Audit is a process of obtaining and evaluating data concerning operations and events in the organization to appraise the degree of relationship between claims and established standards, and communicating the issues to interested users. In other words, the aim of an audit is to compare "what should be" (standards, regulations, plans) with "what actually is" (practice).
IAA defines audit as an independent and objective activity connected with consulting, whose main aim is to add value to the company and improve its operations. Audit helps a company achieve its established goals through systematic, consistent action that evaluates and improves the efficiency of risk management, the control system and organization management processes.
Audit is a universal method, used in quality management, financial management, risk management and other areas. Specific rules apply in each area, but the main idea of audit is common to all of them. Therefore, it is possible to combine different areas in one audit (e.g. a joint quality and finance audit). This requires much wider competences from the auditors.
General rules of audit
Regardless of area and type, the following rules apply to every audit:
- Audit is not inspection - the auditor looks for conformance, not defects.
- Audit is not unexpected - an audit should be planned and communicated in advance.
- Audit is cooperation - an audit should be a cooperation between the auditor and the audited party in order to find solutions.
- Audit is an opportunity to improve - if there are no improvement ideas, the audit was only a waste of time.
Types of audit
First party audit (Internal audit)
An internal or first party audit is the situation in which enterprise employees who have the necessary competences audit other employees. In order to keep the assessment independent, auditors cannot audit processes in which they work. To become an internal auditor, an employee has to:
- be appointed for this function by top management,
- have competences (training) necessary in audit.
Rules for first party audit are specified by top management in procedures or other types of documents.
See also: internal audit.
Second party audit (External audit)
An external or second party audit is the situation in which auditors from one company audit another company. This usually happens when a company acting as a (future) customer audits its suppliers. Rules for a second party audit should be specified in an agreement between the enterprises.
Third party audit (Certification audit)
A certification or third party audit is the situation in which an independent organization audits an enterprise in order to confirm that certain requirements (standards, regulations) have been met. Certification may be more convenient than an external audit because:
- Only one audit confirms that requirements are met. There is no need for multiple audits when there are multiple customers.
- No sensitive data is transferred to the customer (e.g. pricing policy, technology).
On the downside, a certification audit is sometimes not as independent as it looks. Due to competition on the certification market, some certification bodies lower their requirements to attract more customers. In the long term this undermines the credibility of the certificate.
Internal audit is described in detail in a separate article.
Concepts using audit
- Management systems
- Financial management
- Risk management
- ISO 19011 - Guidelines for auditing management systems
Author: Slawomir Wawak