An introduction to internal audits
Today’s blog post is going to be a brief introduction to internal audits, which is a huge area in its own right. If you don’t know what an internal audit is this is hopefully this post is for you and I hope you learn something today. If you already perform internal audits within your business, I’d be interested to know what works for you and what you get out of them.
And with that, lets move on to what an internal audit is and how it benefits your business. An internal audit is a process which is conducted by either a person or team of people (depending upon the size of the business) who evaluate your business internal controls on a regular basis.
This process also helps to check to ensure that your business governance and internal accounting processes are working efficiently and being adhered to as defined in your policies and procedures.
An internal audit will look at all areas of the business and therefore should be broken up throughout the year, an audit for example may look at your processes and polices, the second audit may look at HR functions, the third may be physical security of systems and buildings and so on.
You should look to include all aspects of the business, to paint a full picture, you will no doubt require help from other parts of the business, for example HR, accounting, IT, management to name a few.
For a reasonably sized business performing a proper internal audit against all controls and systems within the business and will take a while, so you should look at planning what you are going to audit, put them down in a list and then schedule them throughout the year. Say for example for one or two audits a month, then you will have time available to perform a proper audit.
For myself, I have an excel document which lists out the sections and then spreads them out throughout the year, making sure I do a few a month as to not overwhelm myself or the business.
Internal audits, you will find, are used heavily within ISO, for example 9001 and 27001. These audits will help to ensure that you have compliance in place with your laws and regulations and helps to provide evidence and to the external audits when the time comes.
Internal audits can also help to provide insight and identify areas which are weak or are not being updated or kept in line. For example, if change control is not being kept up to date, policies are not being adhered to or staff are not being trained according to internal processes.
When performing an internal audit, or looking to start one from scratch, you should make sure that you have sign off from the board or higher management. If you don’t have the sign off from the top, its going to be hard to perform a successful in-depth audit throughout the business, especially if you identify issues.
When you conduct the audits, you should be noting the date and time and what area of the business you are auditing, for example policies and documentation. You should then put a brief note of what was found in the previous audit (if you’ve already performed one), and then check to see if the previous findings were resolved. If they were great, if not, why where they not completed?
You should also look to see if there are any new findings, how are things proceeding, talk to staff in the area of interest being looked at and look at documentation and evidence to back up your findings.
When you have completed everything, you should have a document which details your audit. It doesn’t have to be war and peace, but it’s should make sense to anyone looking at it. Especially yourself when you come back to perform a new audit later in the year or the coming year.
Over time you will build up a lot of information about the business which will be helpful, it will also help you identify areas which are constantly weak or are strong.
The idea of the audits is to help the business identify what is working or failing. To ensure that you are following your own internal processes and control and that staff know what they are going.
And with that I hope this post has been useful and if you find it worthwhile do let us know and we can start to go more in-depth about internal audits, the processes, documentation, note taking and such.