INTERNAL AUDIT AND LEGAL COMPLIANCE EVALUATION

INTERNAL AUDIT OF MANAGEMENT SYSTEMS

1
Internal audit training/QCM/AYAT
Definition of the audit
Systematic, independent, and documented process allowing to obtain evidence
objectiveset to evaluate them objectively to determine to what extent
the audit criteria are met.
The audit is an examination that allows for the evaluation:
ó
The existence, application, and adequacy of a quality system in relation to
fixed reference at the start.
The main purpose of an audit is to assess the need for action, improvement or
correction.
The audit is then considered as a tool for progress and it is:
ó
ó
ó
in an inspection,
not a means of control,
not a mode of surveillance
Objectives of internal audits
ó
Determine the adequacy and conformity of system elements to the requirements
specified (internal and standards), their documentation and the implementation of the
requirements;
ó
Determine to what extent the implemented system is effective for
reach the objectives;
ó
ó
ó
Provide the opportunity to enhance management systems;
Verification of the implementation of corrective actions.
THE AUDIT STANDARD ISO 190011
ó
ó
ó
ó
Principles of auditing;
Management of audit programs;
The skills of auditors;
Applicable to all organizations for internal or external audits
Structure of the standard
The standard consists of 7 articles:
ó
ó
ó
ó
ó
ó
ó
ó
Article 1: Scope of application
Article 2: Normative References
Terms and definitions
Principles of the audit
Article 5: Management of an audit program
Article 6: Audit Activities
Article 7: Skills and Evaluation of Auditors
Annex A illustrates the application of the guidelines of Article 7 to different
disciplines.
ó
Annex B provides additional guidelines for auditors.
on the planning and execution of audits
Principles of auditors:
ó
ó
ó
Deontology
Impartial presentation: to report in an honest and accurate manner;
Professional conscience: making informed decisions in all situations
audit situations;
ó
ó
ó
Confidentiality: information security.
Principles of audits
Independence: the foundation of audit impartiality and objectivity
audit conclusions;
Evidence-based approach: Audit evidence should be verifiable.
DEFINITIONS
Definitions
ó
Audit program:
Set of one or more audits planned for a specific duration and directed in
a specific goal.
ó
ó
ó
audit field:
Scope and limits of an audit.
audit plan:
Description of the activities and the necessary arrangements to carry out an audit.
Audit criteria:
Set of policies, procedures, or requirements used as a reference.
of which the objective evidence is compared.
ó
ó
Audit evidence:
Records, statements of fact or other relevant information for the criteria
auditable and verifiable.
Audit findings:
Results of the evaluation of audit evidence collected, against the criteria
audit.
ó
ó
ó
Audited
Organization that is audited.
Auditor
Person with the necessary skills to carry out an audit.
Audit team
One or more auditors conducting an audit, assisted if necessary by experts.
techniques.
The program audit manager
Must have the skills and competencies in the following areas:
ó
the activities, products, and processes of the audited;
the legal requirements and other appropriate requirements related to activities and products
of the audited;
ó
ó
ó
A general knowledge of the principles of auditing;
An understanding of management system standards and the documents of
Responsibilities of the program manager
ó
The appointment of the responsible auditor for each audit based on the objective.
and the nature of the audit, the date considered, the availability of staff, etc.;
The allocation of adequate resources for the conduct of audits, namely the
availability of auditor(s), the necessary budget, the required time, and the means
appropriate;
ó
ó
ó
ó
Support to the audit team if they are facing ongoing issues.
of the audit;
The conservation of audit documents to ensure continuity in the program
of audit ;
The aspect of improvement of the entire audit program, namely training and evaluation
listeners.
The audit team
ó
preferably an audit team, with a minimum of two auditors:
ó
this ensures better objectivity;
ó
obtain a second opinion if he has doubts about an aspect.
ó
a responsible auditor for each planned audit.
Responsibilities of the audit manager
ó
ó
ó
ó
ó
ó
ensure to clearly define the purpose and scope of the audit;
form the audit team;
proceed with the preparation of the audit;
act as an auditor during the audit;
prepare the audit report;
carry out the audit follow-up.
Auditor's responsibility
ó
ó
ó
ó
ó
attend the opening meeting;
go out into the field to question people;
observe the activities related to the audit;
gather the necessary evidence to support one's observations;
documenting his observations and making an objective assessment regarding his
compliance;
ó
participate in the preparation of the preliminary report that will be presented to the audited during
the closing meeting
ó
ó
participate in the drafting of the final audit report;
In any case, he must provide his assistance to the responsible auditor.
The work of the auditor
Throughout the audit, the auditor will need to inquire about certain aspects such as:
ó
ó
ó
Are the procedures and other work instructions being followed in the
progress of activities;
Can the auditor assess whether the staff has the necessary equipment?
environment and all other adequate resources to achieve the
tasks assigned to them;
ó
Is it possible to assess the effectiveness of systems based on observations?
do it.
Responsibilities of the audited
ó
Informing employees about the audit being conducted;
ó
Throughout the audit, he must cooperate with the audit team by responding to their inquiries.
requests; he must therefore be available and make it easier for them;
As the audit aims to improve the SMS, it must provide all the
requested information;
Following the audit, the sector manager is responsible for preparing a plan
corrective actions to address any situation that would have been deemed non-compliant.
ó
ó
THE AUDIT PROCESS
The audit program
Objectives and scope of a program
ó
ó
ó
ó
ó
ó
ó
The priorities of management;
Trade policy.
The requirements relating to management systems;
The legal and regulatory requirements;
The client's requirements;
The needs of other stakeholders;
the risks for the organism and the workers.
Audit program management
ó
ó
ó
ó
ó
ó
ó
ó
ó
Management of the internal audit program;
The audit procedure possibly;
Internal audit plan;
Field of application;
Frequency;
Duration;
choice of listeners;
audit follow-up;
Mastery of documents.
Implementation of the audit program
ó
ó
ó
Report to management.
Establishment of the audit program (5.2; 5.3)
ó
ó
ó
ó
Objectives and scope
Responsibilities
Resources
procedures
Implementation of the audit program (5.4; 5.5)
ó
ó
ó
ó
ó
Audit scheduling
Evaluation of the auditors
Formation of audit teams
Management of audit activities
Recording conservation
Surveillance and review of the audit program (5.6)
ó
ó
ó
Surveillance and review;
Determination of needs for corrective and preventive actions;
Identification of improvement opportunities.
6
Internal audit training/QCM/AYAT
Factors affecting frequency
ó
ó
ó
ó
Processes that have known or potential problems;
the uncontrolled processes that could create problems;
the processes for which training is an important factor;
the work environments where staff changes frequently.
Factors influencing frequency
ó
ó
ó
ó
ó
the areas where new or significantly modified processes have been introduced;
security
the risks;
reliability
new design features or innovative techniques.
THE PROCActivityand of audit
Triggering of the audit (6.2)
7
Internal audit training/QCM/AYAT
ó
ó
Appointment of the head of the audit team;
Definition of the objectives, scope, and criteria of the audit (standards, legal texts and
regulatory, internal procedures, etc.
ó
ó
ó
Determination of the feasibility of the audit;
Formation of the audit team;
Establishment of first contact with the audited.
Preparation of audit activities (6.3)
The preparation objectives:
ó
For the listener: make the listener aware:
ó
ó
ó
of the objective of the audit,
of the scope of application,
take the time to conduct a preliminary audit investigation.
ó
ó
ó
For the audited: make them aware:
of the objective and the scope of application,
of the audit schedule.
ó
Review of relevant management system documents, including
records, and determination of their suitability according to the criteria
of audit;
Preparation of the audit plan
ó
Distribution of tasks within the audit team;
ó
Preparation of working documents: during the preparation of the documents
work (, it is appropriate for the audit team to ask the following questions for
each document
‹
‹
‹
‹
What audit record will be generated with this working document?
Which audit activity is concerned with this particular working document?
Who will be the user of this working document?
What information is needed to prepare this working document?
Implementation of on-site audit activities (6.4)
ó
ó
ó
ó
ó
ó
ó
ó
Conducting the opening meeting.
Conducting a document review during the audit.
Communication during the audit.
Assignment of roles and responsibilities of guides and observers.
Collection and verification of information.
Production of audit findings.
ó
The audit is finished when all the activities described in the audit plan have been completed.
carried out or otherwise agreed upon with the client (for example, unforeseen circumstances not
not allowing the audit to be completed according to the plan).
Audit follow-up implementation (6.7)
ó
The conclusions of the audit may mention, depending on the audit objectives, the
need for corrections and corrective actions, or improvement.
These actions are generally decided and carried out by the auditee within deadlines.
If applicable, the audited party should inform the responsible person.
the management of the audit program and the audit team on the progress of
these actions.
ó
ó
It is important to verify the completion and effectiveness of the actions taken. This
Verification can be an integral part of a subsequent audit.
The initial (opening) meeting
ó
ó
ó
ó
ó
The introduction: presentation of the audit team to the members of management
audited participant in the meeting.
The purpose and scope of the audit: it must confirm the purpose and scope
of the application of the audit, of which the audited party had previously been informed.
The confirmation of the audit plan: it must confirm that the audit plan that has been
sent to the audited is always acceptable.
The confirmation that the various services have been informed and that a representative
The management will be available in each department visited.
The clarification and explanations: provide the audited management with the
necessary explanations regarding the audit process so that the conduct of
this one takes place without incident.
ó
The organization of the closing meeting: he must confirm the time and place where it
will hold the closing meeting and request the presence of all participants.
The audit report
The auditor must try to express non-compliance with the following elements:
ó
ó
ó
the requirement;
the nature of non-compliance;
tangible evidence (documents, products, contracts, etc.).
The methods of gathering information
ó
ó
ó
Interviews;
The observation of activities, and
The document review.
The closing meeting
The program contains:
‹
‹
‹
‹
Acknowledgments.
Participation.
Object and limits of the audit.
Importance of the audit sample.
‹
‹
‹
‹
‹
The findings of non-compliance.
Summary of the audit.
Clarification of non-conformity findings.
The follow-up.
Closure of the meeting.
The audit report
V
V
V
V
V
V
V
V
Information related to the audit.
The object.
The scope of application.
The audit team.
The summary.
The initial meeting.
The closing meeting.
Requests for corrective actions.
The process of corrective action
10
Internal audit training/QCM/AYAT
The designated person of the audited is responsible for:
ó
ó
ó
ó
ó
The determination of the extent of the problem.
The correction of non-conformities.
Establishment of the root causes.
The implementation of the corrective action.
The formal modification of operational procedures or rules
professionals to prevent a resurgence of the problem.
The audit manager is responsible for:
ó
ó
ó
Verify that the corrective action has been taken.
Check that the corrective action is effective.
Close the non-compliance file.
the audit process
AUDIT TECHNIQUES
Basic knowledge
It is important for the auditor to know and apply the following elements:
‹
the scope of the audit, which will allow it to limit the covered points to those that
are relevant;
‹
the domain of the applicable system standards, in order to be precise in
the examination of the system;
‹
‹
‹
‹
the contractual and regulatory requirements.
a minimal knowledge of the products or processes involved,
a working method that promotes a systematic and orderly approach;
the knowledge of the audit process and the art of asking questions.
This last element is important, because even if it has the first elements, its
the task will be more difficult if the listener is not a good communicator or does not know
not the audit process.
Requirements for an auditor
ó
ó
ó
ó
The knowledge of standards and reference documents.
A general knowledge of the industry.
Knowledge of specialized industry.
Applicable legal and contractual requirements, and other applicable requirements
to the audited.
ó
ó
ó
ó
ó
ó
ó
ó
An experience of auditing processes.
Maturity and professionalism.
The analytical faculties.
Communication process
ó
ó
ó
ó
7% by the words
38% by the tone of the voice
55% through facial and body expression
It is just as important to listen as it is to speak when one ...
communicate with someone.
Communication during the audit
ó
It may be necessary to establish formal arrangements for communication.
during the audit within the audit team and with the audited.
ó
The audit team should regularly meet to exchange information.
assess the progress of the audit and redistribute the tasks among the auditors
if necessary.
ó
The head of the audit team must regularly inform the audited party, if
necessary, the client of the audit, the progress of the audit and any
difficulty (e.g., the report to management at the end of the day).
Communication must be done regularly.
The auditor must immediately inform the audited party, if necessary, the client.
from the audit, of any evidence found during the audit that suggests a
ó
ó
12
Internal audit training/QCM/AYAT
immediate or significant risk (e.g., related to safety, the environment, or to the
quality).
ó
ó
ó
Any issue regarding a question outside the scope of the audit must be
noted and communicated to the audit team leader to determine the
appropriate actions.
When the available audit evidence indicates that the audit objectives are...
unachievable, it is appropriate for the head of the audit team to report them
reasons and obtain approval for any necessary changes.
It is necessary to review with the audit sponsor and to get approval.
by this one and, where applicable, the audited, any need for modifications to the field of
the audit.
The behavior
ó
Positive and negative behaviors have effects on sponsors,
audited and the auditors.
ó
Behavior breeds behavior, that is to say, the way we act
has a direct effect on the behavior of others (our interlocutor will
tendency to imitate our behavior).
ó
One must know how to choose one's behavior: if one opts for courtesy and politeness,
our interlocutor will do the same towards us
The reluctance
ó
Reluctance is a natural human reaction of a person who feels threatened.
challenged or evaluated in one way or another.
Some people have a negative reaction when they are offered help.
it is often about the type of people "who know everything" who often lack
of insurance.
ó
ó
ó
Most people are reluctant to face difficult problems; most of
we fear confrontation, while others are uncomfortable in such
situations.
Reluctance often manifests when there is a breakdown in communication between two
people.
During the audit, it is likely that the auditor will encounter reluctant individuals;
for example, a person who:
ó
constantly asks for more details or always asks for clarification
the questions;
ó
prefer to remain silent, giving very few answers (or not offering
not even any) ;
ó
ó
ó
ó
attack the listener;
is said to be bewildered;
questions the methodology;
affirms that the problem no longer exists.
How to react to reluctance?
ó
Give the opportunity to the sponsor or the audited to express themselves openly.
hesitation without interrupting her—this can help to calm her fears.
Stay attentive to non-verbal messages, which usually constitute the
true answers.
ó
ó
Do not take this attitude personally, as it is rather functional.
of the situation or the process—or the role of the auditor;
simply trying to master one's own behavior in order to remain in control of it.
situation and to complete the audit.
Obstacles to communication
ó
Physical obstacles such as background noise during discussions in a
noisy environment where information obtained from a secondary source can result in
erroneous observations;
ó
ó
Words can take on different meanings depending on the person who uses them or
who hears them.
We perceive different things from the same information; our
instruction, our education, our work environment, our culture are all the more
elements that will affect our way of perceiving things.
Regardless of the importance of the audit, the auditor must pursue the objectives of
the audit and, above all, to maintain control.
ó
ó
The auditor also has a responsibility, which is to provide assistance and support.
complete cooperation throughout the audit.
The questions
ó
Formuler les questions avec les mots :qui; quoi, pourquoi, où, quand, comment,
how much.
These ask for a precise answer.
Follow a logical order:
ó
either by starting from the beginning to the end
either by going back from the end to the beginning.
ó
ó
ó
Avoid answering your own questions.
Do not ask a question whose answer is known by tangible evidence.
Ask the question to the one most capable of answering it (the one who accomplishes the)
task);
ó
Restrict the intervention of managers during employee interviews.
The auditor, while remaining diplomatic, must strive to obtain the response from
employees
Types of questions
Open questions:
What do you do when...
Explain to me how you....
What are the advantages of ...
Closed questions
Do you do this when....
Do you use the procedure...
Hypothetical questions
If it were to happen that...
Let's assume the following situation...
fourteen
Internal audit training/QCM/AYAT
Describe the procedure in the case where...
Verification and confirmation questions
I do not understand your answer.
Can you explain it to me again...
give me another example...
- Did I understand correctly when...
Systematic questions
follow the progression of the work or process
who does what, when, how, why?
Attitude to adopt when asking questions
ó
ó
ó
ó
ó
Speak clearly and carefully;
Watch the audited;
Be attentive to the response;
Give credit where it is due;
Lighten the atmosphere.
Listener behavior
ó
Be calm and polite
By disturbing you or showing his emotions, you reveal a lack.
of control.
ó
Be punctual
Being on time shows that you are aware of the importance of the audit for
the audited.
ó
ó
Be precise
Ask direct questions that require short and precise answers;
please clarify vague answers before proceeding;
Be prepared
Have all the necessary documentation; good preparation makes it easier.
work and engenders respect.
ó
ó
Keep the sense of proportions
Make sure that small mistakes do not take on exaggerated proportions.
Being human
The audit is a source of intense stress for the audited; make them comfortable in the.
measurement of the possible.
ó
ó
ó
Being decisive
Make a decision as soon as you have enough information.
Stick to the audit
Keep control of the audit to minimize time loss;
To be just
Base your judgment on real facts, not on preconceived ideas or
prejudices;
ó
Being attentive
Listen, understand and analyze the response of the audited before worrying about
the next question.
15
Internal audit training/QCM/AYAT
Difficulties with an audit
Way of doing
Waste of time
Attitude to adopt
Mention the fact to the audited
Ask specific questions
Stay calm and polite
Provocation
• Refuse and collect your samples
for evaluation.
Sample provided for analysis
Be well prepared; know the
facts, be firm.
Show a little sympathy (by
politeness) and continue.
Test of strength
Mercy
Appeal to the higher level
to explain to you the reason or
provide a substitute.
Absenteeism
CONCLUSION
ó
ó
ó
ó
ó
Having a clear objective
Strictly use the methodology
Inspire the desire to progress
Informer
Working in a group
16
Internal audit training/QCM/AYAT