Preparation, preparation, preparation

[a]How the checklist is structured

The checklist (and supporting commentary) is divided into three sections - hence the appendix is called ‘preparation, preparation, preparation’:

Before the audit

During the audit

After the audit

[b]Before the audit

  1. Confirm with internal audit manager the requirement for an audit

As a lead auditor, it is essential that the requirement to participate in an audit is confirmed (ideally this will be in writing). You’ll need the audit duration and intensity (i.e. the number of auditor days that have been allocated to the assignment).

If you are providing this service as a consultant or contractor, this confirmation constitutes your work order. Agree budgets and the class of air travel if this is necessary.

If you are being seconded from another department to the audit team, this is the time you’ll be away from your own job and cover for your absence may need to be arranged.

Pursue a work order. Without this, you may not be paid. Another important request at this time is for the draft terms of reference (ToR).

2. Confirm the audit dates

Propose and later confirm the dates for the audit with the nominated individual at the location or process (as per the ToR scope) to be audited. If no specific individual is nominated, the site manager (or similar) is likely to be the auditee. A good way of thinking about the likely auditee if they are not named is to consider them as the manager with the closest responsibility for the scope area.

Confirm the audit dates to the auditee in writing. Add a read receipt if it is sent by email. Mention the intention to make a pre-site audit visit if this is required (see 9 below).

3. Identify / select the audit team members

My personal preference is to select my own audit team members. It allows me to nominate technical competent auditors with experience in the likely scope risks. Sometimes this is possible, sometimes not. Either way, identifying the team composition is very important.

The lead auditor should write to each nominated member of the audit team, welcoming them to the team, briefly describing their involvement, and confirming the dates and duration of the audit.

  1. Develop and send pre-audit requestsfor information and documents needed in advance of audit

About three months in advance of the audit, request the desired information from the auditee. This gives time for follow-up at -2 months (‘this is my second request’) and -1 month (‘this is my third and final request’) if the required items are not received. I have included an example text, showing what may be useful to request in advance in Appendix 3.

Should the pre-audit documentation not be received, you should refer back to the audit sponsor (e.g. the internal audit manager) to advise on the situation. It is possible that the audit may have to be rescheduled.

5. Receipt of pre-audit documentation

When the pre-audit documentation arrives, be sure to read it. Check what you have receivedagainst the list of information you had requested.

What you have received does not have to be perfectly aligned to your request, but it should cover your main requirements. If necessary, follow up with a further request for essential items which have not been received.

6. ‘One month out’ checks

These constitute the ‘final arrangements’. Check (for self and audit team):

Passport(a six-month validity beyond the planned return date is a good standard)

Check that passport will be recognised by the territory to be visited e.g. Israeli immigration stamps invalidate passports proposed for some Arab territories

Necessary entry visas*

Car park reservation

Taxi booked

Flight, train tickets

Directions to your hotel / auditee’s site (SatNav?)

Travelling arrangements (team travelling together or meeting later?)

Immunisations – requirement for anti-malarial medication. Some territories require evidence of inoculations at border control (e.g. Yellow Fever). Contact a physician or GP for specific up-to-date advice

Insect repellent (content of 50%+ DEET is the ideal concentration)

Accommodation for the duration of the stay – the auditee can often recommend suitable, convenient locations, and may also have preferential rates agreed

Business travel insurance

A supply of currency and an ATM-enabled credit card. Carrying a few US dollars has always been a good fall-back, as most (say) taxi drivers will accept it.

Availability of foreign language translators (where needed)

Initial meeting point logistics for auditors

Electrical adaptors for electrical appliances (e.g. laptops)

Enable mobile data and telephones for territory to be visited

Specific training / qualification requirements (e.g. HUET for helicopter / offshore)

PPE (e.g. safety shoes, flame-proof overalls, etc.)

*My own company has tried several visa agencies over the years – some good and some (very) bad. In recent years, we have discovered the best for us has been IJDF Worldwide Visa Services Limited in London. At the time of writing, a good contact is Ivone Ferreira / +44 208 964 3276.

Note that some territories have particularly challenging visa conditions to be met. For example, at the time of writing, Angolan short visit work visas - once issued - require entry into the country within three days (72 hours), and accordingly, flight have to be booked prior to obtaining a visa.

  1. Send draft terms of reference

Send the draft ToR to the auditee approximately one month before the audit is scheduled to commence. This is an ideal way of confirming the final details to the location.

  1. Sort and sharethe pre-audit materials to audit team members

There is no need to send everything to your audit team. Choose wisely, and send copies of the information that is most likely to be helpful to your auditors as they start to prepare for this assignment. Two weeks beforehand in my experience has been the ideal timeframe.

Tip – remember ‘seek, sort, share’.

Impress upon the auditors the importance of being fully prepared in advance of the audit. To do this successfully, they do need to read what you have sent them.

  1. Arrange pre-audit site orientation visit

Within the month before the audit (as discussed in chapter x), it is useful for the lead auditor to make a short orientation visit to the location.

Accept that this pre-audit visit may not be possible if the location is some distance from the home base of the auditors. As an alternative, the auditee may be able to send some photographs of the site, or a tool (such as) Google Earth or Streetview may provide additional information.

10.The day before the audit

Review the organisation’s website for ‘last minute’ news and information. This takes just five minutes or so, and very often provides up-to-date information useful to the audit team.

[b]During the audit

  1. As an auditor

Conduct yourself and the audit as described in this book. Use it as a resource throughout the audit.

  1. Lead auditors retain the principal responsibility for ‘delivering the overall audit service’ with an evidence-basedwritten audit report.

The lead auditor should also take responsible for:

Acting as the principal contact between the auditee and the auditors

For convening and chairing all meetings of the audit team

For being the principal presenter at opening and closing meetings with the auditee and their team. Of course, the lead auditor may also co-opt other presenters as required.

Arranging and conducting nemawasi (‘no surprises’) meetings with the auditee

For scheduling meetings with auditee’s staff, and co-ordinating overall timekeeping

For motivating the audit team – coaching, co-ordinating, encouraging, and maintaining team discipline

To proof read and challenge where necessary all documentation (e.g. working papers / AFWP) produced by the team

For security of data and materials

To ‘decide’ where the team cannot (sometimes this can be as the ‘casting vote’ – the team leader is responsible for the overall audit opinion)

To co-ordinate production of the draft report which is ideally issued prior to the closing presentation

For overall quality assurance of the audit and its deliverables

[b] After the audit

The lead auditor takes the following responsibilities following the conclusion of the on-site work, and after the audit team has dispersed:

  1. Finalise (having received and taken account of any comments from the auditee on the draft report) and submit the final audit report with recommendations to auditee, and others as agreed / required
  1. Gather, index and securely archive / securely destroy (depending upon contractual arrangements and/or professional indemnity insurance requirements) the audit file and working papers
  1. Sendinga letter of thanks (unless this is inappropriate) to the auditee and each member of the audit team
  1. Arrange for charging or invoicing (as required) for the fees and expenses incurred

An excellent lead auditor should also:

Regularly back-up all computer and mobile phone data at a secure, out-of-office location

Identify and participate in continuing professional development activities, and maintain a CPD logbook of developmental training and experience of auditing

Provide one-to-one coaching / support / training to their staff

Be aware of the need for the provision of professional indemnity insurance. We recommend that this is discussed with a licensed insurance broker

Be a member of a recognised auditing organisation (such as the International Register of Certificated Auditors (IRCA)or on an auditor register, such as that maintained by the Institute of Environmental Management and Assessment (IEMA). This latter register was formerly known as the EARA register