This posting examines different types of audits to provide a better understanding of audit terminology for individuals that are involved with auditing. In a second part to this posting I will examine the similarities between different types of audits in a post titled, “Different Types of Audits Are Really All the Same.”
While writing an ASTM standard for cannabis operational compliance audits, I learned that everyone has their own perspective on audits based on their past experiences. There are first-, second-, and third-party audits, supplier audits, financial audits, internal audits, independent audits, self-audits, external audits, certification, quality, IT, HIPAA, IRS audits, and more.
In addition, there are other terms such as assessment, examination, inspection, and others. In some circles, there are very specific meanings to these terms and in others, they are used almost interchangeably. If that last statement makes you shudder you are certainly part of the former group. My mobile assessment platform can be used to automate, standardize, and customize all of these so I used these terms in a more general nature.
The scale of an audit can range from an internal audit of a small single operation with a few employees to an audit of a large corporation with facilities at multiple international locations. An audit can be based on a few criteria or a complex set of criteria based on multiple regulations, standards, best practices, and policies.
The scale affects the effort required for audit planning and preparation, logistics and communication requirements, the size of the audit team (from one auditor to many), the time to conduct the audit, and the effort required to prepare and present the report and findings.
The objectives of an audit can range from a simple audit based on a few criteria for a specific concern such as workplace safety to an audit based on many different criteria such as good production practices, safety, quality measures, information privacy, IT or physical security, and government regulation. It can be for internal purposes or be mandated by an external entity or authority.
It is important to understand the objectives of an audit and how the audit findings are intended to be used. Misalignment can result in an audit that does not assess the intended criteria, overlooks key objectives, or assesses elements that do not support the purpose of the audit.
Different Types of Audits
Financial, compliance, operational, product audits
I will attempt to lump audits into 4 categories. Each one of these types can be sliced and diced into many other specific types of audits. For now, let’s examine the main differences in general terms.
A financial audit typically refers to an inspection of financial statements and data to verify that the records are a true representation of the actual financial transactions and current financial status. I find the term also applying to an audit to ensure financial controls are in place but this type of audit fits the operational audit category.
Financial audits fit into a category I’ll call “records verification” audits that can include audits with the intent to verify that some form of records are an accurate representation of events that have occurred. For example, an audit that a high-security area access log for 2018 accurately accounts for everyone that entered the facility or an audit of national weather system records over the last century.
A compliance audit is an assessment to verify compliance with applicable policies, standards, laws, or regulations. Compliance audit criteria are translated into questions that require a “Yes/No” or “Compliant/Non-compliant” answer. For example, Does the high-security area maintain a log of everyone that enters the facility?
Operational audits tend to be more subjective than compliance audits. They assess that policies, processes, procedures, training, controls, record keeping, management systems, risk assessment and other measures are in place to adequately meet some set of policies, regulations, good agricultural or manufacturing practices, health and safety measures, social and environmental responsibility, information system security or privacy, or other objectives. Using the same example, an operational audit for the access log would examine policy, documented procedures, training, staff interviews, and operational observations to confirm that measures are in place to meet this requirement. From my research, the terms process audit and conformance audit appear to fit into this category.
Product audits focus on how well a product meets internal, regulatory, and customer specifications. A product audit can include an assessment of how well the product specifications are defined, maintained, and managed.
Internal versus external audits
An internal audit refers to an audit conducted for internal reasons, mostly to identify and correct gaps and reduce risk. An internal audit can be conducted by internal staff or by contracting with an external audit firm. It is common to find definitions that strictly define an internal audit as one performed by staff internal to the entity being audited.
Self versus independent audits
Self-audits are conducted by the employees of the operation being audited. Self-audits are internal audits and are best conducted by individuals that are not responsible for the items being audited. Checking your own work and results should be described as self-checking or self-inspection, not as an audit.
Independent audits are conducted by an outside external auditor or auditing firm that has no dependent relationship or bias to the business being audited or the second party that requires the audit to be conducted.
Notes: Self-audits conducted by an internal quality or compliance department that does not have a direct interest in the operation being audited reduce but do not eliminate internal bias. Many people use the term internal audit to mean self-audit and external audit to mean an independent audit.
Certified versus non-certified
Certified auditor—This is the certification of the auditor by way of auditor training and testing. Depending on the certification program a certified auditor may have been trained and tested on inspection, observation, interview, evidence collection, and report writing techniques, properly handling proprietary information, and other legal matters, as well as the subject matter of the audit.
Certified Audit program—This is a predesigned audit program that has been reviewed by a certifying body to ensure that it thoroughly and completely covers the intended audit criteria.
Certification audit—This is an audit to “certify” that the audited entity is compliant with specific audit criteria. To be credible, a certification audit is usually conducted by a certified auditor using a certified audit program. The certifying body is required to maintain records of the certification and there are usually periodic recertification audits required.
Certification statement—This simply means that the auditor certifies that they have conducted the audit, truthfully reported their findings to the best of their abilities, and are prepared to defend the findings. This would not imply the auditor or the audit program is certified, or that the audited entity is certified in any way.
Noncertified audits are common to identify gaps and risks and provide valuable information for internal or external reasons.
Mandated versus self-initiated
An audit can be mandated by an external authority such as a business customer, a financial firm or investor who requires an audit prior to establishing a business relationship. Government regulation can mandate certifications that would require an audit.
Self-initiated audits are performed for internal improvement reasons or to obtain an industry standard certification for quality, risk reduction or marketing reasons.
Gap-finding versus compliance-affirming
Audits can be conducted for the purpose of finding gaps to drive improvement efforts or to document compliance and everything that is positive.
Comprehensive audits versus issue-reporting
Most audits are comprehensive based on all of the objectives and criteria of the audit. The audit report would include issues and positive findings. An assessment that just looks for and reports issues should be described as an inspection instead of an audit.
Manual versus automated audit programs
An audit program can be paper-based, semi-automated using word processing and spreadsheet tools, or fully automated using specialized audit software. Most automated audit applications run on mobile devices. Some automated programs provide specific audits while others are customizable or are an audit platform that allows an auditing body to develop its own audit programs.
Large versus small audits
An audit of a large operation involving multiple departments with facilities at several locations will involve more people and require substantial preparation, planning, coordination, and communication. The CEO, a board of directors, or a division VP may have initiated the audit and be the recipients of the audit findings. Unclear objectives or poor communications can have substantial effects on audit results.
A small compliance audit may involve a single auditor for less than a day. This means that planning, communications, and audit logistics require far less effort. However, knowledge of all audit criteria and developing a solid audit program can be equally demanding.
First-, second-, and third-party audits
A first-party audit refers to an internal audit. The operation being audited has the interest in the results. The audit can be conducted by the first party (a self-audit), or an independent auditor can be hired.
A second-party audit refers to an audit where a second party initiates the audit and is interested in the results. An audit that a business requires of a supplier before entering into a contract is referred to as a second-party audit. The second party can conduct the audit or hire an auditor.
A third-party audit is conducted by an auditor or audit firm that is independent of and without bias toward the operation being audited or a second party with direct interest in the results. A certification audit requires a third-party audit. A supplier audit is usually referred to as a second-party audit but could be considered a third-party audit if the auditor is totally independent of the second party.