A Guide to Effective Internal Management System Audits: Implementing internal audits as a risk management tool
By Andy Nichols
3/5
()
About this ebook
A Guide to Effective Internal Management System Audits provides a model for the management and implementation of internal audits that moves beyond simple compliance to ISO requirements and turns the internal audit into a transformational tool that the organization can use to assist with the management of risk, and implement improvements to management systems.
This book shows you how you can transform your internal auditing process to become a tool for development and continual improvement in your management systems. Buy it today and start adding value to your internal auditing program.
Andy Nichols
Andrew W Nichols has more than 25 years of experience of management systems, in both the UK and the USA. As a trainer, he has delivered hundreds of ISO9000 related courses to audiences ranging from shop-floor personnel to CEOs of Fortune 500 companies. He has also led and contributed to the development of 'best in class' training courses for a number of international standards. Andy is a regular contributor to the well-known Elsmar Cove internet forum for management systems.
Read more from Andy Nichols
Implementing ISO 9001:2015 – A practical guide to busting myths surrounding quality management systems Rating: 0 out of 5 stars0 ratingsExploding the Myths Surrounding ISO9000: A practical implementation guide Rating: 0 out of 5 stars0 ratings
Related to A Guide to Effective Internal Management System Audits
Related ebooks
Lean Auditing: Driving Added Value and Efficiency in Internal Audit Rating: 5 out of 5 stars5/5The Executive’S Guide to Internal Auditing Rating: 0 out of 5 stars0 ratingsAuditing Essentials Rating: 3 out of 5 stars3/5How to Audit the Process-Based QMS Rating: 5 out of 5 stars5/5Iso 9001 Audit Trail: A Practical Guide to Process Auditing Following an Audit Trail Rating: 5 out of 5 stars5/5Agile Governance and Audit: An overview for auditors and agile teams Rating: 5 out of 5 stars5/5Financial Audit A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsISO 9001:2015 Audit Guide and Checklist Rating: 4 out of 5 stars4/5Auditing Beyond Compliance: Using the Portable Universal Quality Lean Audit Model Rating: 0 out of 5 stars0 ratingsThe Internal Auditing Pocket Guide: Preparing, Performing, Reporting and Follow-up Rating: 0 out of 5 stars0 ratingsQuality Management Iso9001:2015 Changes: A Guide to Implementation Rating: 5 out of 5 stars5/5ISO22301: A Pocket Guide Rating: 4 out of 5 stars4/5Auditing Information Systems and Controls: The Only Thing Worse Than No Control Is the Illusion of Control Rating: 0 out of 5 stars0 ratingsIS Auditor - Process of Auditing: Information Systems Auditor, #1 Rating: 0 out of 5 stars0 ratingsInformation Systems Auditing: The IS Audit Follow-up Process Rating: 2 out of 5 stars2/5IATF 16949:2016 Audit Guide and Checklist 2nd Edition Rating: 5 out of 5 stars5/5Hardening by Auditing: A Handbook for Measurably and Immediately Improving the Security Management of Any Organization Rating: 0 out of 5 stars0 ratingsCOSO Internal Control Integrated Framework A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsGuide to Audit Data Analytics Rating: 0 out of 5 stars0 ratingsISO 9001:2015: A Pocket Guide Rating: 4 out of 5 stars4/5Fundamentals of Assurance for Lean Projects Rating: 0 out of 5 stars0 ratingsISO 9001: A Pocket Guide Rating: 3 out of 5 stars3/5Health Safety Management Systems A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsISO 22301: 2019 - An introduction to a business continuity management system (BCMS) Rating: 4 out of 5 stars4/5Information Systems Auditing: The IS Audit Reporting Process Rating: 5 out of 5 stars5/5Risk based internal audit A Complete Guide Rating: 0 out of 5 stars0 ratingsRisk-Based Internal Audit Rating: 5 out of 5 stars5/5Internal audit Third Edition Rating: 0 out of 5 stars0 ratingsA Step By Step Guide: How to Perform Risk Based Internal Auditing for Internal Audit Beginners Rating: 4 out of 5 stars4/5
Business For You
Crucial Conversations Tools for Talking When Stakes Are High, Second Edition Rating: 4 out of 5 stars4/5Becoming Bulletproof: Protect Yourself, Read People, Influence Situations, and Live Fearlessly Rating: 4 out of 5 stars4/5Crucial Conversations: Tools for Talking When Stakes are High, Third Edition Rating: 4 out of 5 stars4/5Summary of J.L. Collins's The Simple Path to Wealth Rating: 5 out of 5 stars5/5Law of Connection: Lesson 10 from The 21 Irrefutable Laws of Leadership Rating: 4 out of 5 stars4/5The Intelligent Investor, Rev. Ed: The Definitive Book on Value Investing Rating: 4 out of 5 stars4/5Your Next Five Moves: Master the Art of Business Strategy Rating: 5 out of 5 stars5/5Set for Life: An All-Out Approach to Early Financial Freedom Rating: 4 out of 5 stars4/5Just Listen: Discover the Secret to Getting Through to Absolutely Anyone Rating: 4 out of 5 stars4/5Lying Rating: 4 out of 5 stars4/5The Richest Man in Babylon: The most inspiring book on wealth ever written Rating: 5 out of 5 stars5/5Nickel and Dimed: On (Not) Getting By in America Rating: 4 out of 5 stars4/5Collaborating with the Enemy: How to Work with People You Don’t Agree with or Like or Trust Rating: 4 out of 5 stars4/5Leadership and Self-Deception: Getting out of the Box Rating: 4 out of 5 stars4/5Capitalism and Freedom Rating: 4 out of 5 stars4/5The Five Dysfunctions of a Team: A Leadership Fable, 20th Anniversary Edition Rating: 4 out of 5 stars4/5Tools Of Titans: The Tactics, Routines, and Habits of Billionaires, Icons, and World-Class Performers Rating: 4 out of 5 stars4/5Carol Dweck's Mindset The New Psychology of Success: Summary and Analysis Rating: 4 out of 5 stars4/5The Catalyst: How to Change Anyone's Mind Rating: 4 out of 5 stars4/5High Conflict: Why We Get Trapped and How We Get Out Rating: 4 out of 5 stars4/5Buy, Rehab, Rent, Refinance, Repeat: The BRRRR Rental Property Investment Strategy Made Simple Rating: 5 out of 5 stars5/5Grant Writing For Dummies Rating: 5 out of 5 stars5/5How to Get Ideas Rating: 5 out of 5 stars5/5Confessions of an Economic Hit Man, 3rd Edition Rating: 5 out of 5 stars5/5Summary of Eve Rodsky's Fair Play Rating: 2 out of 5 stars2/5Financial Words You Should Know: Over 1,000 Essential Investment, Accounting, Real Estate, and Tax Words Rating: 4 out of 5 stars4/5The Book of Beautiful Questions: The Powerful Questions That Will Help You Decide, Create, Connect, and Lead Rating: 4 out of 5 stars4/5
Reviews for A Guide to Effective Internal Management System Audits
5 ratings1 review
- Rating: 3 out of 5 stars3/5
the content of the book was good and easy to understand
Book preview
A Guide to Effective Internal Management System Audits - Andy Nichols
A Guide to Effective Internal
Management System Audits
Implementing internal audits as a risk management tool
A Guide to Effective
Internal Management
System Audits
Implementing internal audits
as a risk management tool
ANDREW W. NICHOLS
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the reader’s own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at the following address:
IT Governance Publishing
IT Governance Limited
Unit 3, Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely, Cambridgeshire
CB7 4EA
United Kingdom
www.itgovernance.co.uk
© Andrew W. Nichols 2014
The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.
First published in the United Kingdom in 2014
by IT Governance Publishing.
ISBN 978-1-84928-561-2
FOREWORD
The word audit
comes from the Latin audītus meaning the act of hearing. A benign definition, so it’s strange then, that the idea of an audit is often viewed negatively by people. Typically, this comes from the spectre of an income tax audit or those performed by a regulatory agency, which is common in the food, pharmaceutical, and health and safety industries.
Since the early 1960s, it has become more and more common for purchasers to audit their supply chain, sometimes with terrible results! For example, the UK’s Ministry of Defence had ordered a maritime attack and patrol aircraft from the supplier BAE, known as the Nimrod MRA4.
Development started in 1996 and in 2010, the project was canceled at which point it was £789 million over budget and more than nine years late. The UK newspaper, the Financial Times, reported (in January 2011):
Safety tests conducted [in 2010] found there were still ‘several hundred design non-compliances’ with the aircraft. It was unclear, for example, whether its bomb bay doors functioned properly, whether its landing gear worked and, most worryingly, whether its fuel pipe was safe.
At no point did any of the auditors, who were evaluating the various subcontractors, formally report that any problems were being encountered!
Since the early 1990s, a number of international standards have been published that define requirements for management systems, including ISO9001 for the quality management of products, ISO14001 for environmental controls, ISO/TS 16949 for automotive product suppliers, ISO13485 for medical device manufacturers, and, more recently, ISO20000 for information services and ISO27001 for information security.
The requirements specified in each of the preceding standards describe many topics that are common with – and based on – ISO9001, specifically those that relate to:
management review
corrective action
preventive action
document and records control
internal audits
improvement
In most cases, the requirement for implementing management system internal audits is practically identical to that found in ISO9001.
Originally, ISO9001 (and its precursor, British Standard BS5750) was created to be the basis for agreement on how (product) quality would be systematically assured between customer and supplier organizations. At about the same time in the UK, the use of so-called Third Party Certification
became an option for purchasing organizations (typically the UK government-owned utilities and other agencies like the Ministries of Defence, Public Buildings and Works etc.) to use, in place of their own supplier evaluations.
The third-party certification bodies (or registrars
in the US), as they have become known, audited subscribing organizations for compliance to the ISO9001 requirements. At about the same time, training organizations started offering training courses for people to learn how to perform internal management systems audits. Furthermore, another auditor training course also became popular, the so-called lead auditor
course. Based on supplier Quality Assurance auditing techniques, this became the de facto training for certification body auditors, since it formed part of the accreditation criteria developed by the International Register of Certificate Auditors (IRCA). Auditor course accreditation became important in establishing credibility.
The lead auditor course, usually of 36 h duration, has become very popular over the past two decades, since it is often perceived as being a way to experience and learn how a certification body auditor will perform a certification audit. Attendees are, in many cases, those responsible for leading the implementation of a Quality Management System to meet ISO9001 to achieve certification or who have been identified as the internal auditor.
Internal auditor training courses usually cover the basic audit technical content of the Lead Auditor course, but in a reduced format, over a 16 or 24-h duration.
Although thousands of people have been trained through attendance at this type of course, what isn’t well understood is that the style of auditing experienced by the attendees is based on external audit principles and techniques, which focus almost exclusively on compliance to the ISO requirements. Many organizations have no benchmark for how internal audits really should be performed and those who experience customers’ quality audits recognize a good deal of similarity.
Unfortunately, much of the training content doesn’t fully address the needs of the organization’s audit program with the result that rarely are the true benefits of effectively managed internal audits fully realized.
This book gives guidance and a model for the management and implementation of internal audits, which moves beyond simple compliance to ISO requirements, dispenses with the typical external audit-based practices – which may be perceived as offering more style than substance
– and becomes a transformational tool that the organization can use to assist with the management of risk.
PREFACE
There is a lot of misunderstanding about the role of internal audits in the implementation of a management system. The range of expectations of internal audits ranges from confirming simple compliance of activities compared with documentation at one end of the scale, to that of identifying improvements at the opposite end.
Furthermore, it is commonly expressed that auditors should be somewhat god-like in their knowledge and understanding