According to the Institute of Internal Auditors, North America, the mission of an internal audit is “to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”
Management system standards, like those from the International Organization for Standardization (ISO 14001 and ISO 9001), provide guidance. They specify documented schedules for internal audits.
They stress that those audits should occur at planned intervals, but they do not recommend a certain frequency. Nor do they state which processes should have a yearly internal audit.
The reason? Each organization must establish the frequency that is appropriate for the business. Your organization can perform audits monthly, quarterly, twice a year, or once a year.
Here are some factors to consider when designating the frequency of internal compliance audits.
How Complex Are Your Processes?
Most standards do not require an organization to audit all processes every year. But you’ll find that it’s a common practice to do so.
Some organizations schedule their audits over a three-year time period. They do this, even if their management systems are well-established.
In most cases, the complexity of your processes influences your audit and compliance. You need to consider the following factors as they pertain to your organization.
Quarterly or Twice a Year
You should audit high-risk and other crucial processes at least quarterly or twice a year. Your compliance auditor will recommend auditing newly developed processes quarterly.
Audits become less frequent as processes become refined and stable. Likewise, an organization should audit processes quarterly or twice a year if they have a history of deficiencies or “glitches” in the system.
Once a Year or Twice a Year
Low-risk process audits can occur once a year or every other year. Well-established processes fall into the low-risk category if they run well.
Another factor influencing the frequency of auditing is your budget. Regulatory compliance is also an influencing factor, as are your customers’ requirements.
For instance, your company may hold a certification from an industry standards organization. If so, you must conduct an annual internal audit. The audit ensures that you remain in compliance.
Part of your risk-management solutions may include internal audits for quality assurance. For example, you might audit products before you ship them out to clients and customers.
Auditing control measures may include internal auditing of production procedures and products. These audits can occur on a monthly or weekly basis as needed.
Institute a Rational Schedule
When establishing a practical internal audit schedule, organizations need to review several things. They should understand their processes, management systems, and other relevant requirements.
From there, they can set a schedule in place that fits their needs. There is rarely a need to audit every process all at once. It is more practical to spread internal audits throughout the year.
Auditing too much at once is a daunting task that only leads to errors in reporting.
Set Your Own Rules for Internal Compliance Audits
All in all, there are no hard-set rules for how often you should perform an internal compliance audit.
Standards like ISO 14001 and ISO 9001 provide guidance and recommendations. They provide the base from which you build your internal audit schedule.
Sagacent Technologies offers technology management and support, including proactive/preventative maintenance, onsite and offsite data back-ups, network and security audits, mobility solutions, disaster planning and emergency business resumption services. The company serves clients of 10 to 150 employees within the Silicon Valley region.