Defining The Internal Audit Scope Of Work

An internal audit scope of work is the scope of what is being audited. This can be limited to a particular area or function of an organisation or cover an area or set of processes used. Internal audits are one of the best tools to drive continual improvement within an organisation if used correctly. It encourages improvement of products, services, procedures, and documents and increases the quality and capability of the entire organisation.

Internal audit is a review of the proper and reliable functioning of the internal organisation carried out by auditors, using a systematic and disciplined approach. An internal audit is an audit carried out to validate compliance of an organisations processes and is a requirement across the management system standards such as ISO 9001, ISO 14001, ISO 27001 and ISO 45001 amongst others.

The internal audit scope of work is depending on the focus area as illustrated in a few examples below:

• Quality audit
• Environmental audit
• Information security audit

Quality Audit

A quality audit is all about ensuring you know what the customer want, that your processes are controlled to ensure consistency and continual improvement of your product and services.

It looks at how you manage outsourced processes and vet your suppliers. Ensure everyone has the competence required to do their job. Review how risks are identified and any issues raised are being properly dealt with.

Environmental Audit

When environmental audits are conducted, the internal audit scope of work is all related to the environmental impact of the organisation. It looks at how the organisation has identified its environmental aspects and the associated potential impacts. It looks at the waste generated and how KPI’s (Key Performance Indicators) are set to continually reduce the environmental impact.

Information Security Audit

The internal audit scope of work for this type of audits are related to information security which has a wide spectrum. Just to name a few of the items to cover here, then it could be the physical security of a site, policies on remote working, how equipment is securely disposed of, how information security is managed with third parties and many others.

Preconditions for Internal Auditor

Position within the organisation

In order to be able to function properly in the organisation, the internal auditor must have sufficient authority. The internal audit should therefore be the direct responsibility of the organisation’s top management. Top management should communicate the importance of the internal audit program and issues raised by the internal auditor must addressed within due course.

Embedding in the Organisation

When internal audits are carried out effectively and efficiently, there is an insight into the functioning of the business operations. Performing an internal audit is therefore more than checking off a checklist, it must provide useful information. It is therefore very important that everyone within an organisation knows what the purpose is of the internal audits. They should be seen as a tool to drive continual improvement and not as something used to punish people when issues are identified. Good and clear communication is a prerequisite for this.

In order to be able to provide good guidelines for the auditor, an organisation draws up a code of conduct in which all internal standards and values are discussed. These are the agreements to which all employees within the organisation must adhere. These codes of conduct are usually related to the company culture of the organisation.

Compliance

It is very important for an organisation to have all matters relating to legislation and regulations in order. A compliance officer is often appointed for this purpose. This person facilitates, advises and manages the laws and regulations relevant to an organisation and ensure they comply with them. The internal audit scope of work when auditing compliance is to check whether compliance with laws and regulations is part of the business operations.

Reporting and follow-up activities

The internal auditor shall report his/her findings to the person responsible for the audited area or process. Once the report has been issued, the audit results are followed up. The findings of the report are discussed with those responsible and with the executive employees in order to take action based on them.

If you would like some advice on setting up your internal audit program or outsource your audit function altogether, then contact us for a free consolation to discuss how we can support with your project.