In my quest to find an adequate buzzword for integrated internal audit approaches, I decided to name it Wholesome Internal Auditing.
Let’s dive deeper to understand what it is, how it came into being and why it should be the mainstay of Internal Auditing!
Thanks to the corporate failures of the 2000s, Internal Auditing is no longer a mere cost center deployed to gain extra assurance over regular transactional processing while giving away its own independence in the process. (Unfortunately, however unbelievable it seems, the practice continues to this day, even in the developing and not-so-developing world.) The scandalous spotlight gave Internal Auditing a place at the executive table, and the resulting legislation ensured that the profession rediscovered its position.
Leaders of the profession grabbed the opportunity to reassess internal audit’s value premise and reposition it as a trusted business adviser. The profession’s global voice, the Institute of Internal Auditors (IIA), with its flagship Certified Internal Auditor ® (CIA) program and the International Professional Practices Framework giving mandatory and recommended guidance to Internal Auditors worldwide, gained more traction and is responsible for what is known as modern-day Internal Auditing. Whilst the CIA program is a globally recognized credential for internal audit professionals and equips them with the desired competencies, it is not a mandatory practising requirement, and this flexibility also accounts for the diversity of skill sets in the profession.
Another guideline available to auditors comes from the International Organization for Standardization (ISO), which prepares international standards through its technical committees. ISO 19011 gives Guidelines for Auditing Management Systems, where a management system embodies the objectives, policies and processes of an organization. ISO does not offer a credential or a certification; its standards are intended to provide guidance, either as best practice or where conformance with a global standard is a legal or contractual requirement.
In one of my professional experiences, I was responsible for heading the internal audit function and providing dedicated advisory for the Quality Management System established under the guidelines of ISO 9001. The Organization had also attested compliance with Health & Safety and Environment Management Systems (ISO 45001 and ISO 14001) under its Integrated Management System (IMS). The Quality Management System (QMS) was in the driving seat of the IMS and was thus also responsible for planning and executing the internal (first-party) audits of the IMS. At the time the Organization had two types of internal audits: the Corporate Internal Audits under the code of corporate governance, reporting to the Board and governed by the IA Charter modelled on the International Standards for the Professional Practice of Internal Auditing (ISPPIA), and the IMS internal audits, reporting to Executive Management. Being the official responsible for both audit requirements and efforts, I was the first to witness the massive audit footprint in the Organization.
It was then that I decided something needed to be done to reduce the audit footprint and give the client functions a breather to implement actions that could improve the systems. To proceed, I decided that our internal audit teams needed to be well versed in ISO’s auditing requirements. For this purpose, I identified and organized a training session on ISO 19011:2018 Guidelines for Auditing Management Systems. Since all ISO management system standards follow the process approach, I found its approach aligned with ISO 9001, 14001 and 45001.
The IMS audit planning was tweaked to gain maximum benefit from the new learnings of ISO 19011. I then embarked on compiling a complete consolidated inventory of IMS audit findings from internal and external audits, covering all standards (ISO 9001, 14001 and 45001) since the first adoption of the IMS in the Company, just as we already had one for corporate internal audits. In the initial stages of this integration, the findings inventory from IMS audits and that of the Corporate Internal Audits were merged to inform the audit findings review process: draft findings were reviewed against both inventories and were dropped where the matter was already in progress in either inventory, or retained where it had been closed, so as to further improve the corrective action taken at the time.
In the next phase we moved on to analyze the performance of each functional area under the merged inventories of IMS and Corporate Internal Audits. Each function was rated on the average number of findings per audit engagement, the percentage distribution of finding ratings in the area, the average rating, and so on, to determine the areas of continued audit significance. The analysis was reviewed to smooth out obvious anomalies so that the results were correctly comparable. The nature of the findings in the areas highlighted as significant, and the corrective actions taken on them, were reviewed to determine whether the results correctly reflected the overall management assessment of the state of internal controls, the inherent risk profiles and the performance management results for the areas and their teams. Together with the emerging risk profiles for all areas and their significance going forward, this review revised the risk assessment plan used for corporate and IA audit planning, so that the core audit focus remained on the areas needing it most, thereby integrating the overall internal audit planning.
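The two steps above, the draft-finding review against the merged inventories and the per-area rating, are easy to get wrong when done by hand across hundreds of findings. The following Python script is an added example, not the author's or the Organization's own tooling, showing one way to carry them out: it merges constructed IMS and corporate inventories, decides whether each draft finding is dropped or retained, computes the per-area metrics named in the post, and sets aside areas audited only once instead of ranking them (the "smooth out anomalies" step). The three-level rating scale, the composite score and all engagement references and finding subjects are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Three-level rating scale, assumed for this example (the post does not
# state the organisation's actual scale).
RATING_SCORE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    source: str      # "IMS" (management system audit) or "CIA" (corporate internal audit)
    engagement: str  # audit engagement reference
    area: str        # functional area audited
    subject: str     # normalised description of the control gap
    rating: str      # low / medium / high
    status: str      # open / in_progress / closed


# Constructed sample inventories; references and subjects are invented.
IMS_INVENTORY = [
    Finding("IMS", "IMS-2023-01", "Procurement", "supplier evaluation records incomplete", "high", "in_progress"),
    Finding("IMS", "IMS-2023-01", "Operations", "permit-to-work not signed", "medium", "closed"),
    Finding("IMS", "IMS-2023-02", "Operations", "waste manifests missing", "low", "closed"),
    Finding("IMS", "IMS-2023-02", "Operations", "incident not reported within 24h", "high", "in_progress"),
]
CIA_INVENTORY = [
    Finding("CIA", "CIA-2023-05", "Procurement", "PO approval limits bypassed", "high", "open"),
    Finding("CIA", "CIA-2023-05", "Finance", "bank reconciliation delayed", "medium", "closed"),
    Finding("CIA", "CIA-2023-06", "Procurement", "supplier evaluation records incomplete", "medium", "closed"),
    Finding("CIA", "CIA-2023-06", "Finance", "journal entries lack second approval", "medium", "open"),
    Finding("CIA", "CIA-2023-06", "HR", "training records incomplete", "low", "closed"),
]
MERGED = IMS_INVENTORY + CIA_INVENTORY

# Constructed draft findings from a new engagement, to be reviewed against the merged inventory.
DRAFTS = [
    Finding("IMS", "IMS-2024-01", "Procurement", "supplier evaluation records incomplete", "high", "open"),
    Finding("IMS", "IMS-2024-01", "Operations", "permit-to-work not signed", "medium", "open"),
    Finding("IMS", "IMS-2024-01", "Finance", "petty cash count variance", "low", "open"),
]


def review_draft_finding(draft, merged):
    """Drop a draft finding if the same matter is already open or in progress in
    either inventory; retain it if it is new, or if it was previously closed and
    the earlier corrective action therefore deserves re-testing."""
    matches = [f for f in merged if f.area == draft.area and f.subject == draft.subject]
    for f in matches:
        if f.status in ("open", "in_progress"):
            return "drop", f"already {f.status} under {f.engagement} ({f.source} inventory)"
    for f in matches:
        if f.status == "closed":
            return "retain", f"closed under {f.engagement} ({f.source}); re-test corrective action"
    return "retain", "new matter"


def area_metrics(merged):
    """Per-area metrics from the merged inventory: average findings per
    engagement, rating mix in percent, and mean rating score."""
    by_area = defaultdict(list)
    for f in merged:
        by_area[f.area].append(f)
    metrics = {}
    for area, fs in by_area.items():
        n = len(fs)
        engagements = len({f.engagement for f in fs})
        metrics[area] = {
            "findings": n,
            "engagements": engagements,
            "avg_findings_per_engagement": round(n / engagements, 2),
            "rating_mix": {r: round(100 * sum(f.rating == r for f in fs) / n, 1) for r in RATING_SCORE},
            "avg_rating": round(mean(RATING_SCORE[f.rating] for f in fs), 2),
        }
    return metrics


def rank_areas(metrics, min_engagements=2):
    """Rank areas by a composite score (findings per engagement x mean rating).
    Areas audited fewer than min_engagements times are set aside for manual
    review rather than ranked, so one audit cannot skew the comparison.
    The composite score is this example's choice, not the post's."""
    ranked, flagged = [], []
    for area, m in metrics.items():
        if m["engagements"] < min_engagements:
            flagged.append(area)
            continue
        ranked.append((area, round(m["avg_findings_per_engagement"] * m["avg_rating"], 2)))
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked, flagged


if __name__ == "__main__":
    for d in DRAFTS:
        print(d.area, "|", d.subject, "->", review_draft_finding(d, MERGED))
    ranked, flagged = rank_areas(area_metrics(MERGED))
    print("ranked by significance:", ranked)
    print("needs manual review (too few engagements):", flagged)
```

On the sample data the Procurement draft is dropped because the same matter is still in progress in the IMS inventory, the Operations draft is retained because the matter was closed earlier and the corrective action can be re-tested, and HR is held back from the ranking because it has been audited only once. Matching on a normalised subject string is the weak point in practice: a real inventory needs a controlled vocabulary or a reference number for recurring matters so that rewordings are not treated as new findings.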
The final manifestation of this integration is a unified audit engagement that satisfies the corporate IA objectives and the ISO 9001 or the larger IMS requirements. We were able to review and align the objectives and requirements through a unified framework (more on that later!) and found that becoming one whole is a natural progression of internal auditing because:
- ISO 19011’s approach to auditing management systems is process based (PDCA), much like the generally accepted process auditing approach (cradle to grave), in which functional boundaries are blurred.
- ISO 9001, 14001 and 45001 require internal auditing for conformance and continual improvement under performance evaluation, much like the assurance and consulting approaches under the IIA’s internal auditing.
- Requirements and expectations of auditors are aligned under ISO and the ISPPIA Attribute Standards.
- Both require a risk-based approach to audit planning, conduct and reporting.
- The guidance on engagement conduct, whether for conformance (ISO) or adherence (ISPPIA Performance Standards), is also aligned on how an audit is specified.
In my opinion, therefore, internal auditing needs to enrich itself, ideally by adopting, incorporating and aligning with the Quality, Environment, Health & Safety (QEHS) auditing approach.