Determining the scope of the audit is the third step, in our 10 part series on how compliance officers can better manage the growing demands for audits.
The first tip is to get support from the top – if you’d like to read that article click here.
The second tip is setting up the right structure and workflows – if you’d like to read that article click here.
The purpose of this article is to help anyone involved with auditing to create questionnaires that will be effective in determining compliance to requirements.
An efficient audit process relies on both the auditor and auditee being clear on what the audit covers, that is, its scope. This sounds simplistic, but if there is a mismatch between the expectations of the parties, you can expect fireworks, and you will be hard pressed to build an atmosphere of cooperation and trust that makes an audit a positive process for everybody.
There are times of course, when the nature and purpose of an audit is investigative in nature and the scope is necessarily undefined and all-inclusive, but these audits, which may not even be announced, are not what we are writing about here. (Incidentally I have just set the scope of this article!)
By taking the time to identify the scope of the audit, before setting up the questionnaire you’ll be able to provide structure and clarity around the auditing processes helping the individual(s) understand where the audit process will begin and end, what’s expected in between and how much time it will take. This audit scope also assists the auditee to prepare for the audit, gather documents and records, and ensure ahead of time that the right people are available during the audit.
First, the scope of audit should be determined by considering a range of factors including:
- The assessed risk of non-compliance by the auditee or process being audited. High risk areas clearly deserve closer attention and a broader scope to cover all the identified risk factors or red flags;
- The nature of the business operations, and the impact on operations of the audit process. The amount of time practically available for the audit will often determine the scope.
Second, the intended thrust of the audit should be considered:
- Will the audit process be confined to a particular department, covering all activities, processes and records within that department?
- Alternatively, do you need to take random samples (eg orders) and follow each one through the entire process including; order processing, manufacture, warehousing, invoicing and delivery to the end customer to ensure that all actions have been performed according to established procedures?
- A “knowledge test”, where the intent is to test peoples’ knowledge of regulations, systems and procedures, vs a review of all available evidence to verify compliance.
Third, establish which regulations, standards and codes form the basis for the audit. For example, is the purpose of the audit to determine:
- The accuracy of financial transactions.
- That all quality assurance specifications are achieved.
- That all safety aspects have been adhered to in order to assure a safe workplace?
Finally, once these factors have been considered, the scope should be clearly documented, along with the audit methodology.
The scope should be communicated to all parties once the audit is scheduled, as part of the audit notification. This will enable sound preparation and form the foundation for an audit for which everyone is properly prepared.
In this article we have focused on the scope definition and the importance of a clearly defined scope for stakeholders. The scope is also critical to the formulation of audit questions – this aspect is the subject of our next article “How to set up meaningful audit questionnaires and audit checklists”.