Speaker 1: In this short video we're going to run through how to write an effective internal audit schedule. We're going to use one of our templates that's available to you which you can access from our website free resources. We'd like to take this time to ask you to subscribe to our YouTube channel and follow us on LinkedIn. My name is Chris Daugherty, I work for FQM. We are a QHSE consultancy training and software organization focused on making compliance simpler. So an internal audit schedule is something that's required as part of your compliance to ISO and various other international standards. A lot of people use a traditional approach to internal auditing and undertake audits based on the standards or based on maybe something that's been prepared for them by an external consultant. What we really want to talk about here is getting the greatest return on investment of your internal audit process. After all you have invested in training internal auditors, you're giving the time away from their normal day job to do internal audits therefore you want a return on that investment. So one of the key things is what is an internal audit schedule or plan. So it's a list of internal audits that you need to do, it should identify what the scope of the audits are, it should identify who the auditors are, who or what will be audited, some date and timeline around that and requirements to meet where appropriate an international standard. Whether that be ISO 9001, 45001, BRC food safety for example. One of the things we want to talk about in more detail is taking a better approach so that it is a risk-based internal audit schedule and therefore you are putting your attention and focus in the right place. So the first way to do this around the method is we want you to identify the risks and weaknesses in your business. Not something I can tell you not knowing your business, not something really an external consultant can do perfectly well. You know your business so put a small team together to have a small session 30 minutes, one hour shouldn't be any longer than that. Go through your different procedures and processes and activities that you do within your business and identify the areas where you believe are potentially the greatest risk to your business or the weakest links in your business. Remember also that these can be the links between processes and therefore doing an audit on a standalone process might not be the most beneficial for that activity. It might be more appropriate to audit for example three different processes or procedures together to see the interaction of how they link between one another. It's then important to grade them according to how important it is to you or how high a risk they have to your business and again I want to stress that this is something that is important that's done within an organisation. You know your business, you can look back or think back to the past couple of years and think about areas that have brought about concern or weaknesses or have caused issues with your customers or your supply chain and look at that and grade that. You may want to use low, medium, high or some other methodology. Also don't forget about your critical suppliers. Critical suppliers if they're a fundamental part of your business and they potentially could cause additional risk or weakness in your workplace or the services you provide to your clients then you must consider them as a critical process within your business. Therefore why would you not include them as part of your internal audit schedule. It is important to remember here that it doesn't necessarily mean that you have to go and visit them. It doesn't necessarily mean that they have to come to you. It could be a desktop exercise that's sufficient to satisfy the criticality of that supplier. So what's the benefits of doing it this way? Well focus is given to what is important inside your business. Not what's required by an international standard or an external auditor or suggested by a consultant. It's what's important to your business and remember it should be a live document. So make changes as additional weaknesses are uncovered. What we mean by that? So where we see an increase in the number of customer complaints, an increase in the number of issues with a particular supplier, an increase in our scrap rate or a rework rate or service provision recalls or warranty claims. Where these things happen, yes we have to put improvements or corrective actions in place but think about updating your schedule so that you bring those weaknesses or risks or concerns in and put additional focus on them. You want greater return on your investment. That time you put in to doing the audits should not just be about ticking boxes to satisfy an external auditor. You must move beyond that. It's about getting that return on investment so that you can drive improvements in your business and give you confidence that the actions you've taken to correct weaknesses are working well. It also means you can focus less on multiple audits. So less audits with more focus. Also you can get more engagement from your workforce. Rather than doing these audits based on what an ISO standard has said or an external consultant, let's do the audits with the people in your workplace for the people in your workplace. Let's give them the opportunity to report areas of concern that they know about. Often the people doing the work are the ones that are experiencing the higher risks, the concerns, the face-to-face interactions possibly with unhappy customers, the face-to-face interactions with always addressing supplier issues. So more engagement with the workforce improves that and of course it's a focus on improvement. The other area I want to talk about is not just about repeating the same audits time after again every year. Think about doing your audit schedule over a three-year certification cycle and when you look at your audits and your processes and risks, think about grading them and making a case for how often you should be auditing them. So low risk things, maybe that you don't have to audit them at all if you've got a case not to or maybe you're auditing them once in a three-year cycle. Medium risk activities you may say well I think again once every two to three years might be sufficient but remember it's a live document so if any of these processes have additional weaknesses or risks that appear over that three-year cycle you may need to upgrade them from medium risk to high risk. Then maybe you might look at high risk and say well for high risk we're going to do these once every year and then you may also have critical. Critical typically will be only a handful of processes or activities or procedures that are really fundamentally critical to what you do and you know that they have a critical risk level in your business if not well controlled and also you may know that there are could potentially be some weaknesses. These you may decide to do two or three times a year therefore to give you more focus on the things that are important to your organisation. We're now going to jump out and have a look at what an internal audit schedule looks like. So when we look at this internal audit schedule which has been partly prepared we want to show you an example of what it could look like and the methodology around this. So as before I mentioned that a team of individuals may come together within the business broad spectrum from different areas and they may identify what the different processes and procedures are within your business. Based on these processes and procedures you can then put a criteria around these and this criteria I'm going to show you down here on this demo is from low to critical with some colour coding and with some guidance around how often we would be doing audits. You can see that I have applied the colour code to these different processes and procedures noted down in this column and also for additional benefit for my external auditor I've also identified the appropriate ISO clauses that align with those processes or procedures. This is not really for my benefit this is simply for the benefit for the external auditor makes it simple for me to present it to that auditor. I've then gone through the process of working in my small team to look at the schedule and identify which areas are critical, high risk, medium risk and low and apply them appropriately to the scale that we've decided being once every three years, once every two years, once a year and maybe a couple of times a year. And what we've done is put inside each of these boxes the initials of the auditors that we believe are the appropriate person to undertake this audit so that as much as possible they have a degree of separation from the actual activity that's happening. So what's important to recognize here is that we've also locked off a few months. This is not a requirement it's just an example where we can show you that there are certain months in the year in this case our year end which is so critical from a financial point of view that we really don't want to disrupt what's going on at all within the business. Therefore we are blocking off all of the March, Marches, month of March within each of our years. You can see at the top here we've created the schedule over a three-year window based on our three year certification running from March 2020 through to January 23. You can also see that we have created an area here where it counts the number of audits in a month. Now that's also very important as a little tip because what you don't want to have is periods within the year where you're doing excessively large numbers of audits and other periods where you're not. Ideally you want your audit schedule to be rolled out across the full year. The best process of delivering these audits is minimal amount of interaction regularly. So what we're looking at there is maybe 30 minutes possibly one hour maximum for each of these audits unless they're grouped together and then maybe looking at doing that every month so someone is interacting. Now of course this is dependent upon the size of your organization, the criticality, the number of auditors you have. It may be that you don't need as many as this. This is just an example and we've recorded evidence of this as a separate document linked to our management review which we can present to an external auditor that says here is the output of our brainstorming session associated to creating a risk based internal audit schedule. So for example we may scroll down a little bit further we see here that critical risk items might be quite appropriate so we've got two operational activities here which are critical and something that's medium risk. We may decide that these operations are so closely linked together and interlinked with each other that it's important to do them at the same time. So we may say here that we are going to do these particular activities at the same time with the same auditor. So we may simply identify these here and put the red against this and the orange against here but we may also simply just try to show that these activities are linked together and therefore we may use some other methodology of showing that. So we may want to say that these are being done by this individual at the same time and we might want to link them together in some way. This is evidence to show that these are being done together and you might want to put some key associated to that. Key message here is that it's a live document so if something has been an issue let's say this particular process here which is being done once every few years we might see that this suddenly has been escalated to high risk because of some issues. We don't change the audit that's been complete but we may add in additional audits that need to take place throughout the next couple of years just to give us some confidence that this is working and identify who the individuals are that are going to do these audits and it's possible also you might want to mix up who the auditor is to get other people's opinion on it. So hopefully that's given you an idea of this particular schedule as a template is available to you on our free resources area on our website. We would like to ask individuals who are seeing this through being shared on LinkedIn or other places please follow us on LinkedIn, follow our company page as well as my own page Chris Daugherty and it would be great if you could also subscribe to our YouTube channel. We've lots of different free videos, free training sessions that we offer on there and we welcome any feedback you give us. Thank you.