How to conduct a good internal audit?


    What is an internal audit?

    Internal audits are part of the ISMS evaluation phase and play a crucial role in managing quality and compliance with standards within organizations. Within most standards, an internal audit or internal review is a requirement. It is also an opportunity to improve processes and manage risks. In this article, we explore what an internal audit entails, the different types of internal audits, and how to conduct them effectively.

    What does an internal audit involve?

    An internal audit is a systematic and independent assessment of the activities and processes within an organization. The purpose of these audits is to evaluate whether the processes comply with established standards, guidelines, and legislation. Depending on the standard against which the audit is conducted, this may relate to various areas such as quality management, financial processes, IT security, and regulatory compliance.

    Internal audits are conducted by internal auditors, who are typically well acquainted with the organization's processes and objectives. This supports an objective assessment of the effectiveness and efficiency of the processes, but impartiality and objectivity must be guaranteed. This is not always easy in practice, especially in small organizations. In such situations, an external party is sometimes contracted to carry out the internal audit; this is permitted.

    Impartiality and objectivity

    An internal auditor must be impartial. This is important to ensure that the output of their work (the internal audit report) is credible, so that stakeholders can actually act on it. It is therefore wise to compose the internal audit team in such a way that auditors do not evaluate processes in which they have a personal interest. Internal audits are often conducted alongside another primary function, so it may not be wise, for example, to have a software developer assess compliance with the secure coding guidelines: he or she may have a negative opinion about those guidelines, or may know that they do not wish to comply with them themselves.

    Objectivity means something different from impartiality: it means that the auditor's judgment must not depend on their opinion about the subject. The assessment must be based on the requirements of the standard and not, so to speak, on the auditor's own requirements. The internal audit team must also obtain objective evidence, for example in the form of interviews, observations, sampling of records, and document reviews.

    Combining evidence

    One way to better substantiate findings (conformities as well as non-conformities) is to combine evidence: for example, when multiple auditees describe an undocumented process in the same way during separate interviews, or when process output is compared with the statements of an auditee.

    Why are internal audits important?

    Thoroughly conducting internal audits offers many benefits:

    • Process improvement: By critically analyzing current processes, inefficiencies and bottlenecks can be identified and addressed.

    • Risk management: Internal audits help identify potential risks and implement measures to manage them.

    • Compliance with laws and regulations: They ensure that the organization complies with relevant laws and regulations, which is essential for avoiding legal issues.

    • Building trust: Regular internal audits can increase the confidence of stakeholders, including customers and partners.

    Conducting an internal audit

    An effective internal audit requires a structured approach. Below are some key steps in the audit process:

    1. Mapping the processes within the scope

    A successful audit begins with careful planning. This includes determining the scope of the audit and then identifying the processes involved. The level of detail depends on the size of the processes. In small organizations, for example, the entire financial process might be under one auditee. In that case, a process description of "Finance" may suffice. In larger organizations, a distinction is made between accounts receivable management, accounts payable management, payroll, etc. This should be reflected in the audit program.

    2. Developing an audit program

    After compiling the list of processes, it is necessary to think about how the processes will be assessed. This also depends on the organization. For example, if the organization has many locations, it may be useful to conduct audits per location, indicating which processes are performed at which location.

    In some organizations, it is useful to split the internal audit process over several months, auditing a small part of the processes each time. This allows for improvements based on the identified non-conformities to be spread more evenly throughout the year.

    3. The planning

    Once the audit program is ready, it must be scheduled. Most audits begin with a brief opening meeting, in which participants and management are informed about what will be assessed, and end with a short closing meeting, where the results are discussed. Between these, the various processes are assessed. Depending on the process, an audit conversation typically lasts between 60 and 120 minutes. For large processes, it may be helpful to split this into multiple interviews for better results.

    4. The execution

    After developing the audit program, you determine who would be a suitable auditor for each process. Care must be taken to ensure the objectivity and independence of the auditor. The auditor considers the relevant normative requirements for the process before the audit begins. It is most helpful to create a list of planned components from the standard, clearly outlining the normative requirements.

    The auditor engages in conversation with the auditee. It is important that the conversation takes place in good harmony. The goal of the audit is to establish conformity, not to 'hunt' for non-conformities!

    5. Reporting

    After the audit is conducted, a detailed report must be prepared. This report includes an overview of the findings, conclusions, and recommendations. It is essential that the report is clear and understandable, so that it can be used by all stakeholders. ISO 17021 provides a set of guidelines that the report must meet.

    6. Follow-up

    The final step in the audit process is the follow-up on the recommendations. This includes implementing corrective actions for identified non-conformities and monitoring progress. It is important to ensure that these measures are effective and that the improvements are sustainable. Do you want to know how best to follow up on non-conformities? Then read: Nonconformities, what now?

    Tools for internal audits

    Today, there are various tools available that can help organizations conduct internal audits. Software such as auditreporter.io can simplify the audit process by integrating planning, execution, and reporting on one platform. This can not only save time but also improve the accuracy and consistency of the audits.