How to Audit an Internal Audit Program

Performance Improvement Solutions for Your Business Needs July 2007
In this issue

  • How to Audit an Internal Audit Program
  • Guide to SOX 404 Assessments
  • Responsibilities of a Process Owner
  • Training Courses

    Greetings!

    Welcome to the Sustaining Edge Solutions E-Newsletter.

    Our newsletters provide guidance on operational and quality systems ISO 9001, AS9100, ISO/TS 16949, TL 9000, ISO 13485, ISO 14001, and others. This includes process improvement methods Six Sigma, Lean Enterprise, and other topics of interest to our readers.

    If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.


    How to Audit an Internal Audit Program

    How do you audit an internal audit program? Let's begin by reviewing the definition of an audit from ISO 9000:2005, Fundamentals and Vocabulary, clause 3.9.1. An audit is:

    “a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.”

    In other words, an audit is a planned, organized, and documented set of activities performed by impartial and objective auditors. The audit process collects evidence from an area to evaluate conformity to the applicable requirements. Audit evidence is factual, not based on opinion or hearsay.

    The sources of audit evidence are:

    1. Statements (noted during audit interviews)
    2. Observations (made watching the activities)
    3. Documents (reviewed before and during the audit)
    4. Records (examined to evaluate past conformity)

    The primary audit criteria are:

    1. Standard (e.g., ISO 9001:2000)
    2. Company (organization’s requirements)
    3. Customer (as expressed in contracts and orders)
    4. Legal (from statutes and regulations)

    According to ISO 9001:2000, clause 8.2.2, internal audits must be conducted at planned intervals to determine if the quality management system conforms to planned arrangements, requirements of the standard, and requirements of the organization.

    In addition, internal audits must verify that the quality management system has been “effectively” implemented and maintained. The responsibilities and requirements for planning audits, conducting audits, reporting results, and maintaining records must be defined in a documented procedure.

    An audit program includes all the activities needed to plan, organize, and conduct the scheduled audits. The audit program must be planned to consider the status and importance of the areas to be audited, as well as the results of prior audits.

    The audit criteria, scope, frequency, and methods must be defined. Auditors must be selected to carry out impartial and objective audits. This doesn’t mean that you must show organizational independence, just that auditors can’t audit their own work. Management must ensure that corrective actions are taken without undue delay to eliminate the detected nonconformities and their causes. Follow-up activities must verify that the actions were implemented and report the results.

    ISO 9004:2000, Guidelines for Performance Improvements, clause, suggests that an organization:

    • Establish effective and efficient internal audits
    • Assess the strengths and weaknesses of the QMS
    • Use audits as a management tool for an independent view
    • Obtain objective evidence that requirements are met
    • Ensure improvement actions are taken on the results
    • Permit changes in emphasis based on evidence
    • Develop plans with input from the areas to be audited

    When reporting the audit results, ISO 9004:2000 suggests you share evidence of excellent performance, provide opportunities for recognition, and motivate people. Remember, these are guidelines, not requirements. A nonconformity report can only be written against a requirement of the standard. However, the absence of a suggested audit practice may identify an opportunity for improvement to include in your audit report.

    Guide to SOX 404 Assessments

    The Institute of Internal Auditors has published “Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners”. The Guide incorporates guidance from the U.S. Securities and Exchange Commission, the Public Company Accounting Oversight Board, The Institute of Internal Auditors, and the real-world experience and insight of practicing internal auditors.

    The Guide focuses on how costs can be minimized without impairing the effectiveness of your internal controls. It also discusses the interplay between the requirements of Section 404 and those of Section 302, which requires annual and quarterly certifications by the chief executive officer and chief financial officer that include assessments of the internal controls.

    Internal control is broadly defined as a process designed to provide reasonable assurance regarding the achievement of objectives. The Guide notes that an internal control system, no matter how well conceived and operated, can provide only reasonable, not absolute, assurance to management and the board regarding achievement of an entity’s objectives. Management has a great deal of latitude in describing the condition of its internal controls. The only formal requirement is that they don’t assess the controls as effective when there is a material weakness. The assessment should clearly describe management’s opinion.

    What is the true condition of the system of internal control at the end of the year? Is it sufficiently robust to provide reasonable assurance that material errors will either be prevented or detected? The investor should be able to read the assessment and understand whether the company has adequate controls to run the business and report the results.

    Responsibilities of a Process Owner

    To understand the term “process owner”, let's begin with the definition of a process. A process is a set of interrelated or interacting activities that transforms inputs into outputs. The inputs of a process are the outputs from other processes. Processes are planned and carried out under controlled conditions to add value.

    A Process Owner is a person who is given the responsibility and authority for managing a particular process. Most organizations find it useful to appoint individual process owners and define their responsibilities as ensuring the implementation, maintenance, and improvement of their specific process and its interactions with other processes.

    Process owners take an organization-wide view of their processes. They may not truly “own” the process, in that some of the people involved in carrying out the process may not report to them. Instead, the owner is responsible for the design of the process: how it is carried out, how it interacts with other processes, and how it is measured. This responsibility is an ongoing task.

    Process owners have responsibility for their specific process, end-to-end. However, as stated earlier, this does not mean that all the staff involved in a process actually report to the process owner. Process owners usually have responsibility for most steps in the process and are able to influence other key areas outside their direct organizational control.

    Process owners should ensure the following activities are completed:

    • Describe its links and interactions with other processes
    • Identify its documentation and training requirements
    • Issue and maintain any procedures and instructions
    • Make available necessary resources and information
    • Operate and control an effective and efficient process
    • Resolve any problems and prevent their recurrence
    • Communicate process changes to the process users
    • Analyze performance data and set quality objectives
    • Track progress against process performance targets
    • Investigate and propose process improvements

    Process owners can use the Plan-Do-Check-Act methodology to improve their processes: 1) planning what to do and how to do it, 2) doing what was planned, 3) checking the results to see if things happened according to plan, and 4) acting to improve the process the next cycle.

    In summary, a process owner is the person immediately accountable for creating, sustaining, and improving a particular process, as well as being responsible for the outcomes of the process.

    Training Courses

    Our July-September course schedule is now posted on our website.

    To see the course description, schedule, and on-line registration click on the course title below. Courses are awarded Continuing Education Units.

    All courses can be delivered at your company. Don’t see a course, location, or date that fits your needs?
