Top five questions asked by new Internal Auditors
This week I have been running a health & safety internal auditor course and it struck me that whatever the standard or organisation the primary concerns of newly trained internal auditors are consistent. During the course I made a note of some of these common questions, and have added answers below.
Q1a: How long will the internal audits take me?
This is probably the number one question asked by newly trained internal auditors.
The time to carry out an internal can be divided into three parts; pre-audit, audit, and post audit. The actual time required depends entirely on the audit scope and this can vary widely between organisations and audit programmes. Some audits may be of one procedure or process at a single site, while other audits may follow a process across departments, sites and contractors. Nevertheless for a ‘typical’ internal audit programme the average may be half a day to prepare (develop a checklist and make arrangements), one day to carry out the audit, and between half a day and a day to evaluate findings and write the report.
It is vital that top management give support in the form of time for trained staff to carry out their internal audit duties as well as releasing staff to act as auditees.
Q1b: How many audits will I have to do each year?
This is dependent upon the number of planned audits each year listed on the internal audit programme, and the number of trained auditors. I recommend that each trained auditor conducts at least 3-4 audits per year so they keep their skills finely tuned. I also recommend that newly trained internal auditors have the opportunity to conduct their first audit within weeks on completing the training course, ideally accompanied by an experienced auditor.
I ask audit programme managers to supply updated copies of the organisation’s internal audit programme for distribution during the training course so that delegates can visualise the time commitment involved and plan accordingly.
Q2: How will I remember all of the requirements?
As trainee auditors gain an appreciation of the audit criteria including standards (ISO 14001, ISO 9001, and OHSAS 18001), legislation, and company policy and procedures they can be overwhelmed by the amount of information.
My advice to auditors is to carry out careful planning before each audit. Generally internal auditors will only be auditing one topic at a time (eg: training, manual handling, waste management) so there is opportunity prior to each audit to review organisational procedures in that area, best practice and applicable legislation. It is therefore important that the organisation provides internal auditors with accurate and up to date information such as registers of applicable legislation and access to regulatory websites such as www.hse.gov.uk , www.environment-agency.gov.uk , and www.businesslink.gov.uk. Service providers who distil and provide updates on regulatory information can also be very useful sources of information such as www.cedrec.co.uk and professional institutes such as IEMA, IOSH, and CQI. Organisations should provide ongoing professional development plans for their internal auditors including auditor refresher training.
The process of compiling a checklist against the various audit criteria is helpful as the auditor internalises and sets out the requirements in a structured way and anticipates the likely responses, it also saves the inconvenience of having to go back to the auditees following the audit to ask additional questions.
Some organisations provide pre-prepared checklists for internal auditors to use, but these have advantages and disadvantages. They may save time and improve consistency, but can lead to unimaginative tick-box style audits, and must be reviewed and updated each time the procedure changes.
Q3: Can I audit my own work?
The simple answer to this question is no, auditors should be independent of the area that they are auditing. This is not normally a problem where an organisation has an audit team who can audit each other’s departments or processes. It does sometimes cause a problem in very small organisations, or where there is only one trained auditor who is also the person responsible for the management system(s).
Solutions include training additional auditors, sharing audits with like-minded organisations in the area who also have trained auditors, or subcontracting all or some of the audits to an independent third party such as The Internal Audit Service.
Q4: Is this audit finding a Nonconformance or Observation?
The evaluation of audit findings is an art as well as a science.
An audit course will explain that a nonconformance is a ‘deviation from a specified requirement’, while an observation is a ‘minor weakness or opportunity for improvement’. Some organisations have very elaborate classification systems for audit findings using scoring systems while other stick to simple terms. No matter how well the classification system is defined there will always be an element of auditor judgement and auditors don’t want to be seen as heavy-handed police, rather agents of business improvement. The level of engagement shown by the auditee can make a difference by giving the auditor confidence that findings will be addressed.
As a rule of thumb I always say that if you can’t find the requirement in the standard, legislation or company policy or procedure then it is probably an observation rather than a nonconformance. When writing nonconformances I recommend following a strict rule “State the requirement, then state the finding”. In this way the person on the receiving end will understanding precisely how current practice differs from the minimum specified requirements.
Internal auditors should ensure that their audits are risk-based, focussing on the highest priority issues first thus adding credibility and value to the whole process as opposed to raising dozens of low-risk findings. If many similar findings are found they can be grouped under one common finding that targets the cause of the issues.
Q5: Exactly what should my audit report look like?
Generally internal audit reports have a front sheet containing essential information such as audit scope, date, auditor details, auditee details, locations visited, and a summary of the findings. Report forms contain space to identify the clauses of the audit criteria, audit notes, and audit findings. Nonconformance reports normally contain several sections including a summary of the problem completed by the auditor, and sections describing how and when the problem was fixed, more strategic root cause analysis, and a close-out section.
However internal auditors need to know exactly what forms to fill in for their organisation, where to find them, who to send them to, and what will happen afterwards. They also need to gain an understanding of the house style including length or report expected, language style, and terminology. If a computer system is used they require training in how to access the system, complete and submit reports, as well as how to interface with the systems for ongoing actions such as audit follow up.
One of the advantages of an in-house auditor training course is that it can be tailored to the organisation’s particular internal audit procedures so that auditors gain an appreciation of exactly what the organisation expects and thus feel more confident when carrying out their new duties.
For more information of how to improve your internal audit programmes and tailored auditor training contact Marek Bidwell at Bidwell Management Systems.