Internal audit is a tool used by business area organizations as well as public administration sector units. The purpose of the mechanism is to conduct an independent assessment and gather evidence of the achievement of the audit objective in relation to the criteria for its achievement.
Audit is a practice implemented both in management systems based on the requirements of ISO standards and on the basis of legal requirements. Regardless of the basis for conducting the audit, each time it results in a report containing the results of the audit activities performed.
Audit documentation kept in a paper form is a material that is difficult to compare on the scale of the entire organization and in relation to other analysis criteria. The introduction of an IT tool that enables electronic planning and documentation of audits is a solution that streamlines the analysis of collected data and their comparison.
Blue Energy, using its many years of experience in conducting audits in various areas of operation, offers an innovative BPM Audits module, the functionalities of which enable fully electronic development and approval of the audit schedule, the plan for each audit and the audit report.
BPM Audyt module provides comprehensive services in the field of planning and conducting internal audits.
The entire audit cycle, from its initial planning to approval of the report and handling of post-audit activities, is reflected in the system. The software supports the process of conducting audits, both carried out on the basis of criteria resulting from the standards constituting the basis of the management system, as well as operational audits carried out on the basis of internal regulations.
The system includes a mechanism that allows authorized users of the system to create a database of audit questions divided into various categories. Auditors will be able to use this database of questions when planning and implementing audits.
The software allows different parts of one audit (audit tasks) to be performed by different auditors. For this purpose, it is possible to divide the audit into tasks (the audit task is to audit a given area in an organizational unit). The system itself generates audit tasks on the basis of areas and places of the audit indicated by the person defining the audit (from the organizational structure) and on this basis the lead auditor may assign tasks to the auditors participating in the audit when starting the audit.
The system has a functionality that allows you to define audits to be included in the schedule of audits (program) or ad hoc audits (performed outside the schedule).
In the system, it is also possible to plan audits of suppliers (audit of the other party), in which the audited entity is the contractor. In this case, it is necessary to indicate the contractor from the database, which must be completed in the system, and the organizational unit responsible for supervising the contractor.
After the introduction of the above-mentioned data, it is possible to proceed to creating an Audit Schedule (audit program) from all audits defined in the system in the Audits module, which are in the appropriate status, or to start the preparation of an audit notification (without developing an audit schedule).
For each of the audits entered into the system, subsequent tasks related to the planning of its details and plan approval are launched. In the part of the system related to the development of audit details, the lead auditor introduces the agreed audit plan and prepares an audit notification.
After approval of the lead audit plan prepared by the auditor (approval is possible only by a user authorized in the system), it is sent by e-mail to the indicated system users. It is also possible to send an audit notice to users outside of the system.
Until the lead auditor starts the audit process in the system, it is still possible to modify the audit plan and re-distribute it after approval. If the lead auditor starts the audit execution processes, it is not possible to make changes to the audit plan.
After the lead auditor has started the process of carrying out the audit, he assigns tasks to individual auditors included in the study, at the same time the system suggests which improvement actions are in progress in relation to the results of the previous audit in the unit subject to assessment and suggests issues to be examined (if requirements have been specified). resulting from the audit criteria and issues in the BPM Compliance module (link).
On the basis of the lead auditor’s assignment, the auditor conducts an audit in the indicated unit, and then enters the results of the completed task into the system, including defining non-conformities and other observations requiring post-audit activities.
After completing the implementation of all audit tasks to be documented as part of the audit, the Lead Auditor prepares an audit report.
After the audit report has been prepared, the lead auditor can submit it for approval. The approved report in the form of a pdf file generated by the system is sent in the form of an e-mail to the indicated persons. For all defined non-conformities and audit observations, processes related to the planning and implementation of post-audit activities in the BPM module Improving actions (link) are launched.
The audits module also has the functionality of reporting non-compliance or non-audit observations in the system and conducting the assessment of auditors, both by the person responsible for the implementation of audits in the organization and by the audit participants.
The module integrates:
- with the Compliance module (link) – from which, for the indicated audit area and organizational unit, it downloads issues to be examined as audit questions;
- the Document library module (link) – from which it downloads audit criteria for the indicated audit areas and organizational units in the form of names of internal regulations;
- the Improving actions module (link) – in which the actions taken in relation to the audit results (non-conformities and observations / observations) are documented;
- Risk management module (link) giving the possibility of linking identified risks with the audit;
- The Incidents module (link) that enables the incidents identified and reported during the audit to be linked to the audit;
- And many others, on the basis of document connections.
Conducting an assessment of auditors is not a common practice, however, when this mechanism is used in an organization, it is necessary to clearly define the principles of conducting this assessment and the criteria for assessing auditors.
The BPM system, the Audits module enables the assessment of auditors based on self-configured auditor assessment surveys. Configuration of surveys is a functionality provided in the module. All performed assessments are archived in the auditors’ cards. Each of the assessed auditors has access to the results of the conducted assessments in the system and, where possible, may appeal against the performed assessment.
Sometimes, despite the use of electronic document flow and conducting the planning process and documenting audits in electronic form, it is necessary to present an audit plan or report in the form of a printable file. Such an expectation may arise during controls or audits conducted by external entities that do not have access to the system.
The BPM Audits module meets these expectations and archives both the audit plan and the report in pdf form. When necessary, the report can be downloaded, printed or forwarded to appropriate persons, e.g. controlling entities.
A large enterprise in the energy industry, which conducts audits on many levels among its suppliers, has identified difficulties in managing the results of audits and progress in their implementation. The implementation included the use of the BPM Audit module. The goal set for the implementation in the form of electronic supervision of supplier audit results and progress in the implementation of corrective actions was achieved.
A public administration unit that carries out both organizational audits, audits of the management system and internal controls. The results of all these activities are documented in the traditional form. The implementation of the BPM Audits module was aimed at minimizing the amount of documentation generated in the audit and control processes and introducing electronic, easily searchable records of audits and their results as well as the undertaken corrective actions. The goal has been achieved.
An organization that maintains an integrated management system, identifying a problem in supervising the implementation of activities in relation to internal and external audits. The implementation of the BPM module included the use of the workflow for recording inconsistencies and observations from internal and external audits in the system. Moreover, the documentation and supervision of corrective actions taken in relation to them are fully automated. Since the implementation of the system, no situation related to the lack of supervision over the audit results has not been identified.
Related blog articles
Krajowy System Cyberbezpieczeństwa to wymagania dla operatorów usług kluczowych oraz usług cyfrowych. Czym są te wymagania opisane w dość oszczędny sposób w Ustawie? Co mówi sama ustawa o tym jak zapewnić bezpieczeństwo i ciągłość realizacji usług kluczowych?
Częstym problemem organizacji jest zapewnienie efektywnego i gwarantującego właściwą rozliczalność kanału komunikacji wewnętrznej, np. związanej z realizacją praw podmiotów danych, czy zgłaszaniem i obsługą naruszeń ochrony danych osobowych
Ile faktycznie zajmuje identyfikacja i realizacja praw podmiotu danych? Czy nasz rejestr czynności wspiera realizację praw? Czy potrafimy automatyzować procesy realizacji praw podmiotu danych?