Have you ever received an internal audit report with these types of statements in it?
· Some forms in the files were not completed correctly, for example, not dated.
· The support plans for the clients whose records were audited did not include a review date.
· Incident reports sighted in the timeframe audited did not follow correct documentation protocols.
Poor internal audit reports can have a big impact on your organisation. The examples above will often lead to:
· A memo going out to staff reminding them to date forms.
· A staff member being told to go to the audited client files to put review dates in.
· No action at all.
Internal auditing done this way means that, at best, staff will go back to the files you’ve audited and fix the issues you wrote about in the report. But this does little to add value to an organisation and redirects management focus from bigger picture issues, like how the issues impact on clients, services, and
Having a value-adding internal audit program isn’t just about the reports, it starts back at the planning—the audit scope, objective and criteria. Auditors must then have the right skills to look at issues as part of a process and/or system. Audit reports must ensure that the findings link back to the scope, objective
and criteria, and that conclusions are drawn at a higher level. I find that it is better to document the issue first, list examples, then describe the potential risk or impact.
And, of course, internal audit reports can’t exist by themselves—results must be collated to show management what the current and emerging issues are.
If your organisation would like support to implement an internal audit program, please feel free to contact me.
Thanks for reading,
The Quality Nerd loves all things Quality Management and Internal Audit...too much is never enough!