Speaker 1: In today's presentation from Mango, you're going to learn how to conduct internal audits in your organisation. Hi, it's Craig Thornton here from Mango. In today's training session, you're going to learn how to set objectives for your internal audit, what are the five key principles of an internal audit, what are the roles and attributes of an internal auditor, what sort of behaviours should an internal auditor present, the audit techniques on how to actually conduct and question people, the audit process, how to conduct an internal audit from the planning through to the report writing. We then discuss how to do that planning in detail. And finally, we discuss the report writing. So let's start off with the objectives of conducting an internal audit. The first one really is to determine whether your systems actually meet the standards set by your management team or by your customers. So these standards could be ISO standards, these could be customer requirement standards, these could be standards that you've set your own organisation, that means that you're operating in a safe or secure or not polluting the environment or your staff are safe. Secondly, you're going to determine whether your systems are actually working. So are people actually following the systems? Are they actually producing the outcomes that you want for your organisation? Not just them following the process, but are the outcomes of the objectives of the organisation, are they being met? The third objective really is to determine compliance with statutory requirements or OSH requirements. So there could be some statutory or legal requirements, maybe health and safety at work acts, depending on your industry, maybe some ISO 45001 which is safety standards or a 9001 quality standards or ISO 14001 which is environmental standards. There's a whole suite of different standards and legislation that needs to be met. So you need to work out when you're creating your internal audit, what's the objective of doing that internal audit. The other objective is to find and collect objective evidence. So evidence to prove that you're actually following your procedures. And then finally, it's an ideal way for internal audits to actually find some improvement opportunities, because you may be talking to frontline staff and they have some excellent ideas on making improvements. Okay, so there's sort of five key principles of an internal audit. The first one is that the internal auditor needs to be independent of the process. So they need to come in with a fresh set of eyes and be independent from that process. So they're finding things that mean they're outside of their influence. So make sure that the internal auditor that's coming in to do the internal audits is independent of that process. The internal auditor needs to be systematic. So they need to conduct the planning. So they need to plan carefully before they actually go in and do the audit. They just don't turn up on the day and start the audit. They've actually planned it. They've read through maybe some documentation. Maybe they've done some early interviews with customers of that process. But they need to be systematic. They need to be planned. They need to be organized. And they need to maybe even have a checklist just to make sure that that process is systematized. They need to be system-based. So they're looking at the system. They're looking at making sure that that management system is operating. They're not actually looking at the person. They're not looking at the personality of the person actually being audited. They're actually looking at the system. So you want to try and focus completely on the system. You want to be objective. So you're looking for facts. You're not looking for opinions or outside influences that aren't objective. So you need to be looking for evidence. So the internal auditor must be objective in their discipline. And the audit needs to be standard-based so that you're actually auditing against something. So that could be an ISO standard or a legislation standard. Or it could even be your policies or your procedures. Those are standards as well. So those are the five key principles of an internal audit. Let's move on to the roles and attributes of being an auditor. So the auditor there really is to obtain information. They need to look for information that is part of the audit. They're not there to look elsewhere. They're looking for information. They're also looking for improvements and maybe looking for problems that may be causing issues inside of that particular process. And they can be there to facilitate solutions if that's required as part of the audit. But in most cases, I wouldn't recommend the facilitating of solutions. But the auditor needs to be properly trained so that they can actually undertake the audit. Supposedly, they need to be sufficiently experienced about the process under audit. So they may be a technical auditor that knows a lot of the technical detail of the process or the system under audit. But certainly, they need to have experience and know what are the outcomes that are part of that process. So if the process is to have an outcome of delivery on time or delivery to specification, then the auditor needs to be experienced enough to be able to say whether that's actually right or wrong. The auditor needs to be accepted by the person being audited. So you don't want conflict or any political sort of outside influence that may mean that the auditee doesn't accept the auditor. And the auditor also needs to be a good communicator. So they need to be able to ask nice, clear questions. They need to be great at listening. They need to be good at conducting in-entry and exit meetings. And they need to be good at actually report writing and reporting what was actually seen and found on the audit so that it's nice and clear and it's understood by all. Okay, so let's have a look at the behaviours. So once you're actually in the audit, what sort of behaviours do you expect the auditor to have? So they need to be fair, maybe in well balance, so they now understand what is right and what is wrong. They need to be objective, so they're not subjective and coming in with their own opinions. They need to be objective and actually looking for objective evidence. And if that evidence is there, they need to be able to question staff to understand that the objective evidence that they're getting from the staff can be verified. They also have to have some level of confidentiality so that the information they're providing is confidential and maybe if it's not confidential, it's maybe released outside of that confidence, then it could put that auditee at risk. Again, good communicator, so be able to question and listen at the same time and be able to write nice, clear, understandable reports. There needs to be some cooperation between the auditor and the auditee so that the evidence is actually presented fairly, so that both sides are cooperative. The auditor also needs to have the customer in mind so that if the customer is wanting a particular requirement, then the auditor needs to be focused on that requirement to make sure that's what's actually getting delivered. They need to be ethical so they can't be underhanded and undermine the audit with unethical behaviour. They need to be analytical, so they need to be able to understand maybe complex details and be analytical in that and make a judgment call and be able to be analytical about that. And to be able to be a good judge so that when they're looking at the evidence, they can see right from wrong and judge what's good and what's bad. So mostly the audit techniques will be around questioning. So let's have a look at some audit techniques around the questioning. So the first type of questioning is open questions, asking the auditee open questions and get information from those open questions. So begin with who or what or why or how as a way of or even show me could be a good one for an open question. So rather than a closed question that may not elicit a lot of information, you want to maybe ask more open than closed questions. You can ask closed questions, but purely just to get confirmation that something's right or wrong. That's a yes or a no. So sometimes you can ask a closed question just to clarify or just to get confirmation, not to clarify, but just to get confirmation that that answer is correct or not. But my favorite really is the clarifying question, which is sort of taking, say maybe some misunderstandings or maybe some open questions or closed questions have not been very clear with the answers. Then you can ask show me or can I see or let's take a look at. Those types of opening of questions means that you're actually going to get some information from the auditee that hopefully clarifies maybe some misunderstandings or clarifies in your mind as an auditor that the information is nice and clear. But the main thing you're going to be doing is listening. So as an auditor, you're going to be asked questions by the auditor. But as an auditor, you want to be talking way more than the auditors or as an auditor, you want to be asking a question and then shutting up. So as an auditor, you want to be listening for 90% of the time and understanding what's actually going on in the process and being very clear of what's happening. And you do that by listening. So you just don't want to be talking over the auditee. You want to be listening to their answers and maybe taking some notes. OK, so just some overriding techniques or hints that you can use. When you are actually interviewing people, you just don't want to regurgitate the question maybe from your checklist. The checklist there really is only a guide. So just don't regurgitate the question. Pitch the question in such a way that the auditee will understand and will be able to verbally give back you the answer so that it's nice and clear. So you just don't want to regurgitate something that's on a checklist because from their answer, they may go off onto a different tangent and actually provide more value elsewhere that's not even on your checklist. So just don't regurgitate questions from your checklist. Use your checklist as a guide or prompt to help you along the way. A good idea is to follow your nose. So when you ask the first question and you get a hint that maybe there's some issues or some problems, then maybe follow down those issues or those problems and understand what's actually going on. You may have a whole bunch of questions that are in a particular order that you think is right and it may just follow the company's procedures. But when you're actually getting out on site, you may see that that's not actually the way that things follow through. So just don't regurgitate what's actually in the company's procedures. Just ask an open question because the person might be presenting information as work is done rather than as work is planned. So you may want to see the gap that's between those two. You want to be presenting positive body language as well. When you're talking with an auditee, you want to be looking them in the eye, nodding. Head nodding is a very attractive way of getting more information from people because you're acknowledging what they're saying, you're being positive about it and you're nodding in agreement maybe with some of the information. And they may want to give you more information to get more head nodding. But try not to raise your eyebrows or shake your head in disagreement. Just understand what's actually happening and be very positive with your body language. And finally, an internal auditor is not there to do a gotcha to say, ha ha, found something wrong. It says here in the procedure you're doing this, but you're doing something completely. You're not there to do a gotcha. You're just looking at what's actually happening and trying to understand why those things are happening. Okay, so the audit process, right at the start, you want to plan your audit with maybe a checklist or a whole bunch of questions that you want to ask during the audit. But you want to plan the time, book the auditee, book an entry meeting, book an exit meeting, make sure that everybody's available, that you maybe want to read some of the documentation before you turn up on site. So 30% of the audit process is just in the planning phase. So this is normally skipped as part of an internal audit. I would highly recommend that you spend about 30% of your time just doing that planning phase. I always recommend having an opening meeting with the auditees, maybe with them and their boss, and 5% of the time spent on that, just getting an understanding of how our work is conducted, just purely in an entry meeting or an opening meeting. Now's the time to actually go in and do the audit and you're looking at your findings, you're looking at and observing how things are occurring and any NCRs or non-conformance reports. Are there any non-conformances occurring? So 30% of your time is actually conducting the audit either on site or remotely. And then finally, well not finally, then you have an exit meeting where you discuss those findings, those observations, and any non-conformances and you agree those with the people in the exit meeting. So get an agreement on those issues that you have found and discuss and debate those. And then finally you conduct or you provide an internal audit report, again 30% of your time. So then you're presenting all your findings, your observations, your NCRs, your planning, and we'll go into a little bit of detail about that later on. Okay, let's have a look at the planning part. So you'll have an audit schedule that you'll be following, but in that planning phase you're going to be looking at what's the objective of this internal audit? What are we trying to achieve? What's the scope? How does this process actually operate from what starting point to what ending point? So what's the scope of what are we trying to achieve and what are we trying to look at? You may want to have an audit team. So you may want to have maybe two or three people on your audit team and they may be technical advisors if you're lacking some of that expert knowledge to be able to understand some of the technical detail that you may be looking at. Also in that audit planning you're wanting to coordinate with the audit team, make sure that they're available on site and that they can be available to answer any of your questions and they have the appropriate documentation. So you need to obtain any required documentation as part of the planning phase. Now you head into the entry meeting. So introductions, you just confirm with the audit team the scope that you're looking at. You may want to clarify any questions that they may have so make sure you ask have they got any questions or any concerns when you're out there on site or doing things remotely. And then also agree on the exit meeting. When are you going to have the exit meeting? So any non-conformances, any issues, anything like that are discussed and debated. And you need to arrange for any staff when you're on site including the auditee if there's any people available to escort you around the organisation. So once you are on site, again like we said before use a checklist purely only as a guide only. So it may be early questions will be on your checklist but as you go around you may come up with other questions that aren't even on your checklist. So just start off with the checklist for a start and then build on that as you go around. Collect objective evidence as you're doing things. So you may have a notebook where you're recording evidence and you may want to record certain bits of evidence with references to cross-reference later on. And if you have any non-conformances there put down the details of the non-conformance not just have it as conjecture but actually have real objective evidence with dates and times and sign-offs and things like that. You want to spend a bit of time evaluating the results of what you've found. So just make sure that what you're looking at and we'll look at it in the next slide a little bit more detail about that. You want to evaluate are we actually looking at something that is a non-conformance or not. And then you're wanting to generate any findings so corrective actions or non-conformances look for any improvements as you're going around. So you want to generate those as you're going around noting those in your notebook. So back to the evaluation of the audit findings The first one there, if you're finding an error you need to ask the question, is this an isolated error? Is this something that's minor? And so you need to decide if it is minor then maybe that's just a one-off or if you feel that it's not minor and it may be reasonably a major then you may want to sample further data and just see if that's actually occurring. Any other minor errors? If you find a minor error you may want to look wider at the process and maybe look at another part of the process to see whether that error has come through. You need to determine, is that really a non-conformance? So look at the standard, look at the policies and procedures Is this significant? Is this not significant? You need to make a judgment call on that. Look at the category that you've categorized if it's a minor then maybe that's not something to worry about but if it's a major error then categorize it correctly and maybe get agreement from management on that. You need to make sure that you've looked at sufficient data to make a judgment. So as a one-off, it could just be a one-off but if it's not a one-off then you may want to look at three or four other areas or maybe even five areas to see, is that actually happening in these other areas? And then assess, it's not really your job to assess the potential corrective actions but if you've got experience in this area then give your advice if you feel it's necessary. Next up, once you've done all of that and you've recorded all your non-conformances discuss all of those findings in an exit meeting. So sit down with the auditee and maybe their supervisors or managers and discuss any of those findings and make sure you get acceptance from the auditee of those audit findings. There's nothing worse than turning up later and finding a non-conformance that you knew nothing about. So make sure that you get acceptance from that and then close the meeting so that everybody knows that that particular audit is now completed. Finally, let's head into the report writing. You want to keep a record of how the audit was conducted. So you want to clearly define in the audit report what was the purpose of the audit? What were you trying to achieve? What was the scope? And you'd already determined the scope as part of the planning so put that into your audit report. Define any references, so you're looking at any standards or any policies or procedures with inside of the organisation. Any forms or any checklists that you looked at, put those as your references. Define who your audit team was. It could just be yourself or you had a team of other people. Talk about in your audit report what documentation you looked at, what things were covered inside of that documentation. It could be checklists or templates or forms but also all the records that you looked at and the policies and the procedures. What equipment did you look at? Did you record, make sure you record what equipment you looked at and even discuss what maintenance was done on that. Any resources that were required as part of the audit. And discuss the audit findings in a positive and negative light. So you may just not want to do things in a negative way or the non-conformances. You want to present the report in a positive light as well. And of course the final part is look at what deficiencies were found. So there you go. That's the internal auditor training for internal auditors in your organisation.