audit

Most of the time, we may have to conduct the audit in large areas, not separate rooms. Ensure that your voice can be clearly heard by the auditee, but not audible to others in the next cubicle. 

• Do not closely question someone who is in charge of a function in front of their team members. Remember that, as an auditor, we are in no way above the auditee and not authorised to play with his or her self-esteem.

The auditor and auditee are simply playing two different roles, both with a common goal of better process controls. The purpose of internal audit is not to prove that internal auditors are influential, but to prove that the process is crucial in identifying gaps, if any.

• If conducting an internal audit of a particular department that has made a recent error resulting in a customer complaint, do not open your audit with that complaint. In fact, do not touch on that point if at all possible; the auditor’s intention should be to identify how effective all the activities of the department are being carried out in a holistic manner. By discussing an issue that already has the attention of the organisation, the auditor loses an opportunity to identify any other potential issues which have not yet surfaced. 

After the audit

• There may be issues identified by the auditor that, after further discussion, are determined to be one-off cases. An auditor may caution the auditee on possible recurrence and there is nothing wrong in ignoring such errors/deviations to focus on other key areas, rather than potentially wasting time in making it an NCR (Nonconformance report).
• After completion, be sure of the findings before briefing the auditee. If there are some observations where you cannot decide if it is an NCR or not, and so requires input from others, tell the auditee. However, ideally, discuss with them and decide on the category before you leave. 
• If an issue is found and the auditee says they have identified the root cause and will address it within a specific period, requesting that it is not to be recorded as an NCR, take an unbiased view on it, with the following considerations:
  • Is the root cause analysis effective?
  • Do all in the team agree with this?  
  • What is the proposed plan of action?
  • What is the extent of damage to the product, process or service? 
  • What is the impact to the customer if there is a delay in addressing the issue?
  • How serious is the team in addressing the issue or are they only committing to it to pass the internal audit? 
• The internal auditor may also give the auditee some tips on preparedness/improvements towards external audits. 

Conclusion

An internal audit is an ever-evolving process, which must adapt to any shifts in the organisation, including cultural changes. 

Though there are many favourable aspects of internal audits when compared with an external audit, one of the key factors is that auditees may be more transparent and willing to share evidences and documents with an internal auditor.

Internal auditors should try to reap the benefit of this, without compromising on the primary focus of audit – “to determine the extent to which audit criteria are fulfilled”.