by Craig Cochran:
As with everything else in an organization, the internal audit program starts with top management. Auditing is meaningless without the full support and sponsorship of leadership. Does that mean that top management is going to have expert knowledge of auditing? Hardly. It’s rare that top management knows much about auditing. Top management establishes the audit program through three key actions:
- Selecting someone to lead audit program
- Communicating the audit program to the organization
- Ensuring resources for the audit program
There are other responsibilities of top management, especially related to analyzing trends in audit results and reviewing corrective actions, but we’ll address those later. The three tasks mentioned above specifically relate to getting the internal audit program started. Let’s discuss each of these tasks.
Selecting someone to lead the audit program
Top management is the starting point, but the audit manager takes the baton and runs with it. The term “audit manager” is arbitrary. The person leading the internal audit program could be called the audit manager, audit director, quality manager, lead auditor, or any number of other things. The key isn’t the individual’s title, but rather what competencies the person has. The most critical competencies are shown below:
- Communication. Communication is the oil that flows through the auditing engine. The audit manager must be equally adept at both written and verbal communication. He or she must have the experience to prepare carefully crafted communications that are very direct, but which also possess sensitivity and diplomacy. He or she must also be able to evaluate other auditors’ communication skills and provide feedback. Communication is possibly the single most important competency.
- Audit principles. These are the foundational ideas on which effective audit programs are based. They include such things as a focus on processes, not striving to find nonconformities, remaining unbiased, maintaining confidentiality, basing the audit on requirements and evidence, and being professional. These concepts were described in detail in the November–December 2014 issue of The Auditor (“Principles of Auditing”).
- Audit techniques and procedures. This topic comprises the hands-on knowledge of how an audit happens and includes audit planning, interviewing, evidence gathering, writing nonconformities, etc. Audit techniques and procedures are often learned through a lead auditor course, but there are many other ways to learn them. The audit manager should be well versed in the full range of audit techniques.
- Standard requirements. Most management systems are based on an international standard of some sort. The most common standard is ISO 9001 but there are many others. Thankfully, audit techniques generally remain the same, regardless of the standard being audited. One of the challenges of auditing is that you’re using two different sets of criteria for the audit: the international standard and the company’s documentation. In theory, the company’s documentation has been written to conform to the international standard adopted by the organization, but this connection is sometimes tenuous. Auditors have to keep their eyes on both sets of criteria as they conduct the audits.
- Company documentation. This competency category encompasses all the various documents written by the organization. This could include policies, procedures, work instructions, flowchart specifications, and many other information sources. The audit manager certainly doesn’t need to commit these to memory but should be aware of their existence and know which documents apply to which departments. Company documentation comprises the single most important source of requirements used during an audit because the documentation is generated by the company and presumably has more relevance.
- Diplomacy. This is the ability to communicate important messages without making people angry. Because auditing often reveals nonconformities and opportunities for improvement, diplomacy must always be applied. Most people don’t mind hearing how they can improve, as long as the message is delivered in a sensitive and balanced to way. Diplomacy, like all competencies, can be learned though it also tends to be an essential personality trait.
Communicating the audit program to the organization
Once top management has selected a competent person to lead the audit program, they must let the organization know what is coming. The communication doesn’t need to be grandiose—just a simple heads-up that the organization will begin doing internal audits of its processes. The communication will track very closely to the audit principles we discussed in my “Principles of Auditing” article, with a few extra topics thrown in. Here’s a basic outline of what top management should tell everybody:
- Audits will help us improve. That is the overarching message: The purpose of doing these audits is to help us get better. We will not only look for flaws in their processes, but will also look for strengths in our processes that should become the new standard. Our internal audits will be a truly balanced snapshot of how our processes are functioning.
- The internal audit will be led by [insert name here]. This is where you identify the audit manager and say a few words about why he or she is ideally suited to the role. Experiences with quality assurance, auditing, or improvement efforts are often cited. The point is to give everyone confidence in the person taking the lead and this can provide a warm welcome to the job. It’s most often the case that managing the internal audit process is not the only role of this individual, so he or she may already be well known to the organization.
- Audits aren’t intended to get anybody in trouble. Yes, our auditors will speak to a wide range of personnel throughout the organization. The focus of the audit will be on our processes, though. If there are nonconformities detected during internal audits, they’ll typically be treated as flaws of our processes and procedures rather than flaws of people.
- Everybody is expected to cooperate. When you see your department scheduled for an audit, make time for it. Tell your employees what to expect and make sure they cooperate. There’s nothing scary about an audit. Just treat it like a friendly conversation and don’t try to hide anything.
- Audits will be scheduled in advance. There will be no surprise audits. You’ll know when they’ll happen and you’ll know the topics of the audit. In this way, the audit will be a cooperative improvement event.
- Any nonconformities will be handled through corrective action. If we find problems, we will fix the processes. The objective is to make our work more effective and more efficient. Please note that corrective action is not the same as disciplinary action. Our focus will always be on our processes and procedures.
- If anyone is interested in auditing, please contact your supervisor. This final message is optional. The organization may have already hand-selected the employees it wants to serve as internal auditors. It’s common to be very familiar with the employees who are perceptive, detailed, and industrious. If you’d like a pool of applicants, however, this is a good time to ask for them.
You will certainly need to fine-tune the message, depending on your own unique circumstances. The communication can be provided through a variety of means, though in-person is preferable. When employees see top management talking about internal audits live and in-person, the importance is indisputable. It also provides an opportunity for questions and answers. Top management should plan on having the audit manager present to help answer any questions. All-hands meetings, town halls, or quarterly reviews are great forums that already take place in many organizations and these can effectively be adapted to talk about internal auditing. No matter what you do, don’t make the mistake of beginning an internal audit process without letting everybody know what’s happening.
Ensuring resources for the audit program
Like any organizational process, internal audits require resources to be successful. The resources are an investment in your organization’s success and could be correctly categorized as a preventive cost. Internal audits will identify problems and potential problems before they blossom into serious threats. The preventive costs of auditing are significantly less than the nonconformity costs of dealing with problems once they reach customers. Here are the most typical resources required for successful internal audit programs.
- Internal auditors. The single biggest cost of doing internal audits is the time it takes to carry them out. Auditors put their regular jobs on hold briefly while they audit. I generally recommend more frequent audits of shorter duration simply because they’re easier for the organization to digest and are less disruptive. Half-day audits, spread throughout the year, seem to work very well. This strategy of internal auditing enables auditors to spend at least part of the audit day on their regular jobs. At the beginning of an audit effort, it’s also recommended that auditors work in pairs. This provides a valuable opportunity for others to learn from each other and leverage each other’s strengths.
Imagine a hypothetical organization with ten departments or processes. We can begin to get a rough idea of how much auditing time might be necessary. The table below illustrates the investment:
|Process||Duration of audit||Number of auditors||Person days|
|1. Top management||0.5||2||1|
|2. Sales/customer service||0.5||2||1|
|TOTAL||5 days||2 auditors||10 person days|
In this hypothetical organization, it would require 10 days to perform internal audits over the course of a year. As auditors become more experienced, this time might decrease. For instance, auditors could work independently instead of in pairs, and the planning and reporting activities could be expedited. Internal auditing is still a significant investment, no matter how you cut it. The benefit you get from this is highly dependent on the time you put into it, though.
The size of your organization will dictate how many internal auditors you will need. These are some basic guidelines gleaned from many years of coaching and managing internal audit processes:
|Total employees in organization||Auditors desired|
|2 to 10 employees||2 auditors|
|11 to 15 employees||3 auditors|
|15 to 20 employees||4 auditors|
|21 to 30 employees||5 auditors|
|31 to 50 employees||6 auditors|
|51 to 100 employees||8 auditors|
|101 to 200 employees||15 auditors|
|201 to 300 employees||20 auditors|
|300+ employees||20-25 auditors|
Choosing the right number of auditors is a balancing act. If you have too few, your auditors will get burned out and will hate doing it. If you have too many, they won’t perform enough audits to gain experience and have confidence in their own performance. The recommended numbers in table 2 take both points into consideration, but they are by no means cast in stone. Every organization has to experiment with and see what works best for it.
- Auditor training. Once you’ve selected auditors, they have to be trained. This training generally requires at least two days, and it’s usually recommended that the training be provided by an external organization with experience in adult learners. After you have an established audit program, it is possible that you could provide the training internally, but starting out an external training provider will prove more effective. If you have four or more employees to be trained at the same time, it’s usually cost effective to bring the training on-site to your organization. In this way, the examples and exercises can be tailored to your unique environment.
It’s recommended that at least one employee receive lead auditor training. This is typically a five-day training course that takes place at an offsite location. Lead auditor courses address auditing from every angle and stress the management of the overall audit program. The audit manager would be an obvious candidate for this type of training, if he or she hasn’t already received it.
We will address auditor training in more detail in another article.
- Problem solving training. The next type of training is not aimed at the auditors, but rather the other side of the equation: the auditees. Specifically, the people who manage the processes being audited. When nonconformities result from an audit, corrective actions will be generated. These corrective actions might include very meaningful process improvements, or they might just include some fancy words that amount to nothing. It all depends on how well people understand what corrective action is all about. Your managers and key personnel will most likely need training on how to take effective corrective action. This training could go by a number of different names: problem solving, root cause analysis, corrective action, process improvement. Regardless of the name, the consistent theme is that it will provide a systematic and disciplined way to taking corrective action on audit nonconformities. Problem solving training is typically provided in one or two-day formats, though there are courses that can run significantly longer.
About the author
Craig Cochran is a project manager with the Georgia Institute of Technology Economic Development Institute. He has served in management roles in multiple industries-including textiles, glass manufacture, semiconductor, and telecommunications-for nearly twenty years. Some of his specific areas of expertise include customer feedback methods, auditing, development of key measures, organizational development, management systems of all types, and problem solving. He is the author of ISO 9001 in Plain English published by Paton Professional.