20 Common Mistakes of an Internal Audit. Plain Speaking From an ISO Consultant
In my role as an ISO Consultant, I’ve been delighted to observe many an ISO internal audit done very well indeed. The value added to the business, both by doing better business, and not having to engage a consultant to sort out messes, is significant. When Internal Auditing works, it works very well indeed.
Yes, you’ve guessed it. When it becomes dysfunctional, it really does do some damage to the long-term willingness of the enterprise to engage with the standard. And it wastes staff time simply due to a task being conducted badly. Then there’s the cost of additional days of an ISO Consultant’s time in putting things right. Now, I don’t really mind the latter, as it helps to underwrite my wife’s shopping habit, but it certainly does distress my professional conscience. It really does not have to be like this.
So, some points on what goes wrong.
- Utilising staff that do not believe in the value of the standard (and the need for audit).
- Not making Senior Management aware that you add value.
- Simply reiterating old audits to “tick boxes”. Audits need to change with the business.
- Issuing out-of-date, over-long, factually incorrect, over-detailed and generally non-user-friendly reports.
- Focussing on insignificant problems, rather than broader, more business-critical issues.
- Lack of quality communication (minimal rapport, outward suspicion) with those audited. This includes lack of informal socialising!
- Audit team not truly understanding the areas of the business they are auditing, including technical, regulatory and current industry sector issues.
- Re-auditing after an external audit, again to tick an (irrelevant) box. (No need to redo work that has been done by others.)
- Lack of professional standards in punctuality, dress, protocol, use of time.
- A “hit and run” approach – not following through on actions. Not being available or responsive.
- Not sharing and explaining audit tools, such as flow charts, walk-through documentation, key performance indicators, etc.
- Having reports that are negative and destructive in approach and tone.
- Not attending business strategy meetings.
- Transferring blame, declining to take ownership of issues.
- Finishing audits even if they don’t need finishing, such as when you have already determined key controls are working.
- Having no team personnel turnover. No new blood – or thinking. Or…
- Having too little experience or continuity.
- Hiding behind distance and independence and not adding value via “team participation”.
- Monitoring the wrong KPIs (key performance indicators).
- Not continually educating Senior Management about the top inherent areas of exposure, as well as residual risks.
- Being a data-provider, not a knowledge-provider. An internal audit adds value through application of findings, not just by supplying findings alone.
- Not “selling” the audit across the organization via every possible means. Talk to key stakeholders!
And I pose the following tough but revealing question: if you had been a client, would you have paid for your last audit?
Written by Colin Brown of ISO Consultants