How to plan internal audits. A summary guide.
Since every company is different, there is no single, right way to run an Internal Audit.
But there are common Internal Audit management pitfalls to avoid, such as:
- Ineffective leadership, which leads to unclear documentation or an ineffective Internal Audit process.
- Too many manual Internal Audit processes, leading to omissions and mistakes.
- Staff that resist Internal Audits, and mistakenly believe they are snapshots rather than ongoing.
- Findings that are presented too mildly and fail to fully trigger the corrective actions needed.
To run a successful Internal Audit, there are certain fundamentals to consider:
- Are Internal Audits necessary at your organization?
- What is the best way to plan Internal Audits?
- What issues may you experience when running Internal Audits?
- Do you need Internal Audit software?
1. Are Internal Audits necessary at your organization?
The three top reasons to conduct Internal Audits are to:
- Prepare for external audits
- Comply with clause 9.2 of ISO 9001 certification which states you must conduct internal audits.
- Assess your business and improve it.
External Audits are generally limited to financial records. On the other hand, Internal Audits may cover the whole business: how the organization is governed, how risks are managed and how processes are run.
Importantly, Internal Audits recommend improvements. If done right, and corrected, Internal Audits add huge amounts of value to the organization.
2. What is the best way to plan Internal Audits?
Since Internal Audits can cover any part of a business, it is important to avoid getting bogged down in endless detail, but instead deliver maximum value.
This means creating, and working to, a tight, detailed scope that is still broad enough to provide real value to your organisation.
Here are our recommended steps:
- Set up an Audit Committee if you do not already have one. This is a group of board level leaders that direct and support Internal Auditors throughout the whole process.
- Understand the organization’s objectives and strategy. Some questions to prompt the right type of thinking are:
  - How do we ensure compliance with all external (and internal) regulations and codes of conduct?
  - What risks do we face?
  - Is the way we manage the organization aligned with the organization’s objectives?
  - Do our IT systems support our objectives securely and efficiently?
  - Do we operate safely and efficiently? What are the hazards, frictions, and inefficiencies?
  - How secure is our supply chain? What risks do our suppliers bring to the organization?
  - Are we performing as we should environmentally?
- List the activities, functions and departments that are crucial to your organization’s objectives and strategy.
- List the stakeholders that are responsible for the activities, functions, and departments in scope.
- Design the most logical, efficient way for your Internal Auditor to investigate these activities, functions, and departments.
- Agree workflows, key milestones, reporting formats, and frequencies with the Audit Committee.
- Create a resource and time-bound plan to conduct the Internal Audit.
3. What issues may you experience running Internal Audits?
The most common issues are pushback, scope creep and complexity.
Pushback: No one likes being inspected. A common difficulty is the pushback Internal Auditors may get from staff.
This can be solved by senior management clearly communicating the remit that Internal Auditors have so they can carry out their duties.
Scope creep: Another issue may be scope creep, where Internal Auditors are tempted to work on issues that are related to the scope but fall outside it. In these cases, it is important to keep to scheduled tasks, but consider any strong evidence to add newly discovered issues to the scope, while being explicit that the workload will increase.
Complexity: Another difficulty is dealing with complex data. Complexity can mask real risks, and is time-consuming to dig through.
There is no shortcut to dealing with complexity, but a systematic and robust method to process and interpret large amounts of data is crucial and will preserve your sanity.
4. Do you need Internal Audit software?
If you have one Auditor and the Internal Audit is simple, you can use Excel, or something similar, to manage and track your data and progress.
But Internal Audits become complicated and generate lots of admin very quickly. You may want to consider Internal Audit software if there is more than one Internal Auditor, or the Audit generates a lot of data.
Internal Audit software gives clear structures to design and conduct Audits. There are tools to run Internal Audits such as automations, workflows, communication features, libraries of standards and frameworks, analytical tools, and reporting templates.
All of these help Internal Auditors focus on auditing and spend less time on administrative tasks.
Internal Audit software can also help deal with complexity which, as mentioned, can hide important risks.
You may want to consider other tools such as exploratory and predictive analytics and data visualisation to generate fact-based insights. These mean the leadership team can reach conclusions and make decisions faster and with more confidence.
You may also want to use technology that allows you to collect and analyse entire data sets rather than data samples. This should lead to more accurate conclusions.
Many companies want to manage all governance, risk, and compliance activities using one integrated platform. In this case you will need to carefully research and select the best GRC software for your organization.
- Internal audits must focus relentlessly on what is important for the business.
- List the key objectives of your organization, and understand what can help or hinder these objectives.
- Be wary of pushback, scope creep and complexity, and consider an Internal Audit software platform if there is more than one Internal Auditor.