By Jackie Stapleton
An internal audit program is crucial for managing a company’s schedule of audits and reviews. These programs are set up with a focus on risk, ensuring that areas with the highest importance or risk get attention first or more frequently.
Without this focus on risk, a business might find itself conducting audits just for the sake of it, rather than reaping the benefits of managing risks, spotting areas that need improvement, or taking corrective action. This oversight could lead to issues and mistakes that affect the customer and, ultimately, the business’s bottom line.
Case Study: Overlooking Crucial Changes in Internal Audit Programs
Background: During the preparation for a certification audit, an interesting situation unfolded with a client in the communications industry. The aim was to ensure a seamless audit process, and part of the preparatory steps included a routine check-in with the client’s top management prior to the audit.
Challenge: In the course of the conversation, an unexpected admission came to light. The client’s top management mentioned that no internal audits had been conducted in the past year. The rationale provided was that there had been no significant changes within the organization to warrant an audit. This statement was initially parked as an interesting comment, since the focus at that time was on preparing for the upcoming certification rather than on conducting an audit.
Discovery: As the dialogue progressed, a critical operational change was disclosed. The client had recently transitioned their Level 1 support desk from Australia to the Philippines, introducing a new structure where only escalated issues would be handled by the Level 2 team back in Australia. This significant operational shift had not been captured or considered within the context of the company’s internal audit program.
Resolution: The conversation circled back to the earlier admission regarding the lack of internal audits. It was suggested that, given the risk-based nature of their internal audit program, it was imperative to reassess the situation. The relocation of the Level 1 support desk to the Philippines represented a substantial change, potentially introducing new risks that needed to be evaluated and managed. The client was advised to consider this shift as a high-priority area for their next internal audit, ensuring that the new offshore support operations aligned with the company’s standards and expectations.
Conclusion: This case underscores the importance of maintaining a dynamic and responsive internal audit program. Organizations must remain vigilant and adaptable, recognizing that significant operational changes, like the restructuring of support services, necessitate a review and possible adjustment of the audit focus. By doing so, they ensure that the internal audit remains a robust tool for risk management and continual organizational improvement.
ISO 19011:2018, Guidelines for auditing management systems, states that when planning the audit programme, priority should be given to allocating resources and methods to matters in a management system with higher inherent risk and a lower level of performance. The audit programme should also be reviewed in order to identify needs for changes and possible opportunities for improvement.
Dynamic Risk-Based Audit Cycle (DRBAC) Model
By following the DRBAC Model cycle, the organization ensures its audit program is continually refined and aligned with its current operations and risk profile. This dynamic approach helps to maintain the effectiveness of the audit program and supports the organization’s overall risk management strategy.
Risk Identification: In this initial phase, the organization systematically identifies potential risks that could impact its operations. This involves analyzing internal processes, external events, and other relevant data sources to pinpoint where vulnerabilities and opportunities lie.
The goal here is a comprehensive list of risks, prioritized by their likelihood and potential impact on the organization, together with the areas that would benefit from being included in the audit program for continuing review.
Planning and Implementation: Drawing from the identified risks, the organization then moves into the planning phase. This involves developing a strategic audit plan that aligns with the business’s objectives and risk profile.
Decisions are made regarding the scope, timing, and frequency of audits, with a focus on areas of higher risk. Following the plan, audits are implemented accordingly, ensuring that resources are optimized and directed where they are most needed.
Review and Improvement: Post-implementation, this phase involves a thorough review of the audit program itself. The focus here is to evaluate whether the program is still fit for purpose in light of any changes within the business environment. Have new risks emerged? Have existing risks escalated or diminished? This review ensures that the audit program remains relevant and covers all aspects of the business that could impact performance and compliance.
Update and Adapt: Based on the findings from the Review and Improvement phase, this final stage is where the necessary changes are made to the audit program. Any new or changed risks that have been identified are incorporated into the program, ensuring it is up to date and reflects the current risk landscape.
This may involve adjusting the scope of future audits, changing frequencies, or reallocating resources to ensure the audit program remains a robust tool for risk management.
This article first appeared on Auditor Training Online’s Lead The Standard newsletter and is published here with permission.