4 Steps to Effective Auditing
The serious repercussions of a lack of compliance controls really came to our attention in 2017. With the Grenfell Tower tragedy and a range of misconduct allegations, a wide variety of organisations have been exposed as lacking the controls needed to keep people safe and secure. This equally applied to keeping the organisation itself secure and effectual.
The trend towards tighter compliance controls throughout firms in a range of sectors is gathering pace, partly due to the fallout from the aforementioned but also due to the increased media scrutiny following the banking crisis and MP’s expenses scandal.
A strong quality assurance and auditing culture is one way to identify and avoid potentially hazardous situations when combined with effective risk identification, change management and controls. This article focuses upon auditing, I’ll give you four quick steps you can follow to ensure that the audit is effective.
Step 1 – Define your threats
Make sure you list all the possible threats in your audit area. For example, if you are undertaking a security audit, threats would include:
Loss of equipment
Poor password protection
Following this you can list each “touch point”, i.e. the place in the business where the threat materialises, you are then able to create your audit questions.
Step 2 – Questions
The standard advice we are used to seeing is “It’s important to spend a good amount of time and effort preparing your audit”, whilst very true, I am going to focus upon one particular area of your preparation - the audit questions.
Knowing what you will ask, in advance, allows you to plan how you may ensure that people are telling you the truth. Asking questions in a particular order or asking different people the same questions can, occasionally, catch out anybody who is telling the auditor what they want to hear.
At this point it’s also really worth taking a step back to assess whether the scope of the audit is wide enough to be effective, ask yourself:
“Is there any business area we are not covering which impacts on my audit topic?”
“Does the audit topic cover all relevant risks?”
“Are there risks to the business or people we have not identified and factored into our questions?”
Step 3 – Assess current performance
Here you begin questioning. I’d advise you start with a pre-audit questionnaire where you ask for relevant documentation. This allows you to identify where the organisation has no knowledge of what they should be doing (where they have answered incorrectly), where documentation is missing and it allows you to understand their processes.
Understanding a firms processes is important as your audit should not be solely against compliance standards but also against internal policy / procedures.
Step 4 – Prioritise
Once you have undertaken an initial assessment you can prioritise areas to place your auditing resource, whether this is the highest risk to customers, health or the organisations performance or based on the results of the pre-audit questions.
We have helped numerous firms achieve and maintain authorisation from the Financial Conduct Authority (FCA). The FCA expect that firms maintain a strong cycle of auditing. From our experience, if you follow the above steps you will be in a good place compared to our counterparts within the industry.