In this blog you will learn about why a robust internal audit program can offer substantial value to a business. As an outcome of this blog, you will have an insight into how you would go about articulating that to management.
Number 1, we know that planning and conducting internal audits is a mandatory requirement under the ISO management systems standards.
As someone who supports organisations to set up systems, and also audit systems - I do see examples where organisations going through the motions with their internal audit programme and doing it because their external auditors would expect to see records. To me, that’s a big missed opportunity.
An effective audit program gives your organisation a tool to actually confirm that your operational and system processes (safety, environmental or quality) are being conducted as planned. You may need to modify your processes or train your people.
Critically under a safety system, Organisations identify hazards, risks and controls. Or, in the environmental standard; aspects, risks and controls.
We identify those hazards up front and assess the level of risk, but fundamentally need to identify some control measures. At that point, we’re hoping they are going to be effective in reducing risk.
Audits are based on objective, factual evidence so it can be a really good way of coming back and saying “are our control measures all actually implemented? Are they effective and maintained so they’re working at all times?”
That’s absolutely critical, because if they’ve failed or are compromised in anyway, the risk level can be a whole lot higher than everyone’s assuming.
But also, have they reduced the risk to the level that we had hoped they would reduce the risk to? Rather than just assuming that we can reduce the risk by applying some controls because it may not achieve the level of risk reduction we are looking for.
A robust audit program that is risk focused can provide evidence to our management or compliance management team. This evidence may show that areas of risk within our business are consistently planned and managed. That is a very valuable finding for your business.
As well as, we can do audits against some of our compliance obligations which can help us determine whether we are managing our legal requirements.
It’s much better than having some kind of incident or a dissatisfied customer, or a loss of reputation to tell you that your risk controls aren’t effective.
Another way of looking at this one, is, it’s much better to self-evaluate the company, rather than having the EPA, Worksafe, or a regulator telling you that you are not achieving the operational control required.
In our next blog, I’m going to give you my personal top 5 tips for conducting a valuable audit within your business.