Blog What Makes a Good Internal Audit?

Auditor skills

• It’s important the internal audit is conducted by a trained and competent auditor who is independent of the area being audited – this allows impartiality and a balance judgement on evidence shown in the audit
• If you cannot afford to operate your own internal audit function, consider using an independent third-party auditor who can work with you to support your auditing requirements
• Always use accredited and credible training providers for your auditor pool so that your auditors are confident about what the standards require and the approach they take – this way you will get the most out of the time spent

Audit planning

• Ensure you work with the auditor to define the scope, so it is clear what will be examined and the types of questions that will be asked
• Ensure adequate time is planned for conducting the audit – a rushed audit will be ineffective and waste both yours and the auditors time as it will most likely not fully examine the scope
• The auditor will likely want to speak to several relevant staff members. Ensure this is organised at appropriate intervals so the audit can be conducted thoroughly
• Your auditor will also need to plan sufficient time for report writing and corrective actions. An inadequate report that is hastily put together will not convey the health, wealth, and strength of the areas of the Management System

The audit day(s)

• Your auditor will likely use a checklist or an outlined schedule of topics and areas to be covered from the planning stage. Have a copy of this too to guarantee everything is covered
• For a time-efficient audit, and to ensure everything planned gets covered, allow the auditor to have access to all appropriate evidence required. This is particularly useful to assess issues and nonconformities, and for recalling when writing the audit report. Allowing you to get the most out of the internal audit

Audit reporting

When receiving the audit report, ensure your chosen auditor follows best practise:

• The audit report should always include an executive summary at the beginning. This will outline the strengths and weaknesses of the processes in the scope of the audit, and a balanced view of the health of the Management System
• Your auditor should provide you with a concise, factual, and easy to read report which includes numbers and details of any audit findings on the first page so that Senior Management have this information immediately in front of them
• An auditor should always confirm any audit findings or nonconformities observed before distributing the audit report and final findings list
• The report should always categorize between nonconformities and auditor observations so it is clear where the problems lie that need fixing immediately vs things that can be improved later on
• Nonconformance statements need to be concise and directly refer to the standard requirement and/or the internal process or procedural requirement that was found deficient, so you can easily resolve. Make sure hard evidence findings are attached or referenced too.

Even if your audit report has some nonconformances and/or observations, it’s important to take note of the reported positive aspects too and share them among the wider team.

Collecting data

Collecting data on audits and outcomes of audits doesn’t have to be complicated. Simple measures should help your organization understand the progress of audits within the annual audit schedule as well as any audit findings and this all becomes useful data for the Management Review to make effective decisions about the health of the management system.

• Collecting data allows your organization to look at trends that may be happening within a process or across the business (systemic issues)
• Data allows comparisons of before and after implementing improvements to see if things are improving
• Only collect data on what you need and don’t overburden staff or create systems to collect masses of data that will never be analysed

Some examples of useful audit data

Schedule adherence

• Audits planned vs actual – a measure that audits are being performed
• Planned hours vs actual hours – a measure that can help plan future audit time more accurately
• Overdue audits – a simple count of audits that have slipped beyond an acceptable deadline

Examples: 

The overall gain/loss line shows under planning the time for audits

Audit Trends

• Overdue trend – a measure of increase or decrease in overdue audits that indicates a lack of audit resource or auditee support
• Nonconformance trends – you can dice the nonconformance data in any way that helps you determine where you are going wrong. The most common NC trends are:
  • By process
  • By ISO clause or area
  • By severity (Major, Minor, Observation)

Internal audits also delve deeper into the implementation and compliance of processes than those performed in certification audits so can be a far more accurate indicator of how well your processes are adopted within the organization.

It is important that Senior Management recognise the need to assign time and resources to internal audits, but it is equally important that auditors perform efficient, clear and effective audits so that Senior Management get a true and accurate picture of the performance of its business operations.

Written by CertiKit’s Lead Auditor Jerry Lawrence who works with our clients to implement their management systems and perform internal audits to ensure they’re ready for their certification audit. Jerry is a qualified ISO27001 Lead Auditor and has gained a varied degree of experience over the last 25 years, holding positions as QA Manager and more recently covered both QA and Information Security Management.

CertiKit offer both full pre-certification audits and ongoing internal audits performed by our team of qualified lead auditors.

We offer internal audit services in the following ISO standards:

• ISO27001
• ISO9001
• ISO14001
• ISO45001
• ISO22301

Find out more