Six Experts on Internal Audit Best Practices

Expert advice on Internal Audit

Most EHS professionals know that an efficient Internal Audit Program can drive profits for an organization. On the flip side, a weak Internal Audit Program can create chaos and tremendous physical and financial loss.

Nimonik’s goal is to spread audit best practices and help organizations stay compliant with their Health, Safety, Environment, and Quality obligations. We believe you can avoid disasters and improve operational efficiency at the same time. To help organizations re-focus their Internal Audit Program, we asked six EHS experts five critical questions. Thank you to Maxime Laliberte, Ashley Lammle, Jean-Marc Leger, Paul MacLean, Maria Hernandez, and Richard DiNitto for taking time out to share their expertise and lessons learned.

Below are some excerpts from our interviews. To learn more, join us for a Free Webinar on Internal Audit Best Practices on March 14, 2017.

1. For most significant risks, should an internal auditor attempt to engineer out the risk or should he/she rely on people to follow procedures and PPE?

Maxime : According to the principle of Hierarchy of Controls, procedures and PPE should always be the last line of defense as the risk is not really reduced. If you wear a harness as a fall protection method, it won’t reduce your chances of falling, it will only reduce the harm caused by the fall. Also, it is additional work to ensure that workers use the PPEs correctly. Risk elimination by investing in well-designed engineering methods is more cost-effective in the long-run than using constant surveillance with PPEs.

Paul : A well-known, overarching principle of risk management may provide a good simple answer to your question. Often called the Hierarchy of Control, and applied most often to health and safety hazards, it sets out the sequence which should be applied in attempting to manage all types of risk. The order is:

  1. Elimination
  2. Substitution
  3. Engineering Controls
  4. Administrative Controls
  5. Personal Protective Equipment (PPE).

2. How many team members and with what skills should be deployed on an audit?

Maxime : Although there are procedures in place that state the minimal number of hours for a certain size of a company, the number of auditors mostly varies with the type and complexity of an industry and the scope of the audit. To conduct a meaningful audit, an auditor or auditing team must have knowledge of the company’s processes and specific control methods for the audited risks, great communication skills and humility. By the latter, I mean that an auditor should not hesitate if something is not clear to him/her as at times people might use the auditor’s weakness to blur certain areas.

Ashley : As a rule of thumb, there should be a minimum of two people in the audit team so that they can work collaboratively to review findings. An ideal audit team would have at least one auditor each with a background in Safety, Environmental Science, and Industrial Hygiene.

Richard : Square feet of floor space of the facility can be used as a starting point to determine the size of the audit team. A small audit team of 2 auditors requires auditors with comprehensive knowledge in both safety and environment compliance as well as management systems. As the size of the team increases, skill sets can be isolated to individuals.

Paul : There is no one answer to this as the number of auditors depends on the geographic extent of the organization and the number of business units. I have led teams of 25 auditors on week-long audits covering EHS and management system elements which generated literally dozens of findings, as well as smaller audits involving only one auditor. Essential skills are knowledge of the industry and its EHS risks, auditing technique and good interpersonal skills. If the auditor is from outside the company, then language would be an important skill as well.

Maria : The size of an audit team depends on the size of an organization, but I would say that 18 is a good number. It is also important to identify beforehand the auditors who would replace any member of the audit team should the need arise.

3. Should internal auditors use external experts on any audits and why?

Maxime : External experts are not always needed, but it doesn’t hurt to have a second pair of eyes on a complex process. Consulting an external expert on a specific question instead of including one in an audit team is also not a bad idea, just like when you want to consult your accountant before changing your investment strategy. Better have their opinion before than their judgement after.

Ashley : Definitely! There is always an opportunity to do this. Not every organization has all the expertise needed for conducting an audit. The external auditors bring a fresh eye approach and outside experience which can prove very valuable to an audit. The external auditor can be from the same company or a consultant.

Jean : Sure. External auditors provide an objective view and eliminate many biases that could be present if the audit team is composed of just internal auditors. 

Paul : If the audit involves technical aspects which require specialized skills then absolutely yes. The audit cannot be considered reliable if the subject matter is not adequately mastered by the audit team.

Maria : Definitely! A few years ago our choices were limited as it was required to allocate extra budget for external advice but these days with social media it is so convenient to reach out to people on a specific issue, and they are more than happy to help. An organization, most of the time, lacks all the expertise needed for an audit so outside help can add great value.

4. What are the attributes of a well-structured internal audit program?

Maxime : A meaningful internal audit should have a well-structured audit process that defines the scope of the audit and lays out a definite plan. In addition, it is essential that the auditors are chosen based on skills and competence alone, and they should be given sufficient autonomy. I have seen too many internal auditors being bullied by management to write softer reports.

Ashley : A well-structured internal audit program should be risk-based. Planning ahead of time, usually 6 to 8 months, is essential. The personnel at the site should be informed much ahead of time about how long the audit would take, what all sites would be audited, and what documents they might need to provide the audit team. An audit should be started with a kick-off meeting between the senior management and the audit team. The senior management should also be kept informed of the daily findings to maintain transparency.

Jean : Planning is the most important parameter of a well-structured program. Most organizations should plan months in advance of an audit which would give them sufficient time to plan pre-audit activities, the audit budget, and the preferred audit team, all of which are crucial to the success of an audit.

Paul : A well-structured internal audit program should follow a well-recognized standard such as ISO 19011: Guidelines for auditing management systems. It is all in there. The advantage of basing it on a standard such as this is that outside observers will immediately recognize the reference. Having said that, if it is truly based on ISO 19011, an internal audit programme should be documented, and it should contain sections which describe: management of the audit programme, performance of the audit during the three phases (pre-audit, on-site audit, post-audit), and qualification of internal auditors.

Richard : Auditors should be well-versed with standards against which the operations are being audited. Scope of the audit should be well-defined. Consistent guidelines should be followed for scoring and evaluating results and all must have a well-documented record of the objective evidence to support the audit findings.

Maria : Auditor competence is the most important part of an audit. Training the auditors is essential, and management should allocate necessary budget for the same. Other than that, a good checklist comes in handy but the checklist should be revised from time to time. Communication among the audit team members is also important.

5. What change do most internal audit programs need?

Maxime : The programs need to be built in the business process not bolted out which is usually the case. Also, organizations should work to eliminate business audits in silos as they create miscommunication and make things unnecessarily complex.

Ashley : Most audit programs are focused on compliance and legislation, but they overlook risk. The change most audit programs need is that audits should also be risk-based. For example, a while back I was working on a project that required the truck drivers to load and unload the truck. They had to climb 6 feet but there were no barricades in place because it was not part of legal compliance. I observed that this was a major gap and suggested to the senior management the need for barricades. The management realized that there had been many injuries in the past and putting barricades was the most effective way to avoid these injuries even if the latter were not part of compliance regulations.

Jean : Most organizations, in a bid to please the shareholders, focus so much on the bottom line that they fail to address other important areas like audits. In fact, successful audits are a great investment and have proven to bring substantial returns to many organizations. When organizations fail to understand the importance of audits, they either delay conducting audits or cut on the resource allocation. The Deepwater Horizon oil spill is just one example of an organization failing to address the importance of audits. Organizations need to plan and allocate sufficient funds to audits to expect returns, and this initiative has to come from the top management of an organization.

Paul : Internal audit programs should be reviewed periodically to see if they are still suitable in light of changing circumstances. A good example is the arrival of ISO 14001:2015 roughly 18 months ago. Internal EMS audits should be using audit protocols that are based on the new standard, and internal auditors should be trained on the new requirements.

Richard : Improvement in the evidentiary documentation of the basis of the audit findings.

Maria : Allocation of sufficient resources for training the auditors as well as to conduct an audit efficiently. Many audits are also not as well planned as they should be so it is important that the management of an organization realises the importance of an audit and prepares for it well in advance.

If you would like to learn more about an ideal Internal Audit Program, then join us for:

A Free Webinar on Internal Audit Best Practices