Internal auditing MANAGEMENT SYSTEM. Page: 1/11

Transcription

1 Page: 1/11 MANAGEMENT SYSTEM Date: Type of document: Strategy/Routine Process: Management process Document number: 42 Version: 3 Author(s): Anna Norstedt Department: Staff of the Director General Approved: Ann-Louise Eksborg Internal auditing Introduction Internal audits of the operation and management system are performed as assigned by the Director General in accordance with an established audit programme. Audits are performed for the purpose of monitoring the operation at all levels, verifying the Authority s fulfilment of external and internal requirements, verifying that the key values are realised in practice and investigating whether application of the management system is fit for purpose and effective. Audits are to provide significant decision-making input to the Authority s senior management and other parties in charge of particular areas or processes while also providing impetus to development work. This document defines the orientation and describes the routine for performance of internal auditing at the Authority. Aim The foremost aim of the internal auditing is to verify that the management system is working as intended: that the approaches to work lead to the desired results and that everyone works in compliance with decisions taken. Another aim of audits is to identify deviations and measures for improvement. They contribute with input for development and adaptation of the work based on the principle of continual improvements. Responsibility Internal auditors perform work as assigned by the Director General. In turn, the Director General has delegated management of audits to the DG staff by appointing the head of DG staff as the senior management s representative.

2 Internal auditing Page: 2/11 The senior coordinator has the task of coordinating the internal auditors work as directed by the head of staff. The senior coordinator also conducts follow-ups and checks overall development of the operation and the management system on the basis of work performance and audit results. Internal auditors are appointed by the Director General as proposed by the heads of departments. One to three internal auditors from each department are nominated. Departments K, R and S nominate three internal auditors, Department I, the DG staff and the Administration Department nominate two auditors, and the Communication Department nominates one auditor. These nominations help the DG staff to propose appointments based on a holistic perspective in terms of experience, professional skills and needs. Internal auditors are appointed for one year terms. The DG staff are responsible for coordination of internal auditing work by being in charge of developing an audit plan and giving assignments to the auditors. Competence Auditors must be familiar with the following areas: external requirements which are imposed on and that must be considered by SSM (the Authority s assignments, enactments and other official requirements, and standards such as ISO 9001, 14001, 27001, and IAEA GS-R-3, etc.) activities and development of the internal management process (rules of procedure, decision-making procedure, management process, document governance, etc.) the management system: structure, process interaction, process management and applications SSM s overall documentation (steering documents, records, reporting, etc.) SSM s steering documents, objectives, operating plan and results achieved An auditor should have the capability to: have a holistic perspective conduct in-depth analyses of details see links and effects in governance and management systems develop and pursue audit strategies develop efficient forms of work for audits An internal auditor should have an interest in: studies and analyses the perspectives of interested parties and the surrounding world concentrated efforts

3 Internal auditing Page: 3/11 active contribution to the further development of the Authority s management system making internal audits a proactive tool for improvement An auditor is expected to act: with integrity and openness with a focus on objectives independently communicatively An auditor must: have training in audit methods; a minimum of a two-day basic course have been employed by the Authority for more than one year, preferably with experience from inspections or other similar work activity An audit leader must also: have taken a minimum of a one-day continuing course in auditing have been employed by the Authority for more than two years have independently performed at least three complete audits Audit programmes Audits follow a rolling three-year programme for systematic analyses of the entire operation and management system. The three-year programme is drawn up by the DG staff in consultation with the internal auditors and is approved by the Director General. The programme is set up for audits of the following: management of the operation as well as how this is communicated in the organisation familiarity and compliance with legislation and other requirements professional development being undertaken regularly to ensure competence and awareness compliance with the management system, that is, the operation s internal requirements, policies, processes, strategy documents and routines whether improvement initiatives are prioritised and pursued as well as whether the expected effects are achieved whether deviations are identified and corrective and preventive measures are taken whether the results of environmental, quality and work environment efforts are visible and how they have an impact on meeting objectives Each year in conjunction with operational planning, the senior coordinator draws up a proposed programme for the coming year. This proposal is based on the three-year audit programme and is drawn up with the assistance of the internal auditors. The proposal is to describe the audits to be performed and

4 Internal auditing Page: 4/11 their extent, objectives and the planned period of time for each audit. Operational follow-ups and decisions of the senior management serve as the basis of possible adjustments to the yearly programme. After the proposal is referred for consideration, the Director General approves the yearly programme. The three-year audit programme is reviewed annually on the basis of objectives met, appropriation directions, etc., as well as the effects of and expectations placed on internal audits. In the third year, a new threeyear programme is drawn up in connection with operational planning. Comprehensive audit routine During the period January to February, a planning day is held with the relevant DG staff and all internal auditors, during which an audit plan is drawn up for the first six-month period. This audit plan describes: the audits to be performed during the period and each audit s objectives and aim the auditors who will participate in the respective audit the audit leader appointed for the respective audit Subsequently, the audit leader will, together with the other auditors appointed, plan the audits in collaboration with their supervisors and those who are in charge of the operation to be audited. The DG staff s senior coordinator is to be kept continually informed about progress in the respective audit activity. A second planning day is held during the period August to September. Here, the results of audits performed are evaluated and new audits are planned as described above. The DG staff are responsible for organising the planning days. Audit activities Internal auditing has five components: initiate, prepare, perform, report and evaluate. Initiate Internal auditing is performed by a team of two or three auditors. One auditor is appointed the audit leader for the audit in question. This responsibility encompasses planning, performing and documenting the audits and their reporting to the DG staff. The auditor may not audit an operation or process in which he or she is normally involved or dependent on.

5 Internal auditing Page: 5/11 The team to perform an audit must use the audit programme s objectives to define the planned audit s objectives, extent and criteria. Relevant documents, such as steering documents and records, are requested on the basis of these items. The audit leader will propose a point in time for the audit and make the necessary practical arrangements for this audit. Prepare The audit team produces a detailed plan (see Appendix 1) covering: the objectives of the audit audit criteria and possibly relevant reference documents the extent of the audit dates, periods and locations for audit activities roles and responsibilities for the various members of the audit team The detailed audit plan is to be reviewed and approved by the senior management s representative (the head of staff) and presented on the intranet. The plan must also be entered in Sinus, the planning and follow-up application. Prior to the audit, the audit team allocates tasks between the members and prepares checklists, sampling plans, questions and standard forms. The documentation requested is to be reviewed to check how the management system, as it is described, corresponds to the audit criteria. Reviews shall take the objectives and extent of the audit into consideration. Perform The main elements of the audit are to be presented to the relevant parties by means of an opening meeting or some other relevant format. Audits are performed through interviews, observations and reviews of documentation. Information relevant to the objectives, extent and criteria of the audit is compiled and verified. Only verifiable information may be used as a basis for the audit evidence. The audit evidence is to be based on random samples of the information that is available. Strengths, weaknesses and deviations will be noted and positive observations and good examples will be highlighted and own comments of the operation audited will be taken into consideration. All these factors will serve as the basis of the team s audit conclusions. The following concepts are to be used to help when assessing the information verified; see Appendix 2 for a deviation report.

6 Internal auditing Page: 6/11 Concept Definition Examples Deviation When an established requirement (enactment, standard, routine, etc.) is not fulfilled. Major: An element of a system is missing, e.g. an emergency response plan. Minor: Lack of knowledge, error of significance in the Observation A deficiency that can lead to a larger problem or deviation. documentation. A reference in a steering document to a document that does not exist. The audit is finished by providing information (for example in the form of a final meeting) to the relevant parties/interested parties where a preliminary (verbal) report is given as to what has been noted. Report The audit leader produces a summarised audit memorandum based on the detailed audit plan drawn up previously. The memorandum must contain the information described in Appendix 3. The audit memorandum is to provide complete, correct, brief and clear documentation covering the audit performed and its results. When the memorandum has been completed, it is provided to senior management, the relevant operations, the quality manager and the senior coordinator. Evaluate Audits are evaluated regularly by the audit team. Proposed changes to the audit programme, in addition to improvements to the auditing process and initiatives for continuing training, are suggested and implemented. Follow-ups Before operational planning, an annual summary assessment is to be made regarding internal auditing. The senior coordinator compiles a report and the head of staff/senior coordinator presents the assessment to the senior management. The results form part of the analysis of the results achieved by the operation, the effects and the achievement of objectives. Deviations and proposed improvements arising during an audit are coordinated by the audit leader in accordance with the routine for dealing with deviations, incidents, corrective action and improvements (No. 72). The

7 Internal auditing Page: 7/11 relevant supervisor or process manager in charge describes the cause of the deviation/observation, takes decisions on measures or improvements and is responsible for ensuring that they are implemented and documented in the Sinus application. The audit leader monitors the measures and improvements and the senior coordinator removes the deviation in consultation with the audit leader. Assessments of auditors and audit leaders are conducted by following the routines of the audit programme. Assessments are conducted in the following situations: when persons want to be auditors when audit teams are set up when there is a need to maintain and improve the auditors level of knowledge and skills Documentation Audits are documented in the Sinus application. This documentation is to cover: audit plans audit memoranda deviation reports reports covering corrective and preventive measures reports from audit follow-ups when applicable References ISO 19011: Guidelines for quality and/or environmental management systems auditing ISO 14001:2004 Environmental management systems ISO 14004:2004 Environmental management systems General guidelines on principles, systems and support techniques ISO 9001:2008 Quality management systems Requirements ISO 9000:2005 Quality management systems Fundamentals and vocabulary AFS 2001:1 Systematic Work Environment Management ISO Management system for information security

8 Internal auditing Page: 8/11 Appendix 1 AUDIT PLAN Date: Audit leader: Auditors: Audit of Audited process, operation or area Objectives of the audit Extent (any delimitations) Entire, or parts of, the process/routine. Aim, requirements and criteria for assessment What answers should the audit give? Audit documents Which documents are used? Roles and responsibilities of the audit team Point in time and location for audit

9 Internal auditing Page: 9/11 Appendix 2 Deviation report for internal audit Auditor Audit date Audit No. Audited operation, process, etc. Deviation No. Observation No. Page (no. of pages) Person in charge Standard Deviation or observation (Description, including audit evidence) Degree of seriousness of the deviation: major ( ) minor ( ) Signature of auditor Causal analysis (To be filled in by the person in charge of the area audited) Measures resolved (To be filled in by the person in charge of the area audited)

10 Internal auditing Page: 10/11 Implemented no later than: Performed by: Date: Name: Signature: Measures implemented and their effects Follow-up Concluded (date): Auditor: Signature:

11 Internal auditing Page: 11/11 Appendix 3 Audit memorandum Date: xxxx-xx-xx Audit leader: Auditors: Audit date: Standard: Approved: Heading, title of the audit Summary A summary of the report s content. Aim The aim of the audit. Extent The process, operation or area audited. (Sub-areas audited heading) How the audit was performed, reference documents, etc., either for the audit in its entirety or per sub-area. Results Audit observations and audit conclusions. Deviations A description of the deviations identified. Observations A description of the observations identified. Proposed improvements Proposed improvements drawn up. Deviation report See the deviation report for deviation x-x and observation x-x in addition to the requirements imposed to which each deviation/observation refers.