Developing an internal auditing capability within an organization is as important to the continued success of that organization as any other initiative or process. An "audit" is a systematic, independent, and documented process for obtaining evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. "Internal audits" are audits conducted by, or on behalf of, the organization itself for internal purposes, and can form the basis of the organization's self-declaration of conformity or compliance. A well-planned, effective internal auditing program should consider the relative importance of the processes and areas to be audited. Don't waste time on the unimportant. The success of an organization is the sum of the effectiveness of Management authority, responsibility, and accountability. They are, in turn, the sum of the manner in which Management deals with the findings of the internal audits.

The premise of this book, and my reason for creating it, is simple:
1. Our organizations (large and small, public and private) and, in fact, our lives are in danger from both physical and cyber-attacks, because we remain incredibly uneducated, unstructured, and vulnerable when it comes to threats to our security.
2. Organizational security can be upgraded profoundly through a well-developed program of internal and outside audits.
3. Similar or co-located organizations can combine resources synergistically. That is, the whole of the effort will be greater than the sum of its parts.

I have kept this work as compact as possible, so as to minimize reading time and maximize productivity. I write for no-nonsense managers with big responsibilities and limited resources. I refer often to four excellent ISO International Standards. They offer guidance for structuring effective management programs rapidly, regardless of whether or not organizations desire certification by accreditation bodies.
I invite you to use my approach to Risk Management, as explained in the pages that follow. You will find it an effective and uncomplicated method for developing and monitoring your strategic plans. Developing a security "mindset", using the checklists provided, and taking action on your findings will improve your security posture - immediately and continuously. Good luck, and now let's get to work.
Section One: Internal Auditing in General
Chapter One: Some Thoughts about Internal Auditing Before We Discuss Security (page 3)
Chapter Two: Benchmarking, Dashboards, Metrics, and Measures of Effectiveness (page 10)
Chapter Three: Risk Management (page 20)
Chapter Four: Hardening by Auditing (page 38)
Chapter Five: Synergy vs. Innovation (page 49)
Section Two: Organizational Security Management (page 55)
Chapter Six: Contingency Planning (page 57)
Chapter Seven: Business Impact Analysis (page 69)
Chapter Eight: Business Continuity Management (page 81)
Chapter Nine: Recovery and Restoration (page 89)
Appendix (page 99)
About the Author (page 137)
Some Thoughts about Internal Auditing Before We Discuss Security
Management consultants (like me) routinely help to set up or reorganize companies in order to help them to reach their full potential. With a little more effort, some of us give them the ongoing capability to effectively audit themselves, and to improve themselves on a continuing basis.
Points to Remember
[check] An "audit" is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. "Internal audits" are audits conducted by, or on behalf of, the organization itself for internal purposes, and can form the basis of the organization's self-declaration of conformity (compliance).
[check] Developing an internal (self) auditing capability within an organization is vital to the continued success of that organization.
[check] A well-planned, effective, internal auditing program should consider the relative importance of the processes and areas to be audited.
[check] The success of an organization is the sum of the effectiveness of management authority, responsibility, and accountability. They are, in turn, the sum of the manner in which management deals with the findings of the internal audits.
Management consultants, who can audit processes and train organizations to audit themselves, can be heroes to their clients, as well as permanent "value-adds". Audits provide practical, impartial feedback, and can save large amounts of time and money. Structured, proven management programs such as ISO 9000, 14000, 27000, and 28000 accentuate the value of effective internal auditing of organizational processes, toward a goal of continuous improvement. An organization must be able to identify and correct its own shortcomings, without relying on outsiders. Developing an internal auditing capability within a client organization can be as important to the continued success of that organization as the consulting engagement itself. More than ever, organizations must satisfy themselves and their stakeholders that they are as secure as possible from threat and attack. Moreover, they must realize that security can be more important than profitability.
Years ago, one of my many and often-frustrated mentors had a sign in his office that read: "Expect What You Inspect". That meant, as he "patiently" explained: "If you check on something routinely, before long you will be happy with what you see. If you hardly ever check it, you'll likely be unhappy when finally forced not only to look at it, but also to fix it; and if you inspect frequently, the area or function eventually operates well and continues to improve". Outside auditors audit against known standards; internal auditors should do the same.
Looking critically at internal operations and processes and comparing them with approved standards is the basis of internal auditing. An organization can develop its own internal auditing capability, or (you guessed it) can hire a management consultant. Either way, an effective program of internal auditing provides a comprehensive, self-sustaining evaluation and improvement capability for an organization. Its structure and administration can be inexpensive, but its contribution can be priceless to the client, as well as satisfying (and lucrative) to the consultant.
Organizations don't always do all the work required to establish effective internal auditing programs or adequately qualify internal auditors. As a result, audits tend to be perfunctory, biased, or sporadic. More important, critical audit findings may not be declared (and corrective actions not instituted). Instead of executing a meaningful measure of organizational effectiveness, unqualified and unmotivated auditors only waste time, annoy busy people, and turn everyone off to the potential benefits of internal auditing.
Auditing to "Approved Standards"
"Quality," in its most simplistic definition, is conformance with standards. Approved process standards are vital to the continuous improvement and competitiveness of an organization. They form the criteria with which meaningful self-assessment can be made. The ever-changing global marketplace has placed great emphasis on the importance of quality in all goods and services.
Internal Auditing
The best way to describe internal auditing is with two definitions from the ISO 9000 Standard.
* An "audit" is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
* "Internal audits" are audits conducted by, or on behalf of, the organization (client) itself for internal purposes, and can form the basis of the organization's self-declaration of conformity (compliance).
Properly planned and well-implemented internal audits provide management with an ongoing, credible, and structured measure of how well the organization is achieving its goals and objectives.
What does an Internal Audit look like?
Here are some characteristics of an effective internal audit program. I'll start with the obligatory acronym - that way we'll get it over with:
"SMART": Scheduled – Measurable – Accurate – Repeatable – Timely.
There, that wasn't so bad.
The first step is to define and schedule every "audit-able" process for an audit at least once per year. "Surprise" audits are marginally effective, upset auditees, and reinforce a "pass-fail" mindset. Processes compared against approved standards (pounds of waste produced, finished products per hour, etc.) are measurable. Checklists are important for audit structure and repeatability. Audit findings are therefore accurate. Findings generated during the audit must be repeatable. That is, a different auditor, auditing to the same standard, should come up with the same findings.
Last, the audit should be timely. Discovering a problem that occurred six months ago, or has been occurring regularly for the last six months is not as good as finding it early. As a manager, you already knew that. Sorry!
Internal auditors should be independent of the processes being audited, and should never audit their own work. Some of an auditor's (or a consultant's) most challenging moments can be trying to assure middle managers that their jobs will not be jeopardized or forfeit as a result of audit findings. To do this with genuine...