Internal Audit

1.1 Internal audit

To review the compliance of the system or to analyze/find the gaps in the system, to overcome the weaknesses before external audit, or to compare the achievements of the defined objectives.

1.2 Purpose of internal audit

The purpose of internal audit is to confirm that the practical implementation complies with the accrediting standard, the management system requirements, and other requirements such as local, state, federal, and international laws, etc. The primary goal of the audit is to generate a judgment about the data in the report as a whole, not to find every possible inconsistency. This translates to the fact that, despite the fact that auditors keep an eye out for any indications of potential material fraud, it is impossible to guarantee that frauds will be found [3].

1.3 Objectives of internal audit

The objective of an auditor during an audit is to verify compliance, controlling all organizational activities strictly is one of an internal audit’s key objectives. Management is responsible for ensuring the accuracy of the company’s financial records and the effectiveness of its operations. To ascertain both, conduct an internal audit. Controlling all organizational activities strictly is one of an internal audit’s key objectives. Management is responsible for ensuring the accuracy of the company’s financial records and the effectiveness of its operations. An internal audit helps to determine both. The internal audit function works from within and serves as a guardian of the integrity and accountability of the organization, examining financial reporting, protecting against fraud, error and risk, and providing objective assurance that the company is complying with the regulations and standards it should. The objective of an internal audit is to advance and improve an organization’s operational processes. An organization’s current Quality Management System (QMS) is evaluated by a quality management system audit to determine whether it complies with organization policies, contractual obligations, and legal requirements.

1.4 External audit

The most frequent third-party audit is the certification audit carried out by the certifying organizations. The external audit is an audit carried out by a second party or third party on his own behalf or on behalf of another company. The difference between internal and external audit can also be understood in the following way: the findings of an internal audit will only be used within your organization, whereas those of an external audit, or third-party audit, can be used publicly as well. For instance, if an organization chooses to undergo a certification audit and receives a certificate, this certificate is a public document, meaning it will frequently be shown to others.

1.5 Difference between internal audit and external audit

Internal audit evaluates risks and issues connected to business procedures, whereas external audit focuses on the all activities’ records and provides an opinion on the organization’s improvement statements. While external auditors typically do a single annual audit, internal auditors conduct audits throughout the year.

1.6 The importance of an audit

The audit is an important as it provides credibility to a set of statements and gives the stakeholders confidence that the system reports are true and fair. It can also help to improve an organization’s internal controls and systems. Internal Audit would pay close attention to any organizational changes that might have an influence on risk management. Organizational ethics, managerial reorganizations, financial requirements, resource limitations, technology/internet/E-business, consolidations/alliances, and legislative/regulatory imperatives are just a few examples of these adjustments that may occur. Internal audits are necessary if you want assurance that your business is accomplishing its primary objectives. Internal audits will help you get there if you want to save your company time and money and keep everything running smoothly. Internal audits are essential if you want to defend your business against fraud and stop fraudulent behavior.

1.7 Internal audit focus

A company’s risk appetite, risk detection and mitigation techniques, and risk communication and monitoring protocols are all examined through internal audit. One of the primary functions is to guarantee that risks have been adequately defined and evaluated. Internal audit is tasked with independently attesting to the effectiveness of a company’s risk management, governance, and internal control systems. The objective of an internal audit is to advance and improve an organization’s operational processes. Evaluation of the effectiveness of the organization’s quality management system and overall performance are the objectives of the internal ISO 9001 audit. An organization’s present quality management system (QMS) is evaluated to see if it conforms to corporate standards, contractual responsibilities, and legal requirements.

1.8 Types of internal audit

• Financial/controls audits

• Compliance audits

• Operational audits

• Construction audits

• Integrated audits

• Information systems audits

• Special investigations

• Follow-up audits and validation testing

1.9 Scope of internal audit

The scope of internal audit within an organization is wide and can include many issues such as operational efficiency, Quality Management System compliance, financial reporting reliability, fraud prevention and investigation, asset protection, and regulatory compliance.

1.10 Stages of internal audit

Internal audit performs a warranty audit in a five-step process that includes

• Selection

• Plan

• Perform fieldwork

• Report results

• Follow-up of corrective action plans

1.11 Benefits of internal audit

Audits are used to obtain factual information for management system, unbiased management information, to improve communication and motivation. These audits are further used to identify the areas of risk, opportunities, and need of trainings. This supports to assess performance and equipment status. Internal audits offer management and the board of directors a further benefit by allowing process weaknesses to be found and fixed before external audits. Internal audits have the responsibility of independently confirming the efficiency of an organization’s risk management, governance, and internal control systems.

1.12 Risk assessment

There is very important role of internal audit in development or progress of any organization. Risk is the likelihood that a circumstance or course of action will have a negative impact on the entity or activity that is the subject of the audit. The organization can use a risk assessment to prioritize audit projects according to the level of potential risk, determine the nature, timing, and scope of internal audit procedures in direct relation to the level of risk, and develop a plan for carrying out internal audit projects in a risk-based manner. Prior audit findings, the entity’s strategic plan, and its financial statements are reviewed as part of the risk assessment process. Department heads and process owners are also interviewed with an emphasis on “what may go wrong” scenarios.

1.13 Role of internal audit

Internal audits will outline the steps you need to take and how to conduct them if you want to lower risks to your business’ operations, finances, cyber security, and other areas of concern. You need routine internal audits if you want to be sure your organization is abiding by the rules, regulations, and standards that are relevant to it and if you also want to save money and time when external auditors check your compliance. After defining management’s responsibility for internal controls and how internal audit might contribute to management fulfilling this obligation, let us examine some specific benefits that an internal audit function might provide to an organization and its management. Internal audit provides “reports” to management or the board directly rather than through an outside agency or adversarial body; it also improves the “control environment” of the organization. It increases responsibility within the organization by spotting redundancy in operational and control procedures and making suggestions to boost the efficacy and efficiency of procedures. It serves as an Early Warning System, allowing flaws to be discovered and corrected promptly. As a result, management would have a support system, risk manager, controls specialist, efficiency expert, partner for problem-solving, and safety net. There are so many advantages for businesses that we could write a book about effective internal audits. It suffices to remark that, aside from the expense of hiring an auditor, these highly skilled, accredited specialists are not cheap; there are not really any drawbacks. Additionally, automating allows you to cut expenditures.

2.1 Audit techniques

2.2 Methods during audit

1. Horizontal approach

2. Vertical approach

3. Review of documentation and records

4. Interview and discussions

5. Observation of inspections

2.3 Important steps in planning of the internal audit

Planning the Audit Schedule; Planning the Process Audit; Conducting the Audit; Reporting on the Audit; and Follow-up on Issues or Improvements Found. Auditing is a science with increasing importance in the last years [5]. Internal auditing is performed by a professional with specific scientific and professional background for technical and non-technical organizations, who is an employee of the audited company [6]. A managerial control activity is important for the evaluation of performance, nonconformities elimination, and ISO standards compliance is the important feature of the audit [7, 8]. As per data most organizations are not interested to be beneficiary from the internal audit process, to improve the system [9]. Alic and Rusjan [7]; Panhwar et al. [4] have discussed that internal audits are an improvement tool.

2.4 Effects of internal audit

The effects of internal audit help management to keep proper control of the assets, activities, and responsibilities. Internal audit gives confidence to management on the working of its system. There is biggest impact of internal audit on testing, calibration, and medical laboratories. As we know that testing laboratories are very important as per nature of work, these are directly relevant with our life. The huge investment on these laboratories is another aspect. To maintain the temperature is essential requirement, and ambient temperature is basic requirement (23 + −2°C) because temperature for the concerned test in laboratories is very important. Almost comfort environment is considered 25 + −5°C, if temperature is not mentioned in related method. In textile testing laboratories to maintain relative humidity is important; in other words, to maintain the temperature, relative humidity, to qualify in Proficiency Testing (PT), are effects of internal audit. Another benefit of proficiency testing is to validation methods, using in the laboratory.

2.5 Internal audit as an improvement

Additionally, internal audit reviews to lower product flaws and enhance quality controls are also included. Customers will be less likely to complain, productivity will increase, costs will drop, and profitability will rise. Internal auditors help businesses discover important risk issues. This enables the business to recognize present shortcomings and anticipate potential future issues. It also enables a business to pinpoint ineffective procedures and controls and presents a chance for improvement, aids in asset protection and lowers the risk of fraud, increases operational efficiency, and boosts financial stability and integrity, ensuring adherence to legislative requirements and the law. Compliance hazards are a simply type of risk that internal audit analyzes to assess how well the company’s risk management procedures are working. Compliance needs to be audited as a management function, usually via internal audit. Internal audit examines recent occurrences, whereas compliance must be involved prior to the creation of a new product, service, or agreement. Internal audit is in charge of the company’s overall risk management, whereas compliance is in charge of the three major risks of reputational, regulatory, and legal nature.

3.1 Levels of quality

The levels of quality that the authors talk about are:

• Acceptable quality

• Appropriate quality

• Aspirational quality

3.2 Skills and characteristics of an auditor

It is wish of majority of the people to be an auditor but not everyone can be a good auditor. Auditor should hold good communication and interpersonal skills, intelligent, good listener, good analytical skills with ability to assess the data and determine how it is related to the audit criteria, command over standards, regulations, audit techniques, as well as management skills. Auditor should check the compliance as per objective evidence, audit should be documented if found any irregularity. Audit in depth in any one clause, this audit type is necessary to find out the system errors. Auditor should be open-minded and mature, to communicate well, good listener, possess sound judgment with analytical skills; to understand the knowledge of conducting assessment, be updated regarding the latest relevant polices, have the skill to complete the tasks within time limits. Must be able to distinguish crucial and essential points, be able to perceive situation and can understand the role of individuals within organizations.

3.3 Principals for a good auditor

1. Honesty

2. Integrity

3. Impartiality

4. Good listener

5. No talkative

6. No leading questions

7. Positive

8. Open-minded

9. Punctual

3.4 Responsibility of lead auditor

The Lead auditor has to lead the team members, be able to support and guide the technical experts, can conduct introductory/opening as well as final/closing meeting. Have command on assessment process, planning, and preparing the audit and reports. It is prime responsibility of the lead auditor to assess the management system against required standards, have competence to review technical activities being evaluated by the team. The decision regarding the grading of the non-conformities, decision on time frame for corrective actions, and finally recommendations for grant of Certification lies with the lead auditor. The Lead auditor be able to make learn to his team about to conduct audit within time and manners, to collect the required/necessary information by effective ways, e.g., interview, listening, observation, review of the documents and records. Overall Lead Auditor should be firm in his opinion despite pressure to change the objective evidences and loyal to the policies/rules/regulations. There is another prime responsibly of the auditor is to provide comfort environment to his team members as well as auditee during the audit.

3.5 Auditor should avoid

The internal auditors should not take audit as a hunting of non-conformities, no act the role as police, and no criticize on system or individuals. No sharing of experience and examples of other bodies. The auditor should not show himself as a champion of the expertise or Jack of all trades. Auditor must not pretend that he has understood something that he does not. Auditor should remain neutral, positive, and avoid the dropping out at eleventh hour. During the audit the role of an auditor should be cooperative, never place the examples of auditor’s own organization, job, or environment.

3.6 Code of conduct for auditor

3.7 Questions in internal audit

The internal auditor should use/ask easy questions but must have control over the question (limit/number of questions). The auditor must avoid questions based on Yes or No, Leading questions on assumption basis, multiple questions, means question upon question without complete listening of first reply, provocative question, and any question without any meaning or meaningless questions. An auditor can ask questions with the help of seven best words such as what, why, When, When, How, Where, and Who, and the last/seventh word is SHOW ME. An auditor should start with general questions, continue into details if necessary. Distinguish between essential and unessential elements. Control the interview so that can collect the needed information. Planned aspects be assessed and auditor be polite and flexible for new solutions, and never think that (auditor) knows the best.

The following questions may be raised during the audit:

• What do you do with…?

• Why do you…?

• How often do you,,,?

• How did you make…?

• Where do you keep…?

• Where do you find information about…?

• Who has the responsibility for…?

• Can you tell me about…?

• When do you see…?

3.8 Questioning techniques: types of questions

The internal Auditor may use some or all of the following questioning techniques.

Hypothetical

Let us suppose that…

I do not understand

Can you explain it again please…

Systematic

OK, you have done this, this and this, what is next …?

Silent

Many people find silence uncomfortable, and will offer information.

Obvious

Ask the obvious question and hear a pin drop!

Unasked

Analyze the evidence out load, the auditee will interrupt with more information.

Inverse

Good for “resentful” auditee; e.g. do you have all the cooperation you need to do your job? Breaks the barriers.

Composition

OK. So the instruction says a, but you do b…..

3.9 Internal audit procedure

The inspection/certification/conformity assessment bodies shall have a procedure to ensure that the organizations have structure, time table, responsibilities, auditor’s qualification, training of personal and technical requirements for utilization of an internal auditor for the audit. The auditor must be aware of independence of the auditor, reporting requirements and information of the outcome and follow-up activities.

3.10 Training and approval of the auditors

The selection of internal auditors is also an important aspect of the audit. Before selection and approval of the auditors, it is necessary to evaluate the auditor in terms of education, external and internal trainings especially during recent years. The knowledge and command of the standard include relevant audit techniques. The auditors can be selected following the rule “Right person, Right Job, on Right time” from the organization, sister organization, part-time auditor, combination of above; but an auditor should be dedicated, committed, and having command over related standard.

3.11 Internal audit plan

The proper plan of internal audit is mandatory and according to the requirement of the standard all areas must be included. The plan of internal audit be given as planned activity well in time.

3.12 Internal audit’s structure

Following are the parts of the structure of internal audit. Such as Agenda of the internal audit, opening meeting, check lists, closing meeting, report writing (activity audited, findings, nonconformance, and recommendations for improvements), and follow-up audits.

3.13 Systematic approach plan

PDCA: Plan, Do, Check, Act.

3.14 Why audit reports

To find facts during audit of the organization, an informative report should and must be written clear and there must be no ambiguity in findings of internal audit. The raw data sheet is an essential document to report the facts found during the audit and be attached as evidence. Every sentence of the internal audit report should be no ambiguity and use 3 Cs: Clean, Concise, Complete.

3.15 ISO-19011 audit principles

ISO 19011 [1] is defined as a standard that provides guidelines for auditing management systems. This standard provides guidance on managing the audit program, audit principles, and the evaluation of the person responsible for managing the audit program. There are seven principles that need to be incorporated into an audit program to make auditing an effective tool for your organization and to make the collected data accurate and useful. These principles help you draw relevant, consistent, and useful audit conclusions. All audit members are expected to follow these principles during the audit process.

Integrity: The integrity of inner auditors establishes belief and affords the premise for reliability at the judgment. Auditors want to be ethical, honest, and responsible. If you aren’t able to audit a procedure, because of a loss of understanding, then you definitely want to stop. Audits want to be completed impartially to cause them to truthful and unbiased. Remember, you are auditing to affirm conformity you are not digging for errors.

Fair presentation: Audit findings, audit conclusions, and audit reviews must replicate truthfully, objective, timely, clear, entire, and as it should be the audit sports performed. The audit wishes to file the truth, as it should be and objectively. Any audit statements want to be primarily based totally on verifiable data and now no longer at the opinion of the auditor. Audit reporting wishes to be timely, clear, and entire in order that the data may be acted upon if necessary. If there’s a trouble in a procedure, this wishes to be said virtually all through the audit procedure, now no longer not noted all through the audit and simplest pronounced within side the audit file.

Professional approach: Auditors have to exercise due care according with the significance of the mission they carry out and feature the self-assurance for the audit consumer and different involved parties. Making affordable judgments primarily based totally at the significance of the mission is essential. If you are auditing a crucial function, searching deeper and taking extra samples is a great manner of making sure which you test thoroughly.

Confidentiality: Internal auditors appreciate the fee and possession of statistics they obtain and do now no longer divulge statistics without suitable authority except there’s a criminal or expert responsibility to do so.

Impartial/Independence: Auditors must be unbiased of the hobby being audited anywhere practicable and must in all instances act in a way this is loose from bias and war of interest.

Evidence primarily based totally approach: Internal auditors observe knowledge, skills, and revel in had to gather the proof and have to have basic evidenced primarily based totally approach. Similar to truthful presentation, the auditor wishes to have verifiable data to lower back up their audit findings and conclusions. These data basically come from facts of the procedure; however, they also can be statements of truth through informed employees or observations of sports. If there’s no proof of non-conformity, then non-conformity must now no longer be raised.

Risk primarily based totally approach: Considering dangers and possibilities within side the audit is critical to make sure which you recognition on extensive matters. Remember the two sorts of dangers that want to be addressed the dangers that the audit targets will now no longer be met, and the threat that the audit will adversely have an effect on the procedure being audited.

Culturally sensitive: Respect for the lifestyle of the auditee is vital for an auditor to efficaciously discover the statistics they want to decide if the deliberate preparations for the procedure are met.

Collaborative: Even though audits are completed independently, the general audit is frequently completed as a team, and the auditor will want to collaborate with that team, and the auditee’s employees, to get the activity completed.

3.16 Types of non-conformances

It is responsibility of the assessor’s in consultation with the technical assessors (if relevant). International guideline is available [10] on grading of non-conformances exist. The non-conformity may write after completely investigation/digging of clause.

Observation: If there is a minor gap in compliance as per requirement and there is a single instance that does not lead to destruction is given as “Observation” in result of audit.

Very Serious (Major): Systematic and/or extensive problem that may or definitely threaten the results and hence threaten the credibility of Conformity Assessment/Certification is considered as “very Serious” Non-Conformance. Very serious non-conformance must be corrected as soon as possible without wastage of time.

Essential (Minor): An essential non-acceptable single incident or a continuous problem (systematic) that must be addressed and corrected in a timely manner but does not have a destruction threat to the system.

Non-Conformities: Despite above grading of non-conformities, following are also considered non-conformity, if no follow-up of Management Review Committee (MRC) and violation of own procedures.

Note: If assessors are assessing as a team, then many single event non-conformities raised by different assessors/auditors can be combined to a systematic non-conformity. Avoid those non-conformances regarding direct to analyst of do not write name of any analyst in nonconformity. Nonconformity may write after completely investigation/digging of the clause.

3.17 Difference between evaluation, audit, and assessment

There is no much difference in the evaluation, audit, and assessment activities, but there is a difference between names of performing audit and auditee.