Sunna Arnardottir

Empowered employees; Healthy workplace

Audits

Audits are an important part of every business, especially for all HR operations and initiatives. Audits allow for utilizing metrics and data to systematically determine if the audited procedure or process is operating as it should, accurately, in full legal compliance, and with preferred efficiency. By repeating the same audits frequently, one ensures continuous improvement of procedures and processes, that operations are staying within budget, and that the most cost efficient items/initiatives are in operation.

The purpose of an audit is never to point a finger, lay blame, or go on a witch hunt against on one or more individuals, but to ensure heightened efficiency in procedures and processes.

Audits should be tailor made for their expected use. Even so, it is important to KISS (Keep It Super Simple!) to ensure easy repetition of the audit at a later date to ensure results from future audits are comparable.

To keep this article simple, how to choose what procedure, processes, and/or objectives are audited will not be covered. Furthermore, this article will explain the setting up of an audit using the templates and examples which can be found in the article’s sidebar. Should any questions arise, you are welcome to fill in the contact form and request assistance.

Setting up an audit

When creating a simple audit it’s good to start with setting up both the report and checklist to ensure that the audit covers all the necessary items and that all steps and findings are properly documented.

  • Report – Details how the audit was set up, performed, it’s results, and next steps. The report should be set up and filed so that anyone could repeat the audit on a later date to see if any action plans from the previous audit are genuinely having the desired effect.
  • Checklist – Holds a list of all the objectives and processes that the auditor must collect data on to fulfill the purpose of the audit.

These documents will be filled in systematically while the audit is in progress, ensuring each step is documented and that no data or metric is forgotten. These two documents can be combined if that is considered fitting for the audit.

Auditor

When collecting tangible data and metrics, different people can be signed off as being responsible for their respected checklists. However, there should always be a single person who is responsible for the audit, it’s documentation, finalization, and filing of the report.

Naming the audit

The first step of setting up all documentation is making sure all are easily identifiable as what they are and from what audit they belong to.

  1. Name the audit based on the overall procedure or process that is being audited.
    • E.g. an audit done on the procedure that follows once an individual is offered employment and until they begin work with the employer can be called “Audit on New Hire procedures”
  2. If you have a filing system, use it to create an ID for this specific audit, and make sure all applicable documents include the same ID in an obvious place.
    • If you do not have a filing system, setup your own ID system.
      • E.g. Department’s name + procedure covered could be Human Resources New Hire procedures, or “HRNH”.
  3. Make sure the ID includes a number to distinguish between different audits on the same objectives, or with different objectives
    • If this is the very first audit it’s ID can end with “0001”, so all follow up audits that target the exact same objectives can be labeled as “0001_02”, “0001_03”, etc.
    • When a new audit on the same procedure but with different objectives is done, the new audit receives the ID number “‘0002”.
  4. Now make sure all documents, attachments, addendums, and data relevant to the audit all include the same audit name and ID:
    • E.g. New Hire audit – HRNH0001

Report Chapter – Objectives

The first step of the audit is to fill in the “Objectives” part of the report. The Objectives list what procedures and/or processes will be covered in the audit and why.

Remember to KISS your objectives!

An objective simply states what it is that will be checked within the chosen procedure. For example, for a New Hire procedure it could be considered to check whether information is properly handled between personnel responsible for the hire and the HR department, or to see if the new hires are properly welcomed once they begin their first day as a new employee.

Each objective should then list all processes that are followed and are relevant to the objective. To look at how information is handled it is important to check how the information is transferred from one personnel to another, what systems are being used, how long the transfer takes, if there are security issues with the transfer, and other applicable processes.

It is tempting to simply take all processes that have to do with given keywords of the objective. For example, to check if information for new hires is handled correctly, it would be tempting to include the process of “all candidates who apply for a position hand in necessary information”. This is where expertise in the procedure is necessary, as someone who understands the new hire procedure knows that information sent in by prospective applicants happens during the recruitment procedure and are irrelevant unless they belong to the individual who is offered employment.

Don’t worry about missing an objective or a process, audits are repeated for this exact reason.

Report Chapter – Scope

After identifying the objectives of the audit, it’s time to fill in the “Scope” chapter in the report. The scope lists everything that the audit covers, and can for example be:

  • Personnel
    • A list of departments
    • A list of teams within departments
    • Job titles
    • Ranks
    • No names or individuals
  • Areas or functions
    • Certain production lines
    • Workstations or -spaces
    • Specific functions
  • Procedures or processes
    • If the objectives are limited and localized to a certain process within a larger procedural framework it should be listed here.

Remember: Audits focus on making procedures and processes more cost effective and efficient and are not witch hunts directed at individuals!

This chapter should also include a short explanation of time period the audit was performed, and if the scope of the audit will be reported on individually or as a whole.

Setting up the Checklist

Make sure that the audit name and ID are listed on the Checklist and in the name of the document. Fill in the objectives from the report, and for each objective identify all necessary processes.

The purpose of the checklist is to make sure the auditor remembers to check all necessary processes once the collection of tangible data and metrics begins, as well as ensure that the audit can be properly repeated at a later date.

An audit can have several copies of the same checklist, in order to manage data gathered from different parts of the audit’s scope.

Please note that there is only one checklist for each audit. Each copy of the checklist should be more or less exactly the same to ensure that each part of the audit’s scope is being handled in the same way, and the same information is being collected from each.

Report Chapter – Methodology

The next chapter the auditor fills in is what methodology will be used to collect tangible data and metrics to audit the set objectives.

There is no one methodology that is best and each audit needs to evaluate what methodology to use to best ensure proper and thorough audit of the targeted objectives and processes.

Examples of methodologies can be found in the example report, but keep in mind that this is not a finite list.

Data collection and processing

Before starting the data collection, a good general rule to follow is to list all applicable personnel that need to be contacted – and when applicable – randomly select from departments and teams who should be contacted, and list all necessary contact information.

Once this is done, looking over the checklist is the next step and determining what data can be collected directly from systems, what data needs to be requested from another individual, and if setting up inquiries or interviews with individuals or groups is necessary.

Setting up a timeline

Once all this information has been taken together, setting up a timeline is easy and it should include:

  • If the data collected needs to be collected in a specific order.
  • Dates when inquiries/interviews are to be done.
  • Time to work on and interpret all data and finalize the report.
  • Due date when the results in the report will be presented and/or filed.

The timeline doesn’t have to be complicated, and could even just be a simple list of steps taken to collect all necessary data listed on the checklist:

  1. Day 1. Contact applicable personnel and setup meetings regarding the audit.
  2. Day 2. Contact applicable personnel and request data from systems.
  3. Day 3. Open up systems to find necessary data for the audit.
  4. Day 4-7. Attend meetings to inquire about data for the audit.
  5. All data should have been collected by now.
  6. Day 8-9. Put data together, enter into report.
  7. Day 10. Submit report.

Once the timeline has been finalized, it can be reported along with all updates regarding the audit.

Having a fixed timeline helps the auditor to maintain order of what is collected and when, limit delays, ensure all necessary data is properly collected in it’s proper order, as well as make sure that if there is a team working on the audit all individuals know what is expected of them and when.

Report Chapter – Metrics/Results (Table)

Once all data has been collected from all applicable teams/departments, the data is complied either as a single data pool, or per different parts of the audit’s scope.

Setting the data up in a table helps give an overview of what is going right with the objectives that the audit is focusing on, and what can be identified as needing improvement.

Table summarizing performance metrics including time to notify new hires, sensitive data management, and outdated job descriptions.

Image 1. Example of a table showing metrics from a new hire audit.

Ideally all metrics/results collected should be compiled and presented in the report, even metrics/results that meet their target, or metrics/results that don’t meet their target but are not considered important or severe enough to warrant an action plan for.

The metrics/result table is set up as follows:

  • Metric – Description of the metric/data collected.
  • Business target – Ideal number, range, minimum/maximum of what the metric/data should be, the ideal cost, or even legal compliance.
  • Actual rate – What the collected data shows the metric/data to be.
  • Status – The difference between the business target and the actual rate of the metric.
  • Comments – A short description of what is going on with the status of the metric.

After filling in all metrics and their respective information, the findings are considered to be:

  • Strengths – No further actions needed.
  • Irrelevant – No further actions needed.
  • Improvement needed – Further action needed.

Report Chapter – Key Findings

The Key Findings chapter has two sub-chapters:

  • Strengths
    • All objectives/processes that are going strong and have a positive effect on the procedure.
      • Yes, it’s nice to include what is going well in audits as well.
  • Improvements needed
    • All objectives/processes that need to be addressed.

Objectives/processes that are found to show irrelevant results are generally not listed. Even so it is a good general rule to go over these objectives/processes and determine if maybe they are irrelevant for this particular audit, irrelevant for the procedure in general, or the collection of necessary data was done wrong in some way.

A metric with results that are found to simply be irrelevant to look at further in this particular audit can be kept and audited on later on to see if there is a change in it’s status. However, if a metric is found to simply be irrelevant to the audit in general, or had wrong data collected, should be mentioned in this chapter of the report in order to not repeat the mistake in follow up audits.

Report Chapter – Risk Assessment (Table)

A risk assessment is done on each metric that is considered to be in need of improvements.

Table outlining risk areas, risk levels, potential impacts, and recommended actions for employee onboarding processes and data compliance.

Image 2. Example of a table showing risk assessments from a new hire audit.

The Risk Assessment is set up with the following columns:

  • Risk Area – Copy/Paste of all comments in the metrics table that were deemed to need improvement.
  • Risk Level – A three point scale – Low, Medium, High – that the auditor uses to label the metric that needs improvement.
  • Potential Impact – The impact the metric will have on the business if no improvements are made, this helps determine the risk level.
  • Recommended Actions – A short description of what needs to happen to turn this metric around into a more favorable outcome. Note that this does not list what will be done – just what needs to change.

Remember: Audits are not meant to point fingers, lay blame, or to be used as witch hunts.
Focus on optimization!

The risk assessment is used to further analyze if all identified metrics that needed improvement are warranted an immediate action plan, or if one or more of them can be revisited at a later date.

Report – Cost Benefits Analysis (Table, not in template)

If the purpose of the audit is to assess cost, cost efficiency, or benefits from a cost, the risk assessment can be replaced with a Cost Benefits Analysis, which is set up as follows:

  • Item/Initiative – The item/initiative that is being checked against having some cost benefits.
  • Initial Cost – How much setting up the item/initiative will initially cost (e.g. new equipment, training program, etc.)
  • Annual Savings – How much the business can expect to save on their procedure/process should they implement this item/initiative.
  • Payback Period – How long it takes for the item/initiative to pay back it’s initial cost.

An audit can include both a risk assessment as well as a cost benefits analysis. The difference would be that the metrics/results table would show the “item/initiative”, “Business Target” would show the cost if the item/initiative is implemented, “Actual Rate” would show the current cost without the item/initiative, “Status” would give the difference between the business target and actual rate, and comments would include information on whether continuing status quo or updating items/initiatives would be more beneficial for the business.

Depending on the status of the item/initiative from the metrics/results table, it can be deemed:

  • A strength – The current status quo is more cost efficient than proposed changes.
  • Irrelevant – No remarkable difference between the status quo and proposed changes.
  • Improvements needed – The current status quo is more expensive than the proposed changes.

Except for the language used, the setup for a Cost Benefits Analysis and Risk Assessment in an audit report are the same.

And like the risk assessment, the cost benefits analysis is used to determine what items/initiatives are determined to be worthy of needing an immediate action plan or should perhaps be revisited at a later date.

Report Chapter – Recommendations for Action Plans (Table)

All risks from the risk assessment that are considered to be in need of an immediate action plan are moved to the recommendations for action plan table.

Image 3. Example of a table showing recommendations for action plans from a new hire audit.

Recommendations for action plans is set up as:

  • Recommendations – A copy paste of all applicable recommended actions from the risk assessment, and/or cost benefits analysis if applicable.
  • Priority – A three point scale – Low, Medium, High – that the auditor uses to label the recommendations to determine how early in the time line of the action plan should kick in.
  • Responsible Party – The job title(s) that are responsible for making sure to bring solutions for their respected risk recommendations.
  • Timeline – The timeline can be a time period in which the action plan needs to be seen through, or a fixed date on when the action plan needs to have been finalized.

The information from the recommendations for action plans are then moved into the Action Plan, where all steps on how to improve the identified risks will be documented.

Please note that the action plan is a working document that is done after the report is finalized, and is therefore not included in the report except as an addendum added after the fact!

Report Chapter – Conclusion

Remember to KISS your conclusion chapter! Nobody wants to spend a weekend reading dozens of pages about a single audit.

The conclusion of the report should include a short description of the results from the audit regarding strengths as well as any irrelevant metrics that should be looked at in later audits or perhaps be removed all together.

This description should also include information on metrics that need improvement, and why it is business critical to act immediately.

Finally, the conclusion includes information about when a follow up audit will be done to see if the recommended action plan – that is still being worked on – was successful in improving the identified risks.

The conclusion chapter should not include any information about the action plan, as it is still a work in progress!

Report Chapter – Summary

This is a chapter that is finalized after everything else in the report has been finished, and includes three short sentences:

  • A sentence on why the audit was conducted, for whom, and possibly if this audits was a follow up.
  • A sentence on what the audit focuses on.
  • A sentence on what the audit identified.

The purpose of the summary is not to give details, but to give a TL;DR account on the audit’s main points.

Action Plans

Once the audit is over and the report has been filed, the auditors job is not over, as the auditor is also responsible for the action plan’s completion.

An action plan is a simple working document that lists the risks that were decided needed to be tackled by the audit. The action plan kicks into action immediately after the report is presented, and all applicable personnel should begin work on corrections immediately.

A table summarizing HR findings related to new hire procedures, including sections for findings, owner, closure meeting date, corrective action, due date, and follow-up actions.

Image 4. Example of a table showing an action plan from a new hire audit.

  • Finding – A copy paste of all applicable recommended actions from the “Recommendations for Action Plan” table.
  • Owner – The job title or department that is responsible for finding best practice to tackle their allocated finding. Should a department be listed, the head of said department is considered to be responsible for seeing the task through, or naming a subordinate to be responsible.
  • Closure Meeting Date – The individuals who are responsible for working on the matter have until this set date to come up with methods and actions to set into place to tackle the finding. What actions are put into place is then decided upon in this meeting by all attendees, and filled into the “Corrective Action” column and given a set due date.
  • Corrective Action – During the Closure Meeting, all applicable parties discuss any and all possible methods in tackling the applicable findings and come up with a corrective action and who is responsible for what part of said action during the meeting.
  • Due Date – A due date for the completion of the corrective action is decided upon during the closure meeting. The due date is determined by the severity of the finding, as listed in the priority column of the “Recommendations for Action Plans” table, as well as necessary time for personnel to see the corrective action through.
  • Follow Up – During the closure meeting, a follow up from the corrective action is determined. Either by allocating importance to it in the next follow up audit, or by setting up a new audit specifically to tackle the finding if it is deemed highly business critical.

The action plan is a working document, meaning that it gets filled in as actions get done. The auditor is responsible for filling in necessary information into the action plans, and following through with those responsible on completion of their tasks.

Bonus – Performance Reviews

The metrics gathered in the audit aren’t just useful for the audit, but also for HR. If a procedure or process is deemed business critical – or even just job title critical – the metrics in the audit can be used as part of that job title’s – or managers/executives – performance reviews.

If the data for the audit is gathered from a single individual’s behavior, HR can request access to said metric straight from the auditor and collect information for performance reviews all year round simply by piggy-backing on the audit’s results.

If the metric isn’t gathered per individual, HR can include said metric in their performance reviews and gather the information per individual themselves.

For metrics that are highly business critical, where if the business targets are not met it can be seen as possibly damaging the business, said metrics could even be used as important factors for reprimands and even termination from employment.

Templates and Examples

Who is Sunna Arnardottir

Sunna Arnardottir is a human resources professional, with a background in psychology and behavior management.

Sunna focuses on personal and professional development for her clients, offers consultation and training on how to set up and grow a healthy workplace environment for all, as well as support during investigation and eradication of detrimental behavior and culture in the workplace.

About Sunna Arnardottir

Contact

Do you have questions, or require support from Sunna Arnardottir?

Contact Sunna Arnardottir