
Best Practices in Internal Audit

Internal auditing is a mechanism by which an organization examines a business process to evaluate its ability to comply with internal and external requirements. It is also a very effective tool to implement a discipline of continuous improvement. Internal audits enable management to:

  • Discover what's really going on within the organization, which enables objective decision making and lets managers direct resources towards the right issues
  • Learn about potential problems before they become burning issues
  • Identify failure points within a process, so relevant stakeholders can implement corrective actions in a timely manner
  • Determine the effectiveness of controls within a process

Attributes of a successful internal audit program
To be effective, the internal audit and the corrective and preventive action (CAPA) processes must be fully integrated in a closed-loop manner. Internal audit of a process/organization takes a snapshot of the current environment, maps it to defined requirements or specifications and then identifies nonconformities or opportunities for improvement. These nonconformities are then fed into a corrective action process, which recommends specific actions and solutions. The lead auditor should then verify that the corrective action has been implemented and the root cause of the original nonconformity has been eliminated.

An internal-audit program within an organization is less likely to be successful when it does not have the right management support and commitment. In organizations where the audit program consistently delivers good results, the closed loop audit/corrective action process is likely to be institutionalized as a result of the management support. A key attribute of such an organization is any process-owner's ability to answer the following questions very clearly:

  • Are the processes and metrics clearly defined, so that the internal audit process can discover unambiguous non-conformance?
  • How does the audit process incorporate the results of previous audits to track progress against previously discovered nonconformities?
  • What is the process to identify potential root causes in a timely manner for the non-conformities that are discovered by the audit process? Are corrective actions always taken to eliminate such root causes or potential root causes?
  • How is the data on corrective and preventive actions reported and analyzed?
  • How do employees receive feedback on their respective non-conformities?

Five key activities in an internal audit
An internal audit is almost always successful when an internal auditor is able to carry out the following five linked activities:

  • Audit schedule: The purpose of the audit schedule is to communicate when the organization can expect to be audited, who will lead the effort, which high level processes will be included in the audit and what type of resources may be needed from the process owner. Audits scheduled far in advance always produce better results.
  • Audit plan: An audit plan should detail a single audit's scope, objectives and agenda. The plan provides a chronology of the audit from start to finish: which specific processes and sub-processes will be audited, exactly when they'll be audited, who will do it and which requirements will be audited in each segment.
  • Audit management: The lead auditor manages the overall process, including managing and communicating any changes to the audit plan, communicating the audit progress to the stakeholders, ensuring that the audit process stays on track, reviewing all nonconformities to ensure that they're logical, valid and clear, resolving all conflicts constructively and ensuring that the entire audit is conducted professionally and positively.
  • Audit reporting: Stakeholders are presented with the written audit observations and a list of non-conformities, and these form the basis for discussion of the audit results.
  • Audit verification: The manager of the process being audited is usually asked to respond to audit nonconformities by an agreed-upon date. The response should include investigation into the root cause, proposed corrective action and a date when the action should be completed. The lead auditor reviews the responses to determine whether the investigation and proposed corrective actions are adequate. If a response doesn't identify a plausible root cause or propose a corrective action related to it, the lead auditor can reject the response and explain to the manager of the process why it's inadequate. The second stage of verification occurs when the manager of the process notifies the lead auditor that corrective action has been implemented. At this stage, the lead auditor or a team member will verify that the corrective action has been fully implemented and the root cause of the original nonconformity has been eliminated.

System requirements for a successful internal audit program
A specific audit is likely to be more successful if the detailed steps listed above are automated using software to make them repeatable. Leading industry analysts have identified the following core requirements of a software solution for a closed-loop internal audit program - an end-to-end process from audit management through corrective actions to change control.

  • Audit Management: The software should allow definition and management of various elements of the audit process including creation of different checklists by audit type, tracking audit schedule details, managing role differentiation between lead auditors, approvers and managers for all audit components and enabling workload distribution by sharing components of the audit. The software should also allow auditors to track progress, attach various documents as supporting evidence of the non-conformities, review non-conformities identified by audit team members, ensure all exit criteria in the checklist have been met before the step is completed and report audit results (pass/fail).
  • Non-conformance tracking and management: The software should track and manage all non-conformances arising out of the audit process and provide an ability to either close out the non-conformance (based on severity level and authorization) or trigger a corrective action process. In some regulated industries such as medical devices, closing out certain non-conformities may not be an option and a corrective action is automatically triggered.
  • Corrective Action: The software should provide a collaborative mechanism for automatically routing a corrective action request to a hierarchy of users with built-in notification and escalation procedures, enabling them to review all relevant non-conformance records to analyze the root cause and document corrective actions to correct or prevent the recurrence of the problem. The system should support configurable industry-specific report formats such as 8-D, 5-Phase and PIAR.
  • Change Control: The software should support multiple change control mechanisms identified in corrective action such as document change (change to a standard operating procedure or process instructions etc.) or employee training or equipment recalibration.
  • The system should be developed from the ground up using web architecture, so it can be easily accessed by any user within the company or by key suppliers or customers outside the organization and it can easily integrate with other systems or corporate portals.
  • The system should allow enterprise-wide reporting on any non-conformance and corrective action at a department/plant/division/company hierarchy and provide an executive dashboard to report on key process indicators.

A successful internal audit program is critical to implementing an organizational discipline of continuous improvement. By ensuring that the best practices are implemented and by using software to automate the closed-loop process, an organization will be well on its way towards realizing impressive results from its internal audit program.