The Top 5 reasons why your internal audit programme may be failing

October 2024.

When our team of management system consultants and certification auditors look at a system for the first time, they often find that the organization's internal audit programme is not working as well as it should be. We have come up with what we believe are the top 5 reasons why, and they are listed below.

1. Tick and flick

Is this scenario familiar to you?  The audit programme includes a number of records. Every item in those records is ticked, and there is a name and date at the bottom. On face value, that may seem to be acceptable. However, there are no details on what was checked and there were no issues identified or any other observations made. Without details on what was checked, the veracity of the audit is unknown. Also, while it’s possible that the audits found absolute perfection in the way a process is being implemented, the chances are that the reality is different. It’s more likely that the audits were skin-deep at best. As certification auditors ourselves, we sometimes find items that had previously been ticked at an internal audit were in fact not compliant at all. Without any details on what was checked it’s impossible to verify.

2. Cramming for the exam

Picture this…The third-party certification is due next week and (as always) they will be looking at the internal audit schedule and records. But there aren’t any. Nothing has been done since the last external audit. The panic begins. Quick…get some internal audits done urgently. Audits are then hurriedly performed over a day or two involving whoever is available.

The result is that yes, audits were performed and there are records. That’s OK, but were the audits a genuine attempt to verify that the organisation is doing what it set out to do across its various processes and activities? Were the audits likely to lead to any efficiencies or other improvements? Probably not.

3. Auditors not skilled in the role

A person may be an excellent administrator, technician or manager, but that doesn’t necessarily make them an excellent auditor. All roles have their required skillsets and abilities – and auditing is no exception. An auditor should have a reasonable knowledge of the subject they are auditing, but the role also requires some very specific skills: the ability to plan for and prepare an audit, perform the audit – including interviewing people, observation, and knowing the appropriate records to check – then documenting concise yet informative audit reports and communicating the results. It is rare for an untrained person to know what is required of an auditor and to instinctively perform the role to a good standard. The ISO management system standards require people to have the necessary competence for their work – and that includes your internal auditors.

4. Poor systems

In many businesses that we visit for the first time, we find an internal audit schedule documented in a spreadsheet with individual records in a word-processed document in a folder. The spreadsheet lists the same audits every year. When an audit identifies issues, they are noted on the audit record or sometimes in a separate document. Issues usually get communicated to the relevant manager at the time. It is up to them what actions they take. If they are not available at the time they may be sent an email. The auditor usually emails the Compliance Manager to advise that the audit is complete, and they usually update the spreadsheet. All these steps are very manual, and they usually happen but not always. It’s very difficult for the Compliance Manager to really know the status of the audit programme or about any actions that were taken to address the issues identified. Unfortunately, sometimes no action has actually been taken. In general, such arrangements as described here are time-consuming, inefficient and rarely effective at helping to maintain and improve the management system.

5. Not understanding the purpose and value of internal audits

Perhaps all of the above reasons have their root cause in not understanding the purpose and value of internal audits. The problem often takes root (excuse the pun) when a management system is first implemented. Without a genuine understanding of that purpose and value, internal audits are just another item on the to-do list. The ISO standard specifies them - so they are done, but perhaps in a matter-of-fact way that doesn’t quite hit the nail on the head. The result is often that they are not effective at achieving the intended purpose of verifying that the system is working to achieve its stated objectives, and offer little value to the organisation and its stakeholders.

Solutions

So, that’s our top 5 reasons why internal audit programmes don’t always work. If one or more of those seems to fit your organization, then you have a problem. However, the good news is that there are solutions to all of them.

Let’s look first at solving the issue of not understanding the purpose and value of internal audits. All management systems need checks to ensure that they are being effectively implemented to meet requirements. An internal audit programme is therefore a mandatory requirement of standards like ISO 9001, ISO 27001 etc. This means that your management system cannot be certified without them. Failures of the internal audit programme are one of the most common reasons for nonconformances at external certification and surveillance audits. So, we can clearly see that a good internal audit programme is essential from the compliance perspective, but what other value can it add? Well, here are a couple of illustrations of its value-adding capability.

  • While on day one, a documented management system may be a fair reflection of what goes on in practice, over time things have a habit of changing. For example, new tools and methods are used. Without careful change management practices, that can lead to documented procedures, plans etc. no longer reflecting the reality. An internal audit is the ideal way to verify that the documented system does in fact match the reality. Where there is a discrepancy, the relevant management can decide whether to update documents or bring people back to their intended way of doing things.
  • Internal audits can detect errors and omissions. That discovery may well occur before they have led to any significant harm being caused. The value of this cannot be over-stated. Early detection of errors and omissions may prevent inconvenience to clients, avoid a harmful data breach, prevent distribution of a faulty product, minimise damage to the environment or even avoid illness or injury.

The Tick and flick issue can be quite readily solved with just a little bit of effort and good intent. There should be an expectation that a checklist item in an audit report includes a note of what was checked. That expectation can be made known to internal auditors by way of a documented procedure that states the requirement, and ultimately a check of the audit process itself. When we create an audit schedule for clients, we always include an audit of the internal audit itself – you might call it checking the checker. Of course, to maintain impartiality and objectivity, that one should be performed by someone other than whoever has conducted the other audits.

To avoid cramming for the exam, an internal audit programme should be scheduled to take place by individual topic-specific audits over a defined period. A year is the obvious time frame in most cases. For our Qudos3 clients, we add internal audits into a software-based schedule and both the auditor and contact person are automatically emailed reminders.

There are really three solutions available to internal auditors not being skilled in the role:

  • Recruit one or more people that already have the competence needed.
  • Provide training for your audit team to gain that competence.
  • Simply outsource some or all of the internal audit process.

The issue of poor systems is addressed by introducing dedicated software to operate the management system – including an internal audit programme. The audit schedule, audit report, issues and action forms and the communications between them can all be integrated and automated. Apart from anything else, the small investment in software will save time and money in man-hours, and lead to fewer errors and omissions.

Let us help you

Qudos has a team of qualified auditors that can help you build a great internal audit programme

Qudos Club is all about helping you with your management system. It's free to join and you will get access to newsletters, resources and more.
