• Andrew Thornhill

How To Develop an Internal Audit Schedule

In this blog you will learn about how to develop an internal audit schedule that gives your organisation the best return on investment for audit resources invested.



I haven’t been to a business yet that has got an unlimited budget for auditing. Let’s say your boss has been a bit tough this year – he or she has said “no more than 15 audits over the next year”. We are going to look at how to get the best return on investment on that.


There are 2 key considerations here; risk and time.


Risk:

Areas that are higher risk from a food safety, quality or environmental perspective need to be audited more frequently and in greater depth (as encouraged by the ISO standards). This means looking at a bigger sample size of evidence.


Risk is also a great way of prioritizing the use of resources.


In the example from the video, I have just applied a very simple risk-rating, where I have said the activity for contractor management was high risk and activities for dispatch processes were a lower risk. A good way to use the resources here is to schedule 3-4 audits for contractor management processes, and only 1-2 for the dispatch processes, as they are lower risk.


We could keep going with this risk assessment – looking at the different operational activities or sites that we want to cover in our audit schedule. But quite simply, the higher the risk, the more frequently we audit that particular activity.


Time:

When talking about time, let’s use production as an example. There might be certain production or service delivery activities in your business that you could go out and audit at any time.


But there is also activities that can often be quite high risk that happen infrequently or irregularly. So using the production area as an example, if we have bulk chemical storage, they might only get a delivery once or twice a year.


If we can audit it when it is happening, we not only have the benefit of the records, but we can also interview and observe as well.


If we audit something after the event has occurred, 2 of our key sources of evidence (interview and observation) can be difficult to undertake.


I would add to that, looking at projects (if it was a design and construction project by a construction business), each stage is very time dependent. It is going to start and stop at a certain point.


Quite simply, if we want to audit the design activities, they might be happening from January to Match and then finish. So, if we come in September to audit the design stage, all we’ll be able to look at is project records. It will be very difficult to interview anyone and make observations.

The other issue with time is seasonal activity. So if we’re a winery with a certain time of the year where we have a vintage period, and that’s what we want to audit, clearly the best time to do this is when it is happening so that we can observe and interview.

There is a free resource to accompany this blog, which you may find useful when developing your audit schedule, which you can download from our resources page, under the 'resources referred to on our YouTube channel' called Internal Audit Schedule.


In the next blog, we’re going to look at some terms you may hear as you get involved in audits. People start talking about first party audits, second party audits and third party audits. We’re going to give you a bit of background on what that actually means.

  • LinkedIn Social Icon
  • YouTube

© IRM Systems 2019