A Guide to Effective Internal Management System Audits: Implementing internal audits as a risk management tool
By Andy Nichols
About this ebook
A Guide to Effective Internal Management System Audits provides a model for the management and implementation of internal audits that moves beyond simple compliance to ISO requirements and turns the internal audit into a transformational tool that the organization can use to assist with the management of risk, and implement improvements to management systems.
This book shows you how you can transform your internal auditing process to become a tool for development and continual improvement in your management systems. Buy it today and start adding value to your internal auditing program.
Andy Nichols
Andrew W Nichols has more than 25 years of experience of management systems, in both the UK and the USA. As a trainer, he has delivered hundreds of ISO9000 related courses to audiences ranging from shop-floor personnel to CEOs of Fortune 500 companies. He has also led and contributed to the development of 'best in class' training courses for a number of international standards. Andy is a regular contributor to the well-known Elsmar Cove internet forum for management systems.
Reviews for A Guide to Effective Internal Management System Audits
5 ratings, 1 review
- Rating: 3 out of 5 stars
the content of the book was good and easy to understand
Book preview
A Guide to Effective Internal Management System Audits - Andy Nichols
A Guide to Effective Internal
Management System Audits
Implementing internal audits as a risk management tool
ANDREW W. NICHOLS
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the reader’s own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at the following address:
IT Governance Publishing
IT Governance Limited
Unit 3, Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely, Cambridgeshire
CB7 4EA
United Kingdom
www.itgovernance.co.uk
© Andrew W. Nichols 2014
The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.
First published in the United Kingdom in 2014
by IT Governance Publishing.
ISBN 978-1-84928-561-2
FOREWORD
The word audit comes from the Latin audītus, meaning the act of hearing. A benign definition, so it is strange that audits are so often viewed negatively. Typically this comes from the spectre of an income tax audit, or of the audits performed by regulatory agencies, which are common in the food, pharmaceutical, and health and safety industries.
Since the early 1960s, it has become more and more common for purchasers to audit their supply chain, sometimes with terrible results! For example, the UK's Ministry of Defence had ordered a maritime patrol and attack aircraft, known as the Nimrod MRA4, from the supplier BAE.
Development started in 1996 and in 2010, the project was canceled at which point it was £789 million over budget and more than nine years late. The UK newspaper, the Financial Times, reported (in January 2011):
Safety tests conducted [in 2010] found there were still ‘several hundred design non-compliances’ with the aircraft. It was unclear, for example, whether its bomb bay doors functioned properly, whether its landing gear worked and, most worryingly, whether its fuel pipe was safe.
At no point did any of the auditors, who were evaluating the various subcontractors, formally report that any problems were being encountered!
Since the early 1990s, a number of international standards have been published that define requirements for management systems, including ISO9001 for the quality management of products, ISO14001 for environmental controls, ISO/TS 16949 for automotive product suppliers, ISO13485 for medical device manufacturers and, more recently, ISO20000 for IT service management and ISO27001 for information security.
The requirements specified in each of the preceding standards describe many topics that are common with – and based on – ISO9001, specifically those that relate to:
management review
corrective action
preventive action
document and records control
internal audits
improvement
In most cases, the requirement for implementing management system internal audits is practically identical to that found in ISO9001.
Originally, ISO9001 (and its precursor, British Standard BS5750) was created to be the basis for agreement on how (product) quality would be systematically assured between customer and supplier organizations. At about the same time in the UK, the use of so-called Third Party Certification became an option for purchasing organizations (typically the UK government-owned utilities and other agencies such as the Ministries of Defence, Public Buildings and Works etc.) to use in place of their own supplier evaluations.
The third-party certification bodies (or registrars in the US), as they have become known, audited subscribing organizations for compliance with the ISO9001 requirements. At about the same time, training organizations started offering courses for people to learn how to perform internal management system audits. Another auditor training course also became popular: the so-called lead auditor course. Based on supplier Quality Assurance auditing techniques, this became the de facto training for certification body auditors, since it formed part of the accreditation criteria developed by the International Register of Certificated Auditors (IRCA). Auditor course accreditation became important in establishing credibility.
The lead auditor course, usually of 36 hours' duration, has become very popular over the past two decades, since it is often perceived as a way to experience and learn how a certification body auditor will perform a certification audit. Attendees are, in many cases, those responsible for leading the implementation of a Quality Management System to meet ISO9001 and achieve certification, or those who have been identified as the internal auditor.
Internal auditor training courses usually cover the basic audit technical content of the lead auditor course, but in a reduced format, over a 16- or 24-hour duration.
Although thousands of people have been trained through attendance at this type of course, what isn’t well understood is that the style of auditing experienced by the attendees is based on external audit principles and techniques, which focus almost exclusively on compliance to the ISO requirements. Many organizations have no benchmark for how internal audits really should be performed and those who experience customers’ quality audits recognize a good deal of similarity.
Unfortunately, much of the training content doesn’t fully address the needs of the organization’s audit program with the result that rarely are the true benefits of effectively managed internal audits fully realized.
This book gives guidance and a model for the management and implementation of internal audits, which moves beyond simple compliance to ISO requirements, dispenses with the typical external audit-based practices (which may be perceived as offering more style than substance) and becomes a transformational tool that the organization can use to assist with the management of risk.
PREFACE
There is a lot of misunderstanding about the role of internal audits in the implementation of a management system. Expectations of internal audits range from confirming simple compliance of activities against documentation at one end of the scale, to identifying improvements at the other.
Furthermore, it is commonly expressed that auditors should be somewhat god-like in their knowledge and understanding