- Internal Audit Management

Internal Audit Management

Introduction

Internal audits within iPassport are created using a Checklist. These checklists can be created as reusable templates within iPassport and selected when creating the internal audit.

If the preference is to produce audit reports created outside of a checklist process, then these are best stored as controlled documents with the Category of Internal Audit.

Internal audits can be on any topic; there is no limitation within iPassport on this.

For managers to have a quick overview of scheduled audits, the Metrics area provides a widget which lists ‘Internal Audits due within the next month’.

Required Permissions

There are 20 permissions associated directly with internal auditing. For convenience, they come organised by level of authority in two system roles - Audit Viewer and Audit Editor. Audit editors’ permissions include those of audit viewers.

Audit Viewer (also available in Global Viewer (excluding admin and personnel records) )

Internal Audits:Create Reports
Internal Audits:Search Internal Audits
Internal Audits:View History
Internal Audits:View Internal Audits
Internal Audits:View Non-Compliances
Internal Audits:View Print History
Desktop:Show Internal Audits Menu Item
Desktop:Show Non-Compliances Menu Item

Audit Editor (also available in Global Editor(excluding admin) )

All permissions above plus:
Internal Audits:Change OU
Internal Audits:Complete
Internal Audits:Create Internal Audits
Internal Audits:Delete Types
Internal Audits:Edit Internal Audits
Internal Audits:Edit Types
Internal Audits:Link To Records
Internal Audits:Manage Non-Compliances
Internal Audits:Manage Reviews
Internal Audits:Print Internal Audits
Internal Audits:Remove Links
Internal Audits:Schedule Reviews

Internal Audit Settings

There is currently one setting which allows closing internal audits when they still have open non-compliances. When it is not enabled (ticked), all related noncompliances must be closed before the internal audit can be set as completed.
The setting can be adjusted independently for each OU by navigating to Administration > Settings > Organisational Unit Preferences, selecting the OU and clicking, Internal Audit Settings. Once the option, “Allow closing Internal Audits with open non compliances” has been ticked or unticked, click Save.

Creating Internal Audits

Creating a new internal audit record

Note: Checklists should be in place before they are used in internal audits.

The Internal Audit menu item is located under the Quality Management main menu item.

To create a new internal audit:

  1. Go to Quality Management > Internal Audit > New Internal Audit (or use the [+] sign shortcut)
  2. In the New Internal Audit Step 1 of 3 screen, enter values for the following fields (at least those marked required must be entered to continue)-
  • Organisational Unit - this provides the internal audit with a ‘home’ and helps define who can and cannot access the record
  • Name (Required) - this field is displayed in search results so it’s beneficial to make it descriptive; the system will issue a warning if the name has already been used and it will prevent advancing to the next step.
  • Type - this allows breaking Internal Audits down by a searchable and reportable type. Only one type of internal audit can be selected/assigned from the dropdown menu. New types can be added using the spanner icon to the right of the field (please refer to, Adding New Types below).
  • Index (Required) - it can be left to Auto Generate by iPassport and it will use the settings in the Administration area; or it can be entered manually by clicking the cog icon, which toggles the auto generate on and off. The index is only used as an authentication method to help ensure there is a unique identifier for the record, therefore it can be manually configured. The system will issue a warning if the index has already been used and it will prevent advancing to the next step.
  • Schedule On (Required) - this field allows setting the date the audit is intended to happen. Internal audits can be created in advance so that an audit calendar can be built up well in advance. The schedule on date can be adjusted at any point until the internal audit is completed.
  • Frequency (months) - this field allows making internal audits recurring, when desirable; by setting a frequency in months (only whole numbers are accepted), a new audit will be automatically created when the current one is marked as complete. More detail is available below.
  • Completion Due On - allows setting a deadline by which the internal audit must be completed
  • Authors - to record the people who prepare the audit
  • Locations - this helps to further categorise the record
  • Auditor - this is a free text field which simply allows writing the name of the auditor; it is currently not linked to a contact record in iPassport so no reminders are triggered from this field.
  • Verifier - a verification step will only be added if a user is added to this field; if a user is selected from the dropdown menu (which displays names that match the text entered), this person will be assigned a task to verify the internal audit and confirm dates for the next audit when it’s recursive. Please find further details below.
  • Introduction and Scope - this field is available to provide background about the audit
    Note: Should a reminder of the audit be required, the best solution is to create a task and assign it to the auditor. If the audit is not for a few months time, the task can be created with an appropriate Activation Date set in the future.
  1. Click Next Page

  2. In the New Internal Audit Step 2 of 3 screen (Peer Review Step), optionally enter values for the following fields-

    NOTE: The peer review step is used to request other staff members’ feedback on the design of the audit. If this is not required the step can be skipped.
    If filled, a task is issued to the selected users when the audit has been created, dependant on the Tasks Active on date.

  • Review to be completed by - to set a date by which the peer review should be completed
  • Tasks active on - to set a date to release the tasks in the future if preparation time is needed before the audit can be reviewed
  • Reviewers (Distribution Lists) - to select a group of reviewers in ‘bulk’ by selecting existing Distribution List(s)
  • Reviewers (Users) - to select individual users one by one
  • Priority for review tasks - to select a level of urgency from the dropdown menu
  • Task Description - iPassport pre-populates the field with a standard message which can be edited and extended as required
  1. Click Next Page
  1. In the New Internal Audit Step 3 of 3 screen, select one or more existing checklists to be used for this audit

    NOTE: It is not required to select a checklist at this point and an internal audit can be completed without use of a checklist. However, internal audits are designed to use checklists for a more effective and efficient process. So, if it is missed here (for example, it has not been written yet), it can be added from the Checklist tab within the internal audit record later.

  2. Click Create Audit

Adding New Types

To add new types of audits:

  1. Open an incomplete internal audit
  2. Click the edit (pencil) icon next to the Type field
  3. Click the manage (spanner) icon that appears
  4. Click [+]Add Audit Type in the Audit Types lightbox to open the Create Audit Type section
  5. Enter a name for the new audit type in the Name field
  6. Click Create Audit Type
  7. Use the delete (trash/bin) and edit (pencil) icons to manage the types listed below
    NOTE: Only types not in use can be deleted

Searching Internal Audits

All internal audits are listed under the Search Internal Audits tab. A set of search filters help locating any internal audit quickly. To save screen space, some search filters are kept hidden and can be easily viewed by clicking the Advanced Search bar.

To find an internal audit:

  1. Go to Quality Management > Internal Audit > Search Internal Audits
  2. Use the following filters to narrow down the search -
  • Search - free text can be entered to look for audits by name or index

  • OU - a dropdown menu displays all Organisational Units where the user has permission to view internal audits; ability to view internal audits is limited to the OUs where the permission (Internal Audits:View Internal Audits) is granted

  • Type - user created ’types’ help classify and locate audits

  • Status - the options are, Not Started, In Progress, Completed and Overdue; leave the field blank to view all statuses

    Only the status label, Overdue is tagged to an audit’s name in red.

  • Review Status - if review feedback is requested for an audit, it can be in one of the following statuses, Reviewed, Scheduled, Under Review or No Reviews; leave the field blank to view all statuses

    An audit might have already been reviewed and have reviews underway at the same time. These are marked with both tags:

  • Date - is after - is before - the Date field offers the options, Created, Schedule on or Completion Due; the other two fields have pop-up calendars to set a range for the date parameter

Exporting Search Results

The list of audits resulting from any search can be exported in CSV format by clicking Export CSV, in the top right corner of the results section.

Viewing the Internal Audit Record

Once the internal audit is created, it can wait there until the audit needs to be performed. It is also possible to adjust the Scheduled On date at this point if needed. The Scheduled On date can’t be after the Completion Due On date; the system will validate this when these fields are edited.

The first three tabs of the record reflect the steps used to create it. The General tab, which the record opens to by default, represents the first step (page) when creating the internal audit. The Reviews tab and the Checklist tab represent the other two steps in the creation process.

Most elements of the record can be edited through these tabs while the audit is incomplete.
The Organisational Unit (OU) is the exception. To change it, the permission, “Internal Audits:Change OU” is required for the option, ‘Change OU’ to become available in the Actions dropdown menu.
It is possible to move an internal audit to a different OU after it has been closed, provided the user also has the permission, “Internal Audits:Complete”.

Non-compliances are created as part of the internal audit, based on the checklists chosen. As such, it is not possible to create a noncompliance from the Non-Compliances tab; it simply shows ones created from the Checklist tab as part of the audit.

The other tabs work in the same way as they do elsewhere in the system.

Performing the internal audit

When the internal audit record has been created it is possible to ‘perform’ the audit, using the Checklists tab in the record. The Checklists tab shows the checklist(s) loaded to the internal audit and by working through them, the audit can be completed.

To perform the audit:

  1. Open the internal audit by going to Quality Management > Internal Audits > Search Internal Audits

  2. Click the Checklists tab to open it

  3. Click the magnifying glass in the Actions column of a checklist to access its elements

  4. Mark off each item of the checklist by selecting one of the options in the Actions column; from left to right these options are:

    • Compliant (’ ’ check) - marking an item as compliant opens a lightbox to provide evidence. Free text can be entered here and other evidence such as a picture or scans, can be added by dragging them into the dotted rectangle marked, Click here to attach evidence or by clicking inside the dotted area to open a ‘search and select’ browser window. Other records in iPassport can be linked at the bottom of the lightbox. Click the button, “Mark As Compliant” to complete the approval or click the “X” in the top right corner to close it without marking the step as compliant.

    • Noncompliant (’X’ cross) - marking an item as noncompliant opens a noncompliance lightbox where some of the key information can be entered.
      Critically, a noncompliance record is created from this information, allowing the noncompliance to be expanded and actioned. Immediate and follow up actions are not created at the time of recording the noncompliance but through the (now) linked noncompliance record. The noncompliance record can be accessed from the Non-Compliances tab in the internal audit, or from the noncompliant audit step itself.

    NOTE: A noncompliant internal audit checklist step and its associated noncompliance are two distinct items and once created they can have attachments and links added separately.
    Non-Compliances created from an internal audit checklist step (also referred to as a ‘requirement’), will display information about their origin in the internal audit, with details about attachments and links added there.

    • Not Applicable (’-’ dash) - marking an item as not applicable opens a lightbox where observations, attachments and links can be added. Click the button, “Mark As Not Applicable” to complete the process or click the “X” in the top right corner to close the lightbox without changing the state of the step.

Any attachments added are listed near the bottom of the lightboxes that open when clicking Compliant (✓), Not Applicable (-) or, when clicking the magnifying glass icon (🔍) which shows once a step has been marked. Steps can be revisited to upload, remove or replace more evidence. It’s possible to open these lightboxes just to manage attachments and then click the “X” in the top right corner to close them without altering the state of the step. For more information on the attachment icons, please refer to the user guide, Attachment Management.

Completing the internal audit

Once the checklist items have been worked through, the internal audit can be marked as complete. For the internal audit to be marked as complete, not all the noncompliances have to be closed if the Organisational Unit Preference, “Allow closing Internal Audits with open non compliances” has been enabled. Please see the settings section above. If there are open noncompliances, they’ll remain linked to the internal audit as separate records.

To mark an internal audit as complete:

  1. Expand the Actions drop down menu and select the Set as Completed option

  2. Click the Go button and the internal audit should be marked as complete/finished

The fields under the general tab will still be editable after it’s completed. It will still be possible to manage the evidence submitted but it won’t be possible to change the state of any steps.

Verification Step

When a verifier is appointed in the field provided, the system automatically assigns a task to this person when the audit is set as completed. A task will be created even if the verifier completes the audit. The task will appear in the sidebar like any task and clicking it will take the user to the record so it can be verified easily.

Recurring Internal Audits

If a value is entered in the Frequency field, the internal audit will automatically become recurring. At the point of completing the internal audit, a lightbox will pop up to allow adjusting the dates calculated by the system. Both dates, “Schedule the next audit on” and “Next audit’s Completion due date”, are based on the previous corresponding dates and incremented by the frequency value.

If a verification step has been added, the verifier will also have an opportunity to edit these dates when performing the step.

A new copy of the internal audit will be created with the approved dates. It will include the same checklist as the original audit and from version 3.5.6, if the checklist has been updated in the interim, the changes will be reflected in the new audit.

Re-opening an Internal Audit

It is also possible to reopen an internal audit once it has been completed. The Actions dropdown menu will include the option, “Re-open” in completed audits. This option is only visible with the permission, “Internal Audits:Complete”. Completing this action reverts the internal audit to the status, “In Progress” and leaves an entry in the Changelog tab for future reference.