  Andrew Thornhill

The 7 Key Principles of Internal Auditing

Updated: Jun 13, 2019

In this blog we’ll look at the 7 key principles of effective management system auditing. Knowing these principles will help you deliver an audit program that meets the needs of internal and external stakeholders and produces reliable, valid audit findings.

Number 1, Integrity. Integrity is absolutely fundamental to our audit process and to our wider audit program. It means that we approach every stage of every audit we do honestly, professionally and ethically, free from any bias or conflict of interest. One thing you will realise once you get involved in audits is that there is a range of stakeholders around the audit process. Internal stakeholders, such as management and the auditees, and external stakeholders, such as regulators or insurers, all expect that we have taken an approach with integrity and that our audit findings are valid, factual and can be supported.

Number 2, Fair Presentation. This means that we report based on the objective evidence and the facts we have seen during the audit. We don’t put any of our own opinion or bias into the report; we let the evidence we sight on the day dictate what our findings are. Auditors have an obligation to report fairly, accurately and on the basis of the evidence. Closely related to this is due professional care: treating all stages of the audit process as a professional exercise. Be appropriately planned and prepared, as I have mentioned in an earlier blog, and understand the process you are auditing. Your stakeholders expect that you do. The auditees will also form a perception of your approach. For example, if you are doing a safety audit and you are not wearing the correct PPE, auditees will notice, and it could give them the perception that you don’t understand what the correct PPE is, while you are auditing them on whether they use the correct PPE.

Number 3, Communication. In my experience it is important for auditors to be careful in their remarks. For example, I’ve seen an auditor, on occasions where there is an operational procedure or safety procedure, say of a particular requirement in the procedure “it’s not that valuable, do we really need to do it?” It’s important to avoid making judgement calls about the auditee’s procedures. How can we audit the auditees against a requirement we have just said doesn’t seem important? Whether it is or isn’t important is not up to you as an auditor; that is up to the responsible manager of that team to decide. It may be required for reasons that we don’t fully understand.

Number 4, Confidentiality. Confidentiality relates to the fact that during an audit we get to see information that is provided to us solely for the purpose of the audit, and a lot of this information may be private. It may also be part of the intellectual property of the company, particularly if you are auditing a supplier who is in close competition with other suppliers you interact with. Auditees are very concerned about how you treat their information. If they feel that you are not treating it confidentially enough, they may become quite circumspect and careful about what they say. I have seen a situation where an auditor started an audit with a supplier by saying “oh, your competitors up the road, they’re doing X, Y and Z. Isn’t that great?” If I were that supplier I’d be thinking “I’m going to keep my mouth shut”, because this person is obviously not respecting the confidentiality of the audit.

Number 5, Independence. We should be independent of the work activity or the process we are auditing. In a small business, where everyone does a little bit of everything, that can be quite hard to achieve. But to the extent we can, the general rule of thumb for a management system audit is this: if the evidence we are looking at (the records, the observations, the interviews) relates to my own work (work I have actually conducted myself) or to work conducted by team members in a team that I manage, then it is inappropriate for me to be auditing it. In that case we need to find a more independent internal auditor.

Number 6, Evidence-Based. Audits should be evidence-based. The purpose of an audit is to audit against established requirements and to gather objective, verifiable evidence. Basically, we want to gather facts to determine whether each requirement has been conformed with or not. My role as an auditor is to gather the evidence that shows whether or not they have conformed, and my findings should rest on that objective evidence, not on my opinion. There is either evidence of conformance or evidence of non-conformance.

Number 7, Risk-Based. This applies both to an individual audit and across the whole audit program. Since time and resources for auditing are not endless, it is appropriate to target high-risk areas more frequently and to take a bigger sample in those areas. For example, if we are auditing a higher-risk step in an operational process, we would review more records and talk to more people at that step than we would for a low-risk step.

In our next blog, we’re going to look at how to develop an internal audit schedule that is risk-focused and gets the best return on investment for us as a business.

