NZ Transport Agency Waka Kotahi logo

How to do an internal audit

Initiation and planning

The customer of the audit is the person (or group) who agrees to the audit purpose and scope, and who’ll be given the audit results. They have responsibility for making sure remedies are put in place for any issues found. The customer might be the business owner or board or, for small audits, a manager.

First establish what you’re trying to achieve. Examples include:

  • verifying that your organisation continues to meet specified requirements
  • evaluating your organisation against system standards
  • verifying that your organisation is fully compliant with safety legislation.

Once you’ve done this you can start planning your audit, which includes:

  • selecting the specific activities to be audited
  • selecting the audit type (procedures or high-level processes)
  • selecting the dates, auditors, and areas of the business to audit
  • creating an audit timetable and schedule.

You should also set an audit frequency that suits your organisation, meets required standards and is based on the safety risk of the areas being audited.

Performance analysis

When you review the finding and recommendations of the audit, confirm whether they’re:

  • against a company procedure or policy (non-compliance finding)
  • against legislation or a regulation (non-compliance finding)
  • against a safety standard or are a safety concern
  • an area for improvement.

Ask, what the risk is to the business if nothing is done?

Each finding or recommendation needs to have its cause identified, which can be done by asking:

  • why was the observation made?
  • where was the failure in the system?

Note: latent conditions within a system can cause system defects. They need to be investigated so the auditor can set realistic and effective corrective or preventive actions.

Once the cause of a finding or recommendation is established, you should assign an action to address it. These actions should:

  • describe and classify the finding
  • reference the finding to the most applicable requirement (eg the standard, policy, etc)
  • describe the agreed corrective action
  • specify the agreed implementation date
  • specify the agreed follow-up action.

Preparation

Scope

Preparing well is important for a successful audit. You’ll first need to select the auditor – ideally someone who has completed an auditing course. This person must be independent of the areas being audited, that is, doesn’t work in the area.

You or the auditor will then need to confirm and document the scope, which will be based on initial planning. This involves:

  • identifying the processes and/or procedures to be audited
  • identifying the documents to be used
  • identifying the people, equipment, information and materials required, and
  • determining the process relationships with other stakeholders.

Note: the scope should include a review of the safety processes and procedures included in the organisation’s safety case and safety system.

The number of activities covered by a documented system is often too large to cover in a single audit, limit your audits to a relatively small sample of an operation. It’s helpful to include processes that address the following areas:

  • routine activities
  • non-routine activities
  • methods of dealing with problems in activities.

You can also do spot checks on items that have been inspected or tested by the auditee.

Documentation review

Only by reviewing the documentation can an auditor decide how to progress the audit and develop the questions they need to ask.

Documents you should review to understand what needs to be done include:

  • manuals
  • work instructions
  • hazard and risk registers
  • policies (eg drug and alcohol)
  • relevant regulations and/or legislation
  • safety cases.

Other supporting documents you should review include:

  • previous audit reports (including previous assessments undertaken by your organisation and NZ Transport Agency Waka Kotahi Safety Assessments)
  • follow up reports
  • inspection records (For example, eg maintenance schedules and reports, training registers, pre-start checks)
  • failure, accident or defect reports.

Performing a desktop review of the documentation prior to the site visit will save a lot of time and effort during the audit. Familiarising yourself with the documents will enable you to ensure they comply.

Questions and checklists

Checklists are one way to ensure that the audit will be performed according to your specified audit objectives.

Note: a checklist is an aid to an internal audit. Internal audits are not a tick box checklist exercise.

Checklist benefits:

  • provide a guide for the auditor
  • provides objective evidence of the task working
  • used to collect notes during the audit.

Care should be taken to only include questions that address the purpose and scope of the audit. Each question should be based on a documented requirement of the system.

Performance review (on-site)

A good audit will start with an opening meeting, which:

  • outlines the objectives of the audit
  • confirms the interviews that will take place
  • confirms the areas that are being audited
  • outlines the audit timetable
  • clarifies any problems or conditions relating to the audit, and
  • explains what will be done with the findings.

When you move on to the examination of the system, ensure you:

  • follow your plan
  • interview key staff
  • examine evidence
  • follow natural leads
  • make sure you take notes and record evidence.

Inspection is a big part of an internal audit. This is when you look at results to ensure compliance is happening and that a system is reliable. The result of inspection should be confirmation of compliance and objective evidence to support any identified non-compliance.

There are two main methods to get objective evidence:

  • reviewing documents, reports, records, item numbers and equipment details, and
  • observing how work is done in the workplace.

The way you do interviews during an audit can directly influence its success. Some helpful interview techniques include:

  • being courteous
  • asking the interviewee to explain what they do
  • making sure that if others are attending the interview, that person doesn’t answer questions on the interviewee’s behalf
  • listening for responses
  • validating – asking can you show me?
  • ensuring you and the interviewee both understand what you have observed – summarise their responses
  • asking open questions – who, how, why, what happens when etc.

Lastly, keeping control of the audit. Good ways to keep control are:

  • keeping to schedule
  • preventing distractions
  • not becoming argumentative
  • not becoming bogged down with trivia.

Reporting

It is important your audit findings make references to objective evidence. This means for each one you should state:

  • the observation made
  • the cause, and
  • the required action.

The finding should also include:

  • a due date for the completion of the action
  • reference to the standard not being met – procedure, work instruction
  • who’s assigned the action to complete
  • the importance of the finding
  • facts and comments which substantiate the existence of the finding
  • the location of where the finding was observed.

When writing the audit report, the findings must be clearly documented and should provide a clear description of the events that were witnessed during the audit. It should also:

  • be uniquely identifiable
  • restate the audit scope and objective
  • identify the criteria against which the audit was conducted
  • list key personal, dates and locations
  • detail any follow-up intentions, and
  • state the overall outcomes and overall compliance of the audit.

You should write your audit report with your audience in mind, accounting for their technical understanding, authority and responsibility. For example, a report for a manager could be a lot more technical than one for a board, but would need to recognise the limits of their authority to remedy issues that may have a root cause elsewhere in the business.

Follow up

Corrective action, required because of performing an audit, must be followed up and closed out.

The follow up phase of an audit is where the auditor monitors the closing of the actions. This includes ensuring accountability for completing the actions lies with appropriate management. It’s important the auditor accepts or rejects all actions taken to address the findings. For example, whether the action taken was appropriate to address the finding and stop any repeat findings in the future.

Traffic and travel information
Driver licences
Vehicles
Roads and rail
Commercial driving
Safety
Walking, cycling and public transport
Planning and investment