An often overlooked part of your company’s compliance system is the internal audit schedule.
If you aren't careful, your internal audit schedule can cause a lot of waste. You could be auditing things that don’t need to be audited.
You should always be looking for where you can save time and add value to your systems. Reviewing and updating the internal audit schedule is a great place to start.
This blog comes from an ongoing series that originated from "26 Ideas for Working from Home for Compliance Professionals".
Audit Based on Risk
Firstly, not everything needs to be audited.
Your systems should be audited based on risk. This means that the higher the risk, the more frequent the audit. The lower the risk, the less frequent the audit.
So not all your systems are equal.
To help, all the recent ISO standards provide guidance here. They suggest there are 3 things to consider:
- The importance of the systems to your company.
- Are there any changes to your company?
- What were the results of the previous audit?
What Needs to Be Audited?
Next, to help you identify what should be audited and how often, here are a few methods that you can quickly apply.
These will save you time and free you up to do more value-adding activities.
- Use a set of criteria to determine importance, risk and frequency of audits.
  - Here is a simple example:
    - High importance + high risk = High frequency of audit
    - Medium importance + high risk = High frequency of audit
    - Low importance + high risk = Medium frequency of audit
    - High importance + medium risk = High frequency of audit
    - Medium importance + medium risk = Medium frequency of audit
    - Low importance + medium risk = Low frequency of audit
    - High importance + low risk = Medium frequency of audit
    - Medium importance + low risk = Low frequency of audit
    - Low importance + low risk = No audit needed
- Some companies have a standard "annual audit of our policies". Reconsider this and look at auditing them, say, every 2 or 3 years.
- Use data from your management system and identify what parts of your business cause you concern and then increase or decrease the audit frequencies based on that data.
- Look at previous audit results to determine the frequency.
  - If there were no issues identified, then simply decrease the frequency.
  - If there were some major issues, then maybe increase the frequency of audit.
- Review your external audit reports. Look for areas of concern and focus the audit and frequency on that.
- Consider that if your company or processes have not changed and your staff are competent and have good training records, why would you need to audit them?
- Audits and frequencies can be added, increased or decreased, but should be based on evidence.
Change that Schedule
Finally, update your audit procedure. Include the new criteria.
Change the audit frequencies to free up time for your organisation.
Get your management team to understand and agree that the internal audit frequencies are based on risk and importance.
Always remember audits and schedules are fluid. They should be reviewed and changed based on risk, importance to the organisation and data and not on the old thinking that everything should be audited at the same frequency.
This approach will free up you and your organisation to do more value-adding activities.