Internal audits are the tool for checking that things are being done as planned. For example, perhaps you have a procedure that requires credit-checking of all new customers and then re-checking every 12 months. The procedure has been written and communicated, and training has been provided. So, it must be done correctly then? Well, maybe… or maybe not. Until you go in and check whether it is being done, you don’t actually know.
How do you conduct an internal audit?
Generally, you will audit a process (for example, the process of supplier evaluation, or the selection of materials for assembling a product). First, you need something that provides the structure and details of how the process is controlled. This gives you criteria to audit against, usually in the form of a procedure or a checklist.
What happens if there are no documented procedures?
If there is no documented procedure, you need to determine how the process should be controlled – in other words, what should happen when the process is being performed correctly. You then need to consider whether an undocumented procedure is a sufficiently robust approach: this might be your first audit finding! Whether a documented procedure is required depends on the complexity of the process, the importance of the procedure, the risk, how many people are involved in the procedure, and whether it is controlled by software that effectively provides the procedure. Sometimes this can be a bit counter-intuitive – a process that is performed occasionally might need a written procedure because it is difficult to remember how to conduct the process; and if only one person conducts a process, what happens when they are on holiday or off sick?
If there is no documented procedure, you could develop a checklist of the key elements that control the process. What you are looking for is to identify the critical controls. These are the actions that are fundamental to successfully controlling the output of the process. For example, it could be identifying the most up-to-date version of a quote or drawing, choosing the correct grade of metal, selecting only trained and qualified handlers, or using only certified timber in a product.
Let’s look at an example of supplier evaluation. You identify from either a procedure or discussion with key staff the following critical controls: valid professional indemnity kept on file; up-to-date qualifications of key staff; and a ‘B’ or better credit rating checked in the last 12 months. If any of these are lacking, there is an unplanned and unacceptable risk to you: the controls you have put in place to mitigate the risk are not being applied.
Now you can check whether what was planned is actually happening. To do this efficiently, you sample. For suppliers, you might sample a few to see if they are compliant. But how many to sample? Generally, the square root of the total will do, so for 25 suppliers, 5 would be fine. Another ‘rule of thumb’ is to sample 3. If they are all OK and fully compliant, move on. However, if 2 or more are not compliant, you have identified an issue that needs recording and addressing. If 1 has an issue, sample some more to see how widespread the problem is.
It is important to remember that the purpose of the internal audit is to generate improvements. With this in mind, non-conformities should not be dreaded as they are the raw material for improvement and reducing risk. They also provide information to management on where risks lie, which can be hard to identify by other means. We have seen many examples of processes that senior managers thought were well controlled and compliant, which after internal audit were found to need significant continual improvement.
You can download a template for a simple internal audit here.