Let’s talk about a new approach to internal auditing. I like to call it Risk Based Auditing.
To give you some background, my company, FQM, undertakes audits for our customers as well as providing internal auditor training. One of the issues we often come across is organisations that ‘pack out’ their audit schedule throughout the year with unnecessary audits. They tend to believe that they need to audit every clause of the standard, because that is what their auditor told them at the time of certification.
This is not correct. It is the external certification assessment that audits all of the clauses.
What we suggest to companies is that they take a risk-based approach to auditing.
Most organisations will have either a manual or a suite of processes or procedures that demonstrate how they comply with the requirements of the ISO standards, whether that be a quality management system, an environmental management system, a health and safety management system or a combination of those integrated together.
One of the key things we mention when we’re training internal auditors is that they should develop their schedule and their plan of auditing. This should be based on the risks associated with those different sections of the manual, processes or procedures.
What Do We Mean By That?
If a section of the standard or a document within your organisation is not a critical activity, then you don’t need to audit it. Instead, do a high-level risk analysis of your processes and try to understand which ones are critical. This is a little like what you would do when you analyse your supply chain. You don’t put a lot of effort into checking and evaluating every one of your suppliers, but you do identify which ones could potentially bring the greatest harm to your business. You put more of your focus on them: you class them as your critical suppliers, for example, and you concentrate on ensuring that you manage them well. You are also likely to build up a relationship and work with them to minimise the potential for harm.
Therefore, you look at your processes and identify which ones are critical to your organisation. Often you will find that many of the critical activities sit in the key operational areas: your production, your service delivery or your design areas.
Many companies, when they do internal auditing, audit the procedure without reference to other areas. In other words, they audit in a “silo”. They do not consider how that process or procedure interacts with other processes or procedures within the organisation. It is important to recognise that issues often arise when work passes from one part of the organisation to another.
When you look at your suite of procedures and processes, it is important to recognise how critical they are to your business. Identify the ones which are most critical and start to put a little more focus on auditing those areas of the business and their interaction with other processes and procedures. By doing this you bring a much more focused, coherent approach to your internal audit process, and you can minimise the amount of internal auditing you do.
Risk Based Auditing
Many companies that we have seen just do too many internal audits simply to tick some boxes. They do this simply to be able to tell the external auditor that they have done 40 internal audits.
Personally, I would prefer to see 10 internal risk-based auditing processes done on critical processes, identifying areas of improvement.
If you use a risk-based approach to your internal auditing process, then you can justify to your external auditor why you audit these processes perhaps twice a year, compared with other processes in your organisation that you may audit only once every couple of years.
This will give you far more detailed information, far more data to help improve how your business operates and drive your business forward.