Regardless of the size or complexity of any organization, the best practice to adopt in monitoring and measuring compliance is that of conducting internal audits on a regular basis to identify any “variables” as may exist.
Such audits can be done using various criteria – either separately or combined in assessing the organization’s “compliance” status as per requirements. Note compliance in the context of an audit program is not limited to only regulatory or statutory requirements, but can also refer to any internal processes, procedures, or activities as documented by the organization as part of their operating agreements and obligations.
The main advantage of conducting internal audits is that the results provide input to the analysis aspect of business planning and further contribute to the identification of improvement needs and activities and should therefore be an accurate reflection of the current status of adherence to organizational commitments. It is thus imperative that the results of such audits be as accurate and objective as possible with the goal always being to ensure continuous improvement.
One of the pitfalls while conducting internal audits, specific to this being part of an internal process where audits are conducted by an internal resource, is possible “fear” and or concern of the internal auditor as not to “expose” any deviations – and thus having the organization or a Department within the organization “look bad” if there are many non-compliance findings. To mitigate the severity of the consequences of such findings, the internal auditor might overlook or downplay the significance of the finding to achieve a better audit score. This can be easily mitigated by clearly defining the audit criteria and objectives and assuring the auditor that an accurate audit far exceeds the need for a “clean sheet”.
Internal audits should not be done merely as a record-keeping or paper exercise as the value of properly conducted internal audits lies in the identification of potential risks, highlighting areas that require attention in terms of their outputs and or performance against the agreed requirements.
While organizations have the option to conduct internal audits using either internal resources or outsourcing to an external service provider, it remains fundamental that the auditor can confidently conduct the audit without undue bias and or subjectivity, thus allowing the audit results to reflect on the current status as accurately as possible as the main objective of any audit – regardless of scope or resources – should be to realistically indicate the organizational performance against the set criteria.
It is interesting to note the difference in approach to internal vs external or 3rd party audits. Organizations tend to be far more attentive to time and effort in preparation for external audits in comparison to the general attitude and effort shown to that of the internal audit, whereas in practice if managed properly, effective internal audits can significantly contribute to the time and effort spent if the internal audit processes are revered with the same approach as that of 3rd party audits. If the results of the internal audits are indeed efficiently addressed and attended to, this deems in support of external audits and the possible outcomes and results as such.
In general, internal audits prove invaluable if adapted as normative organizational practice as the results thereof can further drive, not only the traditional “measurement against compliance”, but further identify and highlight possible risks and opportunities for improvement.
A low internal audit score/outcome should therefore not be considered a “bad report card” but rather accepted as a positive indicator as to which areas of operations need attention. Furthermore, if internal audits are used in comparison to previous audits, these results can further be used by the organization to determine trends in performance and the significance of such indicators.
As a solution to effectively manage Internal Audits, ARISCU can assist with the compliance management of both statutory and/or regulatory as well as operational compliance with the use of our Audit and Checklist Modules.
The ARISCU Audit Manager module is expertly linked to all legal requirements as per assigned compliance registers with pre-populated audit questions drafted by our team of legal experts, complete with the Audit Exposure Feature which, where applicable indicates the penalties due for non-compliance.
The Checklist Manager is 100% customizable and can be utilized as an audit tool to manage all operational activities in terms of required compliance.
Both these modules are automated in terms of assigning responsible persons, due dates, types, and locations (applied filters allow for easy tracking) with automated compliance scoring and generated reports.
In conclusion, should an organization commit to conducting internal audits at regular intervals, attending to the results, this will not only contribute to organizational transparency and continuous improvement but can also significantly reduce the cost and effort when contracting external Second and even Third Party Audits.
ARISCU has a team of legal experts including admitted Attorneys who are qualified auditors with many years of experience in various industries including Mines should your organization be in need of an external legal audit as well as legal liability and awareness training.
Tania van Staden is the Head of Legal, Ariscu leading a team of Legal & Compliance experts. Contact legal@ariscu.com.