Internal Audit – What Does It All Mean?
As an organisation that embarked on attaining an International Standard on Data Security in 2011, we have become very familiar with the term “Internal Audit”.
What does this mean?
For us, like many of the customers we serve in the various markets we operate in, it means having one of our own staff become an expert in driving the operation, auditing and following through on the policies and procedures we agree to.
The purpose of this process is not only to ensure you are delivering on your commitment but also to help identify where these processes may be bettered to further improve your business. Having an internal staff member complete this allows for everyone to be involved in making processes better, not just a dictum from management.
Don’t be intimidated
A common mistake some organisations make is viewing an internal audit with fear! I wondered why this might be and the only valid theory I could make work was those Hollywood movies where the “Internal Affairs Department” was the most hated department as they investigated the good guys!
As part of our ISO 27001:2013 we have at least one internal audit a quarter; this is on top of a continuous review of ongoing processes. Before we embark on any new projects we identify if we have considered all potential risks in advance of commencement. In the past, we have been apprehensive purely through fear of failure. However, after a number of audits, we realised that the overall aim of the process was to make us better. So now if we do identify a weakness then our response to it becomes the most important thing. It’s not possible to do business without risk, but if you know the risks you face you can put steps in place to monitor and address them.
How do we ensure we are ready for an internal audit?
Awareness and training should be the first step we take to ensure our processes have a reduced risk. If we can identify risks and how to mitigate these risks, we have achieved the primary goal of the Internal Audit process. Our staff present the greatest risk to our processes as they are the ones implementing them, and therefore we should ensure that they are properly trained to do what is required, including the internal audit function. An organisation chart with the functions and skills required is a simple way of verifying whether staff have the required skill level to complete the duties they are tasked with.
How do we improve?
Well, one way we’ve improved is to increase the training we’ve given to our internal auditor. This will allow us to identify what areas we can improve so that we’ll find our main external audits much easier to address and ensure our business is fit to service the regulated industries we serve.
A lot of our customers, Credit Unions, Livestock Auction markets and medical device companies which are now regulated, frequently aren’t sure what to do or how far to go. Compliance is becoming a significant cost of doing business. In the last twelve months, we in Intuity have experienced a significant rise in compliance-related queries. Our analysis tells us that between 30% and 40% of our time is spent on compliance matters. This is set to increase further with the forthcoming EU directives which will require companies to sign declarations of best practice compliance and data protection. We see this as a good thing as it enables the whole area of Internal Auditing to be better regulated, compliant and of an agreed standard. This leaves little room for error or doubt in either internal or external understanding or perceptions and this can only be good news – right?