Conducting internal audits. Internal audits

3. Normative references

ISO 9000:2005 – “Quality management systems. Fundamentals and vocabulary."

ISO 9001:2008 – “Quality management system. Requirements".

ISO 19011:2002 – “Guidelines for the audit of quality and/or environmental management systems.”

4. Terms, abbreviations and symbols

Terms and Definitions:

Audit (verification) is a systematic, independent and documented process of obtaining audit evidence and evaluating it objectively in order to determine the degree of fulfillment of agreed criteria (ISO 9000:2005).

An auditor is a person who has demonstrated the personal qualities and competence required to conduct an audit (ISO 9000:2005).

Group of auditors - one or more auditors conducting the audit with the assistance (if necessary) of technical specialists.

Abbreviations used:

DP – documented procedure

QMS – quality management system

Legend:

Branching/merging process operations

5. Process description

5.1 Fundamentals

The QMS audit at KPMS is carried out with the aim of:

• determine the level of compliance of the QMS with the requirements of the ISO 9001:2008 standard;
• determine the level of compliance of the QMS with the requirements of internal regulatory documents.

The audit can be carried out scheduled (based on the annual audit plan) and unscheduled (based on the order general director).

The frequency of scheduled audits should be at least once every six months.

The quality officer is responsible for organizing audits.

The lead auditor is responsible for conducting audits.

The annual internal audit plan is developed and approved no later than December 20. The annual internal audit plan is developed by the quality officer. When planning internal audits of the QMS, a mandatory audit of each of the departments, each of the processes and each of the requirements of ISO 9001:2008 is provided.

Before the start of each audit, an audit schedule is developed. The schedule is developed one week before the audit date.

To conduct internal audits, a leading auditor, auditors and technical specialists are appointed from among the company's employees. The candidacies of the lead auditor and auditors are determined by the Quality Commissioner. The appointment of the lead auditor and auditors is carried out by order of the General Director for Personnel. The order may indicate the duration of the appointment. If the term is not specified, then the lead auditor (auditors) are considered to be appointed for an indefinite period and lose their status as an auditor only on the basis of an order from the general director to appoint a new lead auditor (auditor) or upon dismissal from the company.

Technical specialists are assigned (if necessary) to each audit upon the recommendation of the lead auditor. The appointment of technical specialists is carried out in an order for the organization to conduct an internal audit.

When drawing up an audit schedule, the distribution of auditors and technical specialists among the objects of inspection should exclude the possibility of them inspecting the units in which auditors and technical specialists work.

Today, the concept of “internal audit” has become widespread in business. Many large enterprises and companies prefer to create their own internal audit services and departments, training their employees. In addition, in the labor market there is a constantly growing demand for specialists who have the relevant knowledge and have an international diploma.

Tasks of internal audit at the enterprise

Internal audit in an enterprise is an activity that is aimed at providing objective and independent advice and guarantees to improve the activities of the enterprise. The purpose of internal audit is to assess risks, find ways to reduce them, and also increase the profitability of business processes.

Auditor consultations include assessing, analyzing and reporting on the productivity and reliability of processes. They are addressed directly to the administration of the organization.

The main tasks of internal audit at the enterprise:

• checking internal control systems to determine the level of efficiency of departments;
• development whole system risk management, analysis of its work, as well as the creation of measures to reduce them;
• control over compliance with corporate governance principles.

The need to introduce internal audit

IN Lately In Russia, there is a focus on separating the functions of management and business ownership. The owners implement one general strategy for the development of the organization and manage the main directions, and, as a rule, hire top managers to solve small and everyday problems. In this case, the enterprise uses a tool to monitor the state of affairs - internal or external audit. It allows owners to receive complete and objective assessment activities of the entire organization.

To implement internal audit in Russian companies influenced no less the federal law“On accounting” dated 06.12.2011. According to Article 19, from the beginning of 2013, absolutely all economic entities must conduct internal control economic activity.

Checklist for internal audit

Controlling accounting and management accounting, as well as other areas of management, should occur in absolutely all enterprises. However, it is important to know about the features of this procedure. All processes must follow each other in an orderly manner. Because it is precisely thanks to compliance with this requirement that many mistakes and problems can be avoided when conducting an audit by regulatory authorities. Filling out a checklist greatly simplifies the process. It is very difficult to exaggerate his role.

What you need to know about the checklist

This document consists of a list of detailed questions regarding the audit being conducted. The checklist does not have a specific format established by law. However, it is necessary to follow some rules when drawing up and filling it out. This is what will reduce the likelihood of problems during the audit process.

In fact, with the help of a checklist, you can solve a fairly large number of issues and tasks not only during the audit, but also during the ongoing activities of the enterprise. This document can be used by various organizations, regulatory agencies and their officials.

Using the checklist you can solve the following problems:

• correctly plan the audit in accordance with legal regulations;
• carry out intermediate and selective control, conduct effective time management;
• ensures that important parts of the audit are not missed;
• is one of the means of memory;
• simplifies auditing;
• with its help, the audit is comprehensive, structured and holistic, etc.

The legislative act that governs the preparation of this document is Federal Law No. 307 of December 30, 2008 “On Auditing Activities”.

An example of a checklist for internal audit can be found.

Internal audit of QMS

QMS - quality management system - one of the parts of the entire company management system, which was created to ensure and control the stability of economic activity, High Quality and minimizing the costs of producing products or providing services.

According to the QMS, the structure of the documentation is as follows:

• quality requirements (quality manual);
• goals and policies in the field of quality of products and services;
• required documented processes;
• regulations of procedures, work instructions;
• quality records.

The audit of quality management systems is not regulated by either federal or international legislation. Therefore, there are no mandatory legislative norms that define the procedure and rules for conducting an audit of quality systems at an enterprise. This is explained by the organization’s voluntary desire to certify quality systems. And all the work that accompanies the construction and implementation of a quality system is also a voluntary initiative.

Consequently, organizations that engage in QMS audits can carry out their activities without additional licenses or other permitting documents. And even more so, these documents are not needed to carry out internal audit. Despite this, there are special rules that govern the conduct of QMS audits. For example, ISO 19011:2011, which is called “Guidelines for auditing management systems.” It can be used for internal and external auditing.

Order on conducting an internal audit

An order to conduct an internal audit is an internal document that is drawn up by the head of the company and establishes:

• dates of the audit;
• a group of internal auditors and specialists responsible for its implementation;
• providing conditions for conducting internal audit;
• control over the audit.

How to become an internal audit specialist

Every day the demand for specialists who are able to carry out internal control of an enterprise is growing. But the requirements for them are also increasing. They must have knowledge in the financial sector, understand internal control and corporate governance, know national and international standards internal audit, as well as understand the specifics of the activities that need to be analyzed.

Online training comes to the rescue of always-busy financial professionals. Online courses allow you to study without interrupting your main activity, at home or at work in convenient, comfortable, familiar conditions. The quality of distance learning is not inferior to, and often exceeds, its face-to-face counterparts, due to the involvement of highly qualified teachers, a modular course system, online tests and much more.

Diplomas and certificates in internal auditing

To obtain a diploma that confirms your qualifications in the field of internal audit, you should choose an international program from a foreign institute. Today, Russian specialists have access to such programs as IPFM, IFA, ICFM and CIA.

International professional standards internal audit (IPA) require the formation of a risk-based internal audit plan, in particular, based on a formalized risk assessment conducted at least once a year.

Canonical approach.

Of course, the canonical approach can be called an approach that is based on an existing risk assessment. There is quite a website on this site where I will show approaches to creating an internal audit work plan for the year.

So, there is a risk register with calculated mathematical expectations of the current and residual risk. You need to start by ranking the risks for internal audit.

The first thing that needs to be determined is which mathematical expectation should be used to rank the risks. My opinion is that you need to rank according to the current one. The logic is roughly as follows: management will always insist that “yes, everything is bad with us now (or, well, everything is good), but in the near future it will get worse (well, or it will become even better).” As practice shows, the near future does not always arrive quickly (after all, the duration human life is insignificant in terms of the time of existence of the universe, and on this scale the near future is 100 years). Therefore, the inspection plan was drawn up based on the current mathematical expectation. But theoretically, I allow a situation where the audit plan is drawn up based on both the mathematical expectation of residual risks and the change in the delta between the mathematical expectation of the current and residual risk. The logic of the latter is to audit the effectiveness of the efforts made by management

When determining labor intensity, there is no need to take into account the speed of decision-making by management. If a particular manager took a break for three weeks due to vacation, the person from the internal audit department needs to be busy with something else. Yes, there are different psychological types, and among internal auditors too. I feel like the more things I have to do, the more I get done. Perhaps this is just my peculiarity: stress helps some people, and hinders others. But resistance to stress seems to be required for all vacancies.

Scheduling.

Some obvious scheduling tips.

Tip #1. If large changes in process curves are planned during the year, it is advisable to schedule the audit for January-February (a clear example from the program above is the audit of the current procurement system).

Tip #2. If management indicated the execution date of March 33, then it is advisable to begin the process execution audit on March 34.

Tip #3. Do not plan business trips for July-August. Of course, excursions in summer are much more interesting than in winter (although for me it’s more comfortable in winter because you don’t get wet with sweat). But tickets and other accommodations are much cheaper in February or November. We are not talking about unscheduled tasks - here, if something is needed, it is needed immediately.

If you find an error, please highlight a piece of text and click Ctrl+Enter.

The need for internal audits has already become commonplace for medium and large organizations. Small companies do not always conduct audits due to the smaller volume of work processes, but for some of them such control could bring a lot of benefits. Read about improving the process, planning and preparation in this article. Here you will also find information about conducting an internal audit at an enterprise, using an example.

Internal audit program and schedule

Planning an inspection is one of the very important stages preparation. At this time, it is necessary to assess the total scope of work, determine the schedule and timing of the audit, draw up a control program, select an appropriate methodology and first identify the most problematic units.

The internal audit program is drawn up together with the plan. Most often, the program has a personal form that takes into account the most important aspects subject to control in a particular company. This document describes all the nuances of the auditor’s activities and includes the following points:

1. The main purpose of conducting an internal audit.
2. Application area.
3. Definitions and abbreviations.
4. Information about additional documents.
5. List of those responsible for the application.
6. Description of the audit process.
7. Schedule and frequency of control checks.
8. Preparation of a detailed audit plan.
9. Preparation of necessary documents.
10. Sequence of information collection.
11. Nuances of preparing final reports.

Order to conduct an internal audit (sample)

Order to conduct internal audit - 1

Order to conduct internal audit - 2

When an internal audit is carried out by a third-party company, an agreement must be added to the order. Only on the basis of this document is it possible to sign a contract for conducting a VA.

The rules and procedure for conducting internal audit are described below.

Conducting an internal audit of the QMS in order to comply with ISO 9001 is shown in this video:

Rules

There are certain international and Russian standards for conducting internal audits. At the same time, it is not legally prohibited to develop your own internal VA rules. The main part of the federal standards concerns the activities of third-party auditors, regulating their work to ensure the quality of the services provided.

At the same time, internal audit standards created by a particular company cannot contradict federal and international rules. Regardless of the level of rules, they are all divided into several blocks. Of these, 3 are mandatory:

1. Block No. 1 reflects the nuances of the organizational and economic activities of auditors.
2. Block No. 2 specifies the responsibilities of auditors, how to obtain audit evidence and the procedure for drawing conclusions.
3. Block No. 3 contains rules for the selection of methods, documentation, and work instructions.

It is important to understand that in order to obtain reliable data from an audit, it is necessary to have an audit structure with clear rules. Only systematized activities according to certain standards can demonstrate clear results.

Step by step steps

At first glance, conducting an internal audit is quite simple. This procedure includes only 3 steps:

1. Preliminary preparation.
2. Collection of audit evidence.
3. Registration of inspection results.

Often these stages are called: preparatory, working and final. Elimination or neglect of any of the stages deprives internal listening of any meaning.

• At the preparation stage, it is necessary to plan and collect the necessary data, documents and various information about the control object.
• The working stage involves the direct application of selected control methods, conducting tests, searching for evidence and documenting the activities carried out.
• At the final stage, the results of the audit are summed up, an analysis of the audit is performed and the preparation of documentation is completed.

Implementation results

• All VA results must be in documented form for subsequent study. Most often, documents mean smaller forms. It indicates not only information about the detected deficiencies, but also proposed ways to eliminate them. Also, the results of the internal audit necessarily reflect potential ways to improve the efficiency of work processes.
• In addition to drawing up reports and other audit documentation, another procedure is necessary. It is important to clarify in advance the criteria for the effectiveness of the work of inspectors and, upon completion of the internal audit, to analyze the quality of the control performed.
• Often these criteria include compliance with the stated inspection time frame, the presence of complete and clear comments on all points studied, and an indication of potential problems in the future. It is also necessary to analyze the activities of auditors for compliance with inspection regulations and correct use various control methods. Another criterion is the availability, completeness and timeliness of providing documentation on the inspection performed.

When conducting an internal audit, a large role is played by its preparation (and don’t forget about!). Without properly carried out preparatory part it is impossible quality work inspectors. There is no unified audit system; each company independently combines control methods, so it is worth paying special attention to the preparation, the audit itself, and the analysis of work efficiency.

Conducting an internal audit of the management system is described in this video: