4 replies to this topic

[GFW01]

Hi all.

 

I work with a small organisation that uses a qualified external auditor to audit our BRCGS systems on a quarterly basis. At each audit, I sign off the audit schedule beside the auditor's signature to indicate that all sections have been covered adequately. However, this year, we received the following NC against 3.4.2:

 

3.4.2 Internal audits: The external contractor audits all parts of the BRC standard, including the internal audit section -hence, auditing own work.

 

 I reviewed the interpretation notes of the Standard, and stated that I believed that 3.4.2 wasn't asking for the auditor's work to be itself audited, but that internal audits should be conducted by a suitably qualified independent auditor, but got nowhere with this.

 

Members' views would be appreciated on this - as would any recommendations as to what a satisfactory corrective might be for this?

 

Many thanks.

[pHruit]

You're correct in your assessment that 3.4.2 isn't specifically saying that the auditor's work should be audited, although to some extent that is an inevitable consequence of what it is saying - i.e. that no-one should audit their own work (for obvious reasons).

 

This clause is often challenging in a small business as independence from areas is difficult when you have a single person or small team covering a broad remit.

If your external consultant is auditing your whole system, one of the areas they are auditing is the activities covered by section 3.4, but since they are the ones doing the internal audits, 3.4 relates primarily to their own work (in practical application even if not in terms of ownership/authorship of procedures) and thus in this particular area they are effectively auditing their own work. They might be independent of the business, but they are not independent of the audit focus for this particular section.

 

Do you or anyone else in your business have internal auditor training? I'd suggest that this specific part of your audit schedule would ideally be transferred to someone else.

[GFW01]

You're correct in your assessment that 3.4.2 isn't specifically saying that the auditor's work should be audited, although to some extent that is an inevitable consequence of what it is saying - i.e. that no-one should audit their own work (for obvious reasons).

 

Do you or anyone else in your business have internal auditor training? I'd suggest that this specific part of your audit schedule would ideally be transferred to someone else.

 

Thanks pHruit. Yes, we can cover by an employee with appropriate training. Do you think there is any need for this to be elaborate, or simply comment and sign-off against the appropriate point in the checklist? 

[pHruit]

 

Thanks pHruit. Yes, we can cover by an employee with appropriate training. Do you think there is any need for this to be elaborate, or simply comment and sign-off against the appropriate point in the checklist? 

 

Probably not elaborate, but it will need to be reasonably robust if for no other reason than it'll get a lot of scrutiny this year, being part of a corrective action, and again next year as it will come up as part of the standard verification of previous year's NCs.

You may not necessarily need to have it physically done by the time you respond to the auditor with the corrective action details though, so for example something like this could be a pretty solid response:

• Being able to show that you have done internal training initially - e.g. record on training card showing an hour or two going over an introduction to the principles of auditing.
• A defined a plan for the new auditor to shadow the existing internal auditor/consultant on other audits as part of "full" training, to be completed prior to sign-off as being trained.
• External training of some sort. Auditors love an external certificate (pretty much irrespective of whether the training was any good, or more effective than doing it in-house ). Either a confirmed booking for a 1-day course with one of the various training providers, or even a receipt/invoice to show you've paid for an online course to be sat within a defined timeframe should round it out nicely.

 

Doing a "hands on" in-person training will probably teach the recipient more, but online is going to be vastly more practical at the moment I'd think, and the difference in quality can be made up for by the internal training. TBH the last of the three points above would probably suffice, but I'd throw in the other two as they're easy to accomplish, will probably make for a better-trained auditor, and it should theoretically close out the NC more cleanly as the auditor is far less likely to come back needing more info if you give a nice comprehensive response to start with.

[GFW01]

Thank you again, pHruit. Much appreciated.