ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing

1. Overview

The internal audit is a systematic, independent and documented process to obtain audit evidence (records, statements of facts or other information that is relevant and verifiable) and their objective evaluation  to determine the extent to which audit criteria are fulfilled (overall policies, procedures or requirements).

2. Programming the internal audit

Programming in the field of internal audit, as in any economic field of activity, has little space of time – month, week, day, setting in great detail the actions to be undertaken, means and resources used, deadlines and responsibilities for achieving the annual internal auditplan. Programming has as a result the development of one or more programs in order to manage a unitary concept of available audit resources, achieving a clear understanding of accomplished performance indicators, and to present a true picture of the capabilities available to each audited structure.

Setting the componence of audit teams always respect the principle of balance between the complexity of objectives and available working time , as well as that of ensuring a perfect correspondence between the specialization of each team member and the objectives of audit.

The benefit of involving an outside expert allows the objectivity of the results and the reduction of the involved resources in conducting the audit.

3. Organization of internal audit

Organization of internal audit function involves the immediate combination of human resources and, indirectly, of material, informational and financial resources, on organizational structures and jobs, in order to achieve, in as good conditions, the objectives set.

4. Internal audit: Control evaluation function

Control-evaluation function can be defined as a set of processes by which the performances of the internal audit are measured and compared to the initially set objectives and standards, in order to eliminate deficiencies and the integration of positive objectives.

This function answers the question: which are the results of the work done?

Need for the control activity resulting from the internal audit task complexity, the requirement to combat waste, any form of discipline, the role it has in shaping a positive attitude towards the fulfillment of functional attributions in stimulating the spirit of initiative and professional responsibility.

The managerial checking and review by internal audit is not only “feedback” for the system (past orientation), but also as a “feed-forward”, meaning to prevent irregularities and correct orientation of the company, according to the tasks designed in the planning-programming process.

We believe that in order to have an increased efficiency, control and assessment shall have a continuing character, not limited to the periods ending the internal audit plans and programs.

In order to obtain assurance that the objectives of the audit mission are achieved in terms of quality, there should be planned and performed activities of guidance, supervision and checking on the work of audit teams on mission, throughout its unfolding.

In the modern internal audit, control –  ascertaining evaluation type would be gone, being replaced by an assessment based on the analysis of relationships cause – effect, with an active control, resulted in effective and opportune decisions and actions.

It is very difficult for internal audit to quantify in numbers all the results of his actions and demonstrate that it is profitable, position outside which it risks being perceived as a spectator outside the company to their major concerns.

We appreciate that the obligation to express in figures the results of internal audit is sometimes dangerous „…because it require the auditor to give shots, practice mainly running after nonconformities and scrap, while its role should be primarily preventive”.

The solution lies in a attitude expressed in figures those results that can be reflected (recovered damages, losses avoided, its earnings), but not looking sensational at any cost and results that are important but can not be expressed in figures (pertinence of submitted recommendations , updating of entity risk, highlighting the opportunities identified). In the internal audit field, in recent times is speaking increasingly more about added value created by internal audit. It is an undeniable reality that, by evaluating the management and internal control systems, based on risk analysis, internal audit adds value to the management process by contributing to the increase of its performances.

In the internal evaluations, and in the external ones, is operating with a number of measuring instruments, of which the most important and commonly used are the indicators of activity and quality benchmarking and survey.

Benchmarking “is the use of qualitative and quantitative criteria in order to situate you among the members of the same profession, the same branches”.

The survey is a procedure that aims to gain the beneficiaries of internal audit position in relation to the quality of internal audit function exercise.

It is important to make available to the leader of the audited entity a tool for evaluating the internal audit team. Such a tool can be “Internal audit report“.

5. Methods for carrying out internal audit

The internal audit can be conducted from two points of view:

Self-assessment is the activity by which internal audit is performed by the company which appreciates the efficiency of their activity, strengths and weaknesses, and reserves and solutions to improve it. It has no great relevance because of the massive presence of the subjective factor in making evaluation.

Auditing the audit by external auditors means involving the services of an external audit office to carry out the assessment of internal auditing within the organization. By using this method, there are created favorable conditions for increasing the efficiency of internal audit and extrapolation of the positive experience gained by the external auditors in performing audit of the internal audit from other organizations.

Peer-review means the audit of the internal audit conducted by internal auditors. Thus, a head of internal audit structure of a company is elected and he must iaudit the system of another company, in exchange for consideration. It looks like a kind of exchange of experience through which looking to know and to generalize the positive experience gained in carrying out the internal audit within the two companies. It is recommended for companies within a holding or similar area.

Intervention of some qualified teams outside the organization is the latest achievement in the field and means assessment of the internal audit by teams qualified for this purpose from outside the organization. These teams are created within professional bodies, industry associations, etc.

6. The indicators of the internal audit

The indicators are the most important instrument for assessing the effectiveness of of the internal audit, which are:

–            The degree of realization of annual audit plan– calculated as the ratio between the number of tasks performed and the number of tasks specified in plan. The indicator can be detailed by measuring, in report with the plan, the number of missions in progress, the number of missions delayed or the number of missions not made, but also those made ​​and unexpected;

–            The average of audit missions – measured as the ratio between the number of audit days and number of missions;

–            The share of audit time in total available time – is calculated as the ratio between the number of audit days and number of days worked. It is an important indicator because his pursuit allows the identification of the evolution of time intended for carrying out audit activities compared to the total available work time;

–            The share of time allocated for professional training   – calculated as the number of days of training compared to number of days worked. It measures the evolution of training time allocated to each auditor;

–            The average number of pages of audit reports – is calculated as the ratio between the number of pages of internal audit reports and number of reports. It allows measuring the evolution of the average number of pages of audit reports, from one mission to another. It is extremely dangerous to define what it may mean “appropriate development” or “optimal development”. It is clear that an audit report should contain no more, no fewer pages than are necessary to express clearly, unequivocally assure the audit objectives. There is an unproductive and inefficient conception, in our opinion, according to which the audit report must have a minimum number of pages.

–            The degree of acceptance of recommendations – is calculated as the ratio between the number of recommendations not accepted (rejected) and total number of recommendations made. It expresses the relevance and the degree of appreciation of the recommendations made ​​by representatives of audited entities;

–            The degree of implementation of recommendations – calculated as the ratio between the number of recommendations fully implemented and the number of accepted recommendations. It offers a vision of the quality of the implementation of recommendations, but also on their relevance by observing that althoughsome recommendations were accepted, it is impossible to implement them because this process depends not only by the audited entity. In our opinion the formulation of such recommendations should be avoided;

–            Completeness of audit files – is calculated as the ratio between the number of incomplete audit files and the number of missions. Expresses the quality  of performing the closing stage of audit engagement;

–             Prevented damage – calculated as the ratio between the amount of prevented damage and the certain value of damage. Expresses the evolution of quality of preventive activities undertaken by internal audit;

–            The share of certain damage in total alleged damages – is calculated as the ratio between the amount of certain damages found due to internal audit and the total amount of damages alleged. Expresses the accuracy of calculations and internal audit findings and of recommendations made ​​and the quality process implementation;

–            the degree of implementation of recommendations in audit during deployment – is calculated as the ratio between the number of recommendations implemented during deployment and total accepted audit recommendations;

–            The recoverability rate of the damage during deployment audit – calculated as the ratio between the value of certain damages recovered during deployment of audit and the total alleged damages discovered during the of audit missions;

–            The relative efficiency of internal audit – is calculated as the ratio between the total value of certain damage plus the prevented damage and the total value of the cost of conducting the audit mission. Expresses the economic ‘return on’ the internal audit, respectively degree of covering his expenses. Efficiency is “relative” because it fails to include in figures other important aspects of internal audit quality (the relevance of recommendations, the impact of counseling, updating the geography of risks, risk analysis, etc.).

7. The roles of internal audit

The role of observation of the internal audit is a fundamental and matter most. Internal audit is able to shape the organization’s real situation to determine the appropriate changes that are to be made. This role is not only the simple task of looking around, but requires analysis of phenomena, processes, operations, activities on a critical position, and quantification and interpretation of their performance in terms of legal regulations or existing standards. Being an effective and efficientobserver is the first and most important task of the internal audit from his position as agent of change.

The role of diagnosis is the most burdensome and demanding of all of the internal audit roles. In this role internal audit analyzes collected relevant observations, so they can reach conclusions about the necessary changes to be implemented. To fulfill this role internal audit uses methods, techniques and specific instruments, as well as experience and communication skills of internal auditors in order to formulate solutions and proposals that aim to carry out organizational changes, without being influenced by the desires of managers, or of the employees.

The advisory role objectifies through the work performed by internal audit, designed to create added value and improve the management entity, risk management and internal control, without the internal auditor to assume management responsibilities.

The assurance role of internal audit provides to the management of the entity confidence in the necessity of change. Internal audit provides  conclusions on accurate identifying in needs of change, the correct assessment of priorities in the field, the quality of designing and implementing of changes, and particularly, the level of performance to be achieved, which was reached or will be achieved.

The role of stimulator is the least understood role of internal audit. It can become operational only if all other four roles set out above have been fulfilled to a satisfactory level at least. In the opposite situation, the internal audit can turn into a genuine instrument of resistance to changes, thus preventing the entity to operate efficiently and effective.

8. Responsibilities in conducting internal audit

Leader / manager of the audited entity	1. Presents the main advisors and responsibles. 2. Gives information on specific activities in the period subject to audit. 3. Prepare proposals of objectives, activities and operations to be audited first. 4. Express consent of the date of the “Opening session”.
Head of audit team	5. Introduce the audit team composition. 6. Presents the general objectives of the audit mission; 7. Inform the activities to be performed following the procedure for collecting and processing information; 8. Ask the leader / manager of audited entity, and all those present to make clarifications in terms of its objectives that management of the entity wants to be audited with priority; 9. With the management of audited entity evaluate whether the proposed date through “Notification” to conduct “Opening session” can be complied, setting another date if necessary; 10. Specify the necessary documents to inform auditors; 11. Work spaces  for auditors are established;
Audit team	12. Attend the meeting presentation.

9. In conclusion we can say that:

–            The effectiveness and efficiency of internal audit is the result of a joint action of organization the audit team and the degree of its integration in the entity, coupled with the quality of human factor and their performant management;

–            The efficiency of operational audit can be expressed on one side by numbers (damages recovered, avoided losses, realized gains), but also in other results at least as important: the relevance of recommendations submitted, updating entity risk, highlighting identified opportunities and improvement of the internal control;

–            Audit structure, in general, generates performance and efficiency to the extent that brings new elements of good practice, formulates and promotes relevant proposals to improve the organizational framework that are agreed and implemented;

–            The internal audit is a proven tool to change mentalities of management and employee from entities.