)
Internal Audit Basics: What, Why, and How to Do Them (5 Audit Checklists)
Ben Mulholland — March 24, 2020 
Can you prove your team’s performance?
How do you know for certain that nothing is being missed?
The answer is simple; you perform an internal audit.
We know how difficult it can be to keep track of your internal workings. Short of documenting and tracking everything (which can be a hassle) it’s easy to lose track of the risks posed to your organization.
That’s ignoring how hard it can be to track whether your teams are performing their duties correctly.
That’s why this post will dive into everything you need to know about internal audits. These are practices that let you get an objective assessment of various elements of your company, such as this ISO 9001 process.
What is an internal audit?
An internal audit is an independent assessment of how effective an organization’s risk management, processes, and general governance is.
They’re a team’s way to perform their own quality measurement and management. The evidence gathered and the conclusion reached should be unquestionable and free of outside influence.
To this end, it’s vital that the person or team in charge of carrying out the internal audit is both independent and objective. In other words, the auditing party should be free of any kind of influence from the team or department being assessed.
The goal is to get accurate information about the team’s performance, governance, and risks. Thus if the auditor’s independence or objectivity comes into question at any point, it needs to be reported to management.
To clear up a quick distinction that catches many off guard:
- External audits – performed by external auditors, usually from an outside firm or agency
- Internal audits – performed (typically) by members of the company
Just because the internal auditors need to be “independent” doesn’t mean that you’ll be hiring an auditing firm to take on the job. As long as they can be considered free of influence from the team they’re assessing, using in-house auditors is perfectly valid for internal audits.
If internal auditors are used, they will usually report directly to the board of directors or senior management to avoid the risk of being influenced by other teams or managers.
Unfortunately, that only covers the broad topic of what internal audits are. The truth is that, while all internal audits keep to these rough guidelines, the specifics vary greatly depending on the type of audit being performed.
Speaking of which…
Types of audits
(Source by The Official CTBTO Photostream, used under license CC BY 2.0)
Broadly speaking, there are five types of internal audit:
- Compliance audits
- Management (performance) audits
- IT audits
- Operational audits
- Environmental audits
All of these are examples of internal audits in that they can be performed in-house as long as the person or team carrying it out is trained in the field.
However, each of these takes the view of assessing elements of the company and focuses on a particular area. This makes it easier to handle the auditing procedure, as the scope is evident from the very beginning and not everything has to be considered at once.
Internal audit #1: Compliance audits
Compliance audits are focused on the company’s compliance with applicable laws, guidelines, regulations, policies, and procedures. While assessing this won’t necessarily improve the company’s financial or material performance, it’s necessary to avoid running afoul of devastating breaches of the law.
Sure, you might have to use your internal auditor’s time on assessing whether you meet GDPR compliance regulations. This could be (financially at least) better spent having them perform a risk assessment.
That very attitude towards GDPR checks led to Marriott International being around $ 115 million.
For obvious reasons, I can’t list every law and regulation that could be relevant to you. I don’t have the legal know-how!
However, that’s what internal auditors and legal advisors are for.
Internal audit #2: Management (performance) audits
Management audits (sometimes known as “performance audits”) are much more inwardly-focused than compliance audits. These focus on assessing whether a team or the company as a whole is hitting its targets in relation to the goals set by both management and senior figures.
For example, a team may have met their target in terms of their manager but that doesn’t mean that they’ve been able to meet the objectives of the main shareholders or founders.
Think of this as a high-level dual assessment of the performance of teams and the ability of team managers to meet demands.
Internal audit #3: IT audits
(Source by Torkild Retvedt, used under license CC BY-SA 2.0)
As you might have gathered, IT audits focus on the infrastructure, technology, and systems you have in place.
If it’s related to IT, the IT audit will assess it.
Data security measures, digital processes, the tools you use, and so on, it’s all evaluated in terms of performance, security, related risks, and efficiency via your internal IT audit.
Internal audit #4: Operational audits
Operational audits have the widest focus of any of the internal audit types, as they are concerned with assessing the efficiency and effectiveness of the internal controls of your business.
In other words, it looks at the policies and procedures of your entire organization.
The auditor will typically focus on high-risk areas to tackle that which presents the biggest threat to the company should things go wrong.
Internal audit #5: Environmental audits
Environmental audits are probably the most niche of the internal audit types, as they focus solely on the environmental impact of the company.
The main method of measuring a “reasonable” environmental impact is to compare it to the environmental regulations in place which your company has to meet.
Benefits of internal audits
Have you ever wondered how your team is performing? Do you have any concerns about your managers’ abilities to meet shareholder expectations? Are there laws and regulations which could be crippling to your business if not rigorously met and adhered to?
All of these problems and more are solved by using internal audits to assess your business.
IT audits ensure that your sensitive data is kept under lock and key, operational audits help to check that everything is as efficient as possible and that processes are being followed, and compliance audits make sure that you won’t run afoul of outside regulations.
Not to mention the incidental benefits of performing regular checks on your team, such as:
- Increased productivity
- More chances to collaborate
- Regular tests of your infrastructure and documentation
- Greater unity across departments and positions
- Definitive proof of performance and compliance
- Stakeholder/founder satisfaction through transparency
Productivity will naturally increase both as a result of operational audits and your team knowing that you care about their performance in general. Audits demonstrate that you’re keeping an eye on things and won’t hesitate to address problems where they appear.
Having said that, bear in mind that morale can decrease (later affecting productivity and motivation) if teams think that you don’t trust them. Thus you need to make it clear that the idea of these audits is to work with them and to help them improve their work and to make issues easier for them to deal with.
Collaboration is a natural result of any teams having to work together. This could be as simple as your marketing team working with the auditors to show their performance in meeting targets or something more complex involving multiple teams working towards a common goal.
Your company infrastructure and documentation will be directly assessed through IT and operational audits, while also playing a role in the conclusions drawn in all other audits. For example, a management audit doesn’t just test managers – it inherently tests how well their deployed processes are working.
However, perhaps the most tangible benefit of internal audits is the ability to show results with evidence to back them up.
Whether you’re addressing senior management, your founder, the board of directors or key stakeholders, internal audits allow you to show them precisely what’s going on in your company.
Not only that, but the fact that you’re carrying out internal audits in the first place demonstrates that you’re staying on top of things and monitoring the situation in case action is needed. It inspires confidence because, even if nothing needs to be done, at least you can show them that you know that nothing needs to be done.
Internal auditing examples
As I’ve stated above, the precise auditing process you need to follow will vary depending on the type of internal audit you’re carrying out. The general setup of your organization will also affect how the audit works, so no two audits are truly identical.
However, to get you started, here are a few examples of internal audit processes from the team here at Process Street:
- ISO 19011 Management Systems Audit Checklist
- ISO 14001 Environmental Management Self Audit Checklist
- ISO 9004:2018 Self-Audit Checklist
- ISO 9001 Internal Audit Checklist for Quality Management Systems
- GDPR Checklist for Businesses
As you might have noticed, many of these auditing processes are based on ISO guidelines. In other words, you don’t have to rely on our word for whether these processes are effective or not – the information is based on the recommendations of the International Organization for Standardization (ISO).
All of the checklists above are free and ready-to-use but can also be edited to your needs to adapt them for your organization.
Business & Finance Articles on Business 2 Community
(46)
