ISO 19011:2018 - Improving the Value of Internal Audits
Dave White April 2021
The ISO 19011:2018 Standard provides excellent guidelines for the risk-based management of internal audit programmes and internal auditors when auditing management systems.
The standard will help you synchronise your internal audits with the principles and overall intent of all ISO management system standards whilst also promoting positive culture and behaviours.
The ISO 19011 standard contains seven key auditing principles worthy of careful consideration. Together they represent the fundamental approaches and behaviours that internal auditors need if internal audits are to be respected, trusted and valued in an organisation.
1. Integrity – honesty, trust, respect and diligence.
2. Fair presentation – balanced and accurate reporting.
3. Due professional care – well planned, organised and committed to the cause.
4. Confidentiality – discretion, sensitivity and respect for interested parties.
5. Independence – impartiality (unbiased) and objectivity (factual and pragmatic).
6. Evidence-based approach – making decisions based on verified information and/or data.
7. Risk-based approach – focus on areas of significance and criticality.
These 7 principles, when embedded into the internal audit culture and reflected in the behaviours of internal auditors, will enhance how the value of internal audits is perceived in organisations. They deliver results through a systematic determination of good practice, non-conformance, risk and opportunity, with improved current and future organisational performance and resilience as the main outcome.
To help understand how applying these 7 key principles adds value, below are 5 practical ideas to consider when deciding how your internal audit programmes will be managed and which auditing methodologies to use.
1. Align your internal audit programme with the business strategy and objectives
Section 5 in ISO 19011 concerns managing an audit programme, recognising there is more involved than simply creating a schedule of audits. The audit programme should be prioritised after careful consideration of the following:
· the context of the organisation (i.e., internal/external issues)
· strategic direction including any planned changes to the organisation and its management system
· the intended functionality of the management system, the importance of certain key processes and perhaps, key functions, departments, customer contracts, projects, etc.
· current performance and previous internal audit results
· key risks, opportunities and any existing known areas of measured underperformance
The aim is to deploy your internal auditors to the areas of the business where they can add most value, rather than taking the easier option of creating an annual audit programme that covers each department or function once a year (which, in all honesty, most probably would not conform to the requirements of ISO management system standards for managing internal audits).
2. Adopt a risk-based approach when planning each internal audit
Clause 6.3.2 of ISO 19011:2018 guides audit planning. By adopting a risk-based approach to their audit planning, auditors can consider the risks in the area to be audited, risks to completing the audit activities and risks to not achieving the audit objectives.
A common problem is not allocating sufficient time and resources to internal audits. Many leaders do not understand the amount of time required to complete an effective audit; they see auditors interviewing a few employees and believe this, plus some time to compile a report, is all that auditing involves.
3. Select and develop the right people to do the job
For the audit programme to be effective in achieving its objectives, you need competent and qualified auditors to conduct the audit activities. Clause 7 in ISO 19011:2018 discusses the evaluation of auditor competence and performance against a range of suggested defined criteria. If the audit team lacks knowledge or expertise, a technical expert should be used to close the knowledge gap. Auditors do not have to be experts in every single process, but they should understand the overall purpose and structure of the organisation:
· The organisation's context and strategic direction, key organisational goals and issues such as key risks, opportunities and any existing failures.
· Management systems and requirements (and how they might interact).
· Key internal and external stakeholder requirements and expectations.
· Core business processes and how they impact each other.
· Risk-based approach to management at all levels.
· Regulatory frameworks.
4. Audit the audit programme and audit management process to drive improvement
The audit process itself must be audited, and like all other processes, opportunities to improve it should be identified and implemented. The audit process ideally then becomes an opportunity to confirm the current and likely future capability of the processes under audit, and to identify and share best practices across the business.
5. Don’t just treat the symptom(s) of the problem
When audits detect problematic issues (often referred to as non-conformances), the management response must include the effective:
· Containment and correction of the problem
· Corrective action (root cause analysis to drive process change to prevent the recurrence of non-conformances)
· Mitigation of any emerging risks related to these actions taken
All of the above actions are important, but conducting an effective corrective action process, including thorough root cause analysis, is absolutely vital to drive continual improvement. Businesses are often too quick to react to a non-conformance by treating the symptoms of the problem, and are therefore likely to experience the problem again at some future point in time. Instead, responsible management should take a step back, allow time for their competent staff to fully investigate, analyse and understand the problem, and work to resolve the root cause(s) and change the process(es), thereby preventing the non-conformance from recurring.
Summary
Audits are not simply a process to ensure your business management functions and processes are operational and effective; they also allow your organisation to assess the condition of other management programmes and risk management processes, as well as assist in compliance with applicable regulations, standards and other key requirements.
Similar to how an internal audit reviews the condition of your organisation, the audit programme itself and the performance of internal auditors must be frequently re-evaluated and treated as an opportunity for enhancement and optimisation.
ISO 19011:2018 is a catalyst for these objectives and also identifies and distinguishes the potential impact that advancements in technology can have on the audit process, such as virtual or remote technology-enabled audits.
David White
Company Director & Senior Consultant
iqms Learning Ltd