3 tips for upskilling your internal auditors (with free resources)

Alex Pavlovic Mon, Dec 10, 2018

ISO 19011, GRC, Internal Auditing

You can't certify to ISO 19011.

But you can think of it as a powerful tool for overhauling and upskilling your internal audit team.

As the ISO standard for internal management system audits, it provides a comprehensive framework of:

  • audit principles
  • programme management
  • competence evaluation

We put together 3 ISO 19011 tips for a stronger, more collaborative audit team. 

 audit team

 

1. Introduce risk

Auditors are sharp, perceptive people.

They're trained to think analytically, delve into processes and explore potential areas of weakness.

ISO 19011:2018 encourages auditors to add an extra layer to their thinking.

The primary difference between the 2011 and 2018 versions of ISO 19011 is the introduction of the risk-based approach as a core auditing principle.

'Risk-based thinking' is now a crucial mindset to instil in your auditing team.

As a phrase, it's vague and sounds like - dare we say it - management speak.

What does it actually mean in practice?

In short: your internal auditors need to constantly link their activities to your company's general risk management framework.

Identifying non-conformances and passing on recommendations for improvement isn't enough anymore.

19011-compliant auditors need to think about how risks and opportunities are:

  • identified and contextualised
  • analysed
  • evaluated
  • treated

... and audit your management systems accordingly.

risk process

That means:

  • Understanding risk management tools and techniques
  • Staying informed about how your board/senior management manage risk
  • Ensuring risk data is accurate and up-to-date
  • Performing targeted audits for each section of the risk management framework
  • Drawing risk-focused conclusions and action plans from each audit

 

 Risk based thinking

Training your audit team to embed risk thinking into their day-to-day work adds a 'bigger picture' to shape work around and encourages a more proactive approach, making them a powerful risk mitigation tool for your business.

 

Want to understand more about risk management? 

Get started with our November 2018 risk management webinar recording.

 

2. Make them demanding

Quality professionals, including auditors, often fall into the 'silo trap'.

Reviewing documents, processes and procedures can be inherently isolating.

But working in isolation from other areas of the business makes driving change and working to broader business goals tricky.

ISO 19011 means audit team leaders are now expected to possess the competence to discuss strategic issues with top management. 

This includes:

  • Sharing how audit programmes align with business goals and strategy
  • Demanding risk information in turn (see tip #1!)

Audits need to be focused on matters that are significant for the auditee and for achieving your audit programme objectives - so 2-way communication outside the team is key.

Demanding information to support your audit programme can be a difficult skill, depending on how hierarchical your business culture is.

ISO 19011 is also a powerful tool to challenge the status quo and encourage change if need be.

A vocal, risk-conscious team capable of expressing opinion and driving change can be the key to a mature and efficient audit programme.

Encourage your team to request and challenge information, not just provide it.

 

Having trouble with communication silos and aligning with your colleagues?

Download our culture of quality toolkit to learn more.

 

3. Empower them

Clause 6.4.7 of ISO 19011 recognises that in the Annex SL world (based on documented information and not documents and records), not all information can be 100% verified.

This introduces the concept of professional judgement, which an auditor now needs to employ to determine the extent to which they can rely on information.

Giving your auditors empowerment to evaluate data independently accomplishes a few things:

  • It boosts their confidence
  • It opens the door to an expanded auditing programme by allowing your auditors to operate their own independent pathways
  • It encourages evidence-based thinking and professional care

ISO 19011's alignment with Annex SL also means management system-specific skill sets are now discouraged.

In the past, an audit team might have incorporated a range of specialised auditors: one strong in ISO 9001, one with a preference for ISO 27001, and so on.

The common Annex SL structure encourages you to empower your auditors with general management system auditing competence, not just strength in a particular standard.

This makes for a more flexible, skilled team - and should your business aim for a new standard in future, your auditors should already have a strong understanding of the groundwork.

 

Need some more info on Annex SL?

Download our Annex SL booklet here.

 

Further resources

Kingsford Consultancy Services MD Richard Green ran a half-hour webinar with us to dive into ISO 19011. 

Access the recording here:

ISO 19011 webinar

Topics: ISO 19011, GRC, Internal Auditing

Share your thoughts on this article