Internal Audit Process: 1. Planning Phase Objective: Establish a clear understanding of the audit subject and develop a roadmap (audit program) for executing the audit effectively. Key Activities: > Initial Contact & Information Gathering: Understand the size, responsibilities, and procedures of the audited unit. > Risk Assessment: Performed to identify high-risk areas for focus. > Audit Objectives & Methodology: Defined and documented through the audit program. > Notification Letter: Sent to leadership to inform them of the audit. May include a pre-audit questionnaire or document request list. > Entrance Meeting: Discuss audit scope and objectives. Explain methodology and timeline. Identify scheduling concerns (e.g., staff availability). Encourage input on known risks and areas of concern. 2. Fieldwork Phase Objective: Evaluate internal controls, compliance, and operational effectiveness through testing and inquiry. Key Activities: > Testing & Documentation Review: Examine transactions, records, and procedures. > Staff Interviews: Conducted to gain deeper insights into practices and control execution. > Disruption Minimization: Work is coordinated to limit interference with operations. > Ongoing Communication: Frequent updates and discussions with audit clients. > Collaborative Analysis: Observations and issues are discussed with management to identify root causes and explore solutions. 3. Reporting Phase Objective: Present audit findings, recommendations, and management’s corrective action plans in a formal written report. Key Activities: > Draft Report: Initially shared with local management for review. > Management Response: Required for each recommendation, including: Action plan. Responsible person. Implementation date. > Exit Meeting: Held if needed to address concerns and clarify findings before finalizing the report. > Final Distribution: The final report is sent to Management and Boards. 4. Follow-Up Phase Objective: Ensure that corrective actions are implemented effectively and that issues are resolved. Key Activities: > Verification Procedures: May involve document review, staff interviews, or re-auditing specific processes. > Ongoing Tracking: Open findings are tracked and presented at each Institutional Audit Committee (IAC) meeting. > Escalation for Delays: If action plans miss deadlines, the responsible party must submit a written explanation. Repeated delays require in-person explanation to the IAC.
Auditing Practices Overview
Explore top LinkedIn content from expert professionals.
-
-
Audit, Risk & Compliance (ARC): The Three Pillars of Strong Governance "Let me explain why Audit, Risk, and Compliance aren’t just checkboxes—they’re your governance backbone." I’ve had this conversation many times with peers, clients, and boards. And here’s what I often say when someone asks, “How do you build strong governance?” You start with ARC: - Audit - Risk Management - Compliance Each has its role, but when aligned, they become a strategic force. Let me walk you through it from experience: 🔍 Audit is your independent lens. Think of Audit as the team that tells you what’s happening. Their job is to verify that controls are working not just existing on paper. ▶ Example: I once saw an internal audit uncover a $500K billing discrepancy no one had noticed. That wasn’t just cost savings it was a control failure caught before it became reputational damage. The best audit teams today use data analytics and real-time assurance tools to stay ahead. Traditional static audits no longer suffice. ⚠️ Risk is your radar. Risk Management isn’t about stopping risk, it’s about knowing which risks matter, and how much risk you can take to grow. I’ve seen risk teams run scenario analyses ahead of market expansion that flagged FX volatility. With a solid hedging plan, they avoided a 7% EBITDA hit. That’s what proactive risk management looks like. And right now? The strongest risk programs I’ve seen are integrating AI, ESG risk, and third-party oversight into their frameworks. ✅ Compliance is your moral and legal compass. Compliance isn’t just about avoiding fines. It’s about building trust internally and externally. A solid compliance program is the reason one company I worked with navigated new data privacy regulations across multiple countries without missing a beat or getting penalized. What’s changing? Compliance is becoming more automated, more behavior-driven, and more global. And that means compliance officers need better tech and a seat at the strategy table. Now here’s the key: ARC only works when it's integrated. When Audit, Risk, and Compliance operate in silos, things fall through the cracks. But when they collaborate sharing insights, aligning priorities, and using common platforms governance becomes a value driver. A recent PwC survey backs this up: - 73% of execs say ARC alignment improves decision-making - 65% plan to invest in integrated GRC platforms - Over half say Internal Audit is now a transformation partner If you’re leading or supporting ARC functions, my advice is simple: Don’t build walls, build bridges. The future of governance isn’t in functions. It’s in how those functions work together. Let me know how ARC works in your organization today. Do the functions collaborate, or still operate in silos? #Governance #InternalAudit #RiskManagement #Compliance #GRC #BoardEffectiveness #OperationalResilience #Leadership #3prm #tprm #GovernanceExcellence #RiskStrategy #ComplianceCulture
-
There’s one question every audit team asks during a repeat audit: Did you solve the problem? Not the symptom. The root cause. Too many MedTech teams fall into the same traps: ❌ Skipping frontline input ❌ Abandoning follow-through ❌ Using the wrong tool for the issue ❌ Fixing symptoms instead of systems But there’s a fix. Here are 4 proven root cause tools, and when to use each: 1. 5 Whys 👉 Keep asking “why?” until you hit the core issue. Best for: Simple, recurring problems. 2. Fishbone (Ishikawa) 👉 Map causes across methods, materials, manpower, etc. Best for: Complex, cross-functional issues. 3. Fault Tree Analysis (FTA) 👉 Break down failure logic step by step. Best for: System-level breakdowns or safety-critical events. 4. Pareto Principle (80/20 Rule) 👉 Use data to find which few issues cause most failures. ✔ Prioritize audit findings ✔ Focus your RCA where it counts ✔ Guide resource use with impact in mind Best for: Identifying high-impact failure clusters before RCA begins. ✅ A strong RCA is: • Process-focused – not blame-focused • Evidence-based – not guesswork • Collaborative – includes voices from the floor • Actionable – ends in real improvements • Audit-ready – easy to explain and document Because if you want: ➟ Fewer findings ➟ Less CAPA churn ➟ And safer devices You need to solve the right problem. So when the audit team asks, “Did you fix this?” You’ll say, “Yes, and here’s how we know.” ♻️ Find this valuable? Repost for your network. 💡 Follow Bastian Krapinger-Ruether for actionable tips on MedTech compliance and QM. Tired of wasting time on repetitive compliance tasks? DM me to see how AI can automate 70% of your processes, so you can focus on what really matters.
-
Last week I spoke with a CISO looking for a GRC platform to manage SOC 2, ISO 27001, ISO 9001, CSA Star, and PCI DSS. These are dream projects for me because there is such a huge opportunity for ROI. 𝗖𝗨𝗥𝗥𝗘𝗡𝗧 𝗣𝗥𝗢𝗚𝗥𝗔𝗠 & 𝗖𝗛𝗔𝗟𝗟𝗘𝗡𝗚𝗘𝗦 - Today they have 2 audit firms: One for SOC 2/PCI/CSA and one for ISO 27001 - As a result they have two audit seasons and end up burning a lot of political capital with engineering teams and IT asking for the same audit evidence 2x per year - The audits drive all compliance activity and there is no visibility between audits -The business has aggressive plans to acquire 1-2 companies a year and they needs to be able to inherit and maintain new programs 𝗪𝗛𝗔𝗧 𝗪𝗘 𝗔𝗥𝗘 𝗚𝗢𝗜𝗡𝗚 𝗧𝗢 𝗗𝗢 𝟭. 𝗛𝗮𝗿𝗺𝗼𝗻𝗶𝘇𝗲 𝘁𝗵𝗲 𝗽𝗿𝗼𝗴𝗿𝗮𝗺 𝗶𝗻 𝗳𝘂𝗹𝗹𝗖𝗶𝗿𝗰𝗹𝗲 First we are going to harmonize all the frameworks and audit evidence in our platform fullCircle. This way they can slice and dice by framework, by control, by evidence, by owner, or however else they need to. This will enable gathering evidence once to meet requirements across multiple frameworks. They can also generate "audit packages" of evidence with a click of a button. 𝟮. 𝗦𝘁𝗿𝗲𝗮𝗺𝗹𝗶𝗻𝗲 𝗮𝘂𝗱𝗶𝘁𝘀 Next, we need to work with the external auditor to create a single audit season, understand mapped evidence, and buy in on the strategy. The best audit firms we work with are great partners in pulling off this strategy while also doing a thorough high quality audit. 𝟯. 𝗔𝘂𝘁𝗼𝗺𝗮𝘁𝗲 𝗮𝗻𝗱 𝗰𝗼𝗻𝘁𝗶𝗻𝘂𝗼𝘂𝘀 𝗺𝗼𝗻𝗶𝘁𝗼𝗿𝗶𝗻𝗴 We also have to get the team to a place where they aren't pulling everything manually and they have some confidence things are running well between audits. First, we did this is by automating a few big ticket items - focusing mostly on their AWS and GCP instances (access, secure configs, etc.). Second, we set up a cadence of internal audit spot checks on a monthly basis for high risk items. --- This will likely save the customer $1M and 1000+ hours a year of largely non-value add work. That's a solid project.
-
Want to improve safety? Start by understanding people — not just procedures. In high-risk work environments, we often focus on systems, compliance, and controls. But it’s human factors that often decide whether things go right… or terribly wrong. Human factors in safety isn’t about blaming the person — it’s about understanding the person: What are they seeing, hearing, and feeling? Are they fatigued, rushed, or under pressure? Is the task designed for success, or primed for error? When we design work with human performance in mind, we move from: ❌ “Who made the mistake?” ✅ To: “What conditions set the stage for it?” Human factors means: Clear, intuitive procedures Fit-for-purpose tools and environments Mental workload and stress considered in planning Control room and field tasks aligned with real-world use Teams trained in decision-making under pressure Because safety isn’t just technical — it’s human. If we want fewer incidents, we need to understand the people doing the work. That’s how we design for safety, not just hope for it. #HumanFactors #SafetyCulture #HumanPerformance #WorkplaceSafety #HSE #SafetyLeadership #HumanCentredDesign #HighReliability #ErrorPrevention #OperationalExcellence
-
Compliance isn’t choosing one framework, it’s understanding how they work together. Many organizations view SOC 2, ISO 27001, and GDPR as competing obligations, but the reality is far more integrated. SOC 2 validates data security controls for US-based service providers voluntary but expected by enterprise clients. ISO 27001 provides a globally recognized ISMS foundation with comprehensive risk management and continuous improvement. GDPR legally enforces personal data protection for EU citizens with significant financial penalties for non-compliance. The strategic advantage lies in their overlap: access controls, incident response, vendor risk management, encryption, and breach notification requirements align across all three. Organizations that map controls once and satisfy multiple frameworks simultaneously reduce audit fatigue while strengthening their overall security posture. Rather than treating compliance as separate silos, mature GRC programs build unified control environments that address shared requirements, turning regulatory burden into operational excellence. What’s your approach to managing overlapping compliance frameworks? #GRC #SOC2 #ISO27001 #GDPR #Compliance #InformationSecurity #DataProtection
-
𝐖𝐡𝐲 𝐬𝐡𝐨𝐮𝐥𝐝 𝐀𝐋𝐂𝐎𝐀++ 𝐛𝐞 𝐚 𝐡𝐚𝐛𝐢𝐭, 𝐧𝐨𝐭 𝐣𝐮𝐬𝐭 𝐚 𝐫𝐮𝐥𝐞? If you’re in pharma or biotech, ALCOA++ is probably second nature to you. But it’s more than just a compliance rule - it’s a way of working that keeps data reliable and trustworthy. We talk about it all the time, but what does it actually look like in real-world scenarios? Let’s look at some real-world examples. 📌 𝐀𝐭𝐭𝐫𝐢𝐛𝐮𝐭𝐚𝐛𝐥𝐞 – Who did what? 🔹 𝐄𝐱𝐚𝐦𝐩𝐥𝐞: A sample analysis is recorded, but without the analyst's initials. Later, an OOS (Out of Specification) result is found. If we don’t know who performed the test, investigating root cause becomes a nightmare! 📌 𝐋𝐞𝐠𝐢𝐛𝐥𝐞 – Can you read it? 🔹 𝐄𝐱𝐚𝐦𝐩𝐥𝐞: Handwritten temperature logs in a cleanroom are smudged and unreadable. When auditors ask for records, nobody can verify whether storage conditions were maintained. 📌 𝐂𝐨𝐧𝐭𝐞𝐦𝐩𝐨𝐫𝐚𝐧𝐞𝐨𝐮𝐬 – Recorded in real-time 🔹 𝐄𝐱𝐚𝐦𝐩𝐥𝐞: A stability study result is noted two days later from memory. Could you recall exact values? Real-time data entry = real credibility. 📌 𝐎𝐫𝐢𝐠𝐢𝐧𝐚𝐥 – The first, unaltered record 🔹 𝐄𝐱𝐚𝐦𝐩𝐥𝐞: A QC analyst re-enters test results in a new sheet after realizing an error. Instead of correcting the original entry with an explanation, they discard the first record. Oops! Major compliance risk. 📌 𝐀𝐜𝐜𝐮𝐫𝐚𝐭𝐞 – No room for errors 🔹 𝐄𝐱𝐚𝐦𝐩𝐥𝐞: An autoclave run is recorded as 121°C for 15 minutes, but the printout shows it only reached 118°C. A small slip, but a huge impact on sterility assurance. 𝐀𝐧𝐝 𝐧𝐨𝐰, 𝐭𝐡𝐞 "++" 𝐩𝐚𝐫𝐭 – 𝐰𝐡𝐞𝐫𝐞 𝐰𝐞 𝐠𝐨 𝐛𝐞𝐲𝐨𝐧𝐝 𝐀𝐋𝐂𝐎𝐀: 📌 Complete – No missing pages, no hidden data 📌 Consistent – Follows a standard, traceable format 📌 Enduring – Stored securely for the required retention period 📌 Available – Accessible for audits and investigations anytime 𝐖𝐡𝐲 𝐝𝐨𝐞𝐬 𝐀𝐋𝐂𝐎𝐀++ 𝐦𝐚𝐭𝐭𝐞𝐫? Because in pharma, "Good enough" isn’t good enough. Patients rely on our integrity. Regulators demand transparency. It’s not just about compliance - it’s about trust. #ALCOA #Dataintegrity #Qualitymanagementsystem #Pharma #QA
-
How did 1 year look like in internal audit at a Big4? Note: Experiences may differ. To help you understand the kind of exposure one can get, I have shared the 4 core projects I spent ~75% of my time on. Each had different scopes, challenges and learning outcomes. (all manufacturing clients) 1. Price Supplementary & Logistics Audit (Audited pricing changes, logistics data and CTO checks): Heavy manual punching from PDF to Excel – built early Excel shortcuts; 2-week outstation audit across 3 plants – attended opening meetings, understood how field audits differ from remote ones; limited client talk at HO but meaningful exposure at plants; saw how audit checklists are implemented physically; absorbed audit mindset from seniors – how to test, replicate, and present findings cleanly. 2. Manpower Audit (Audited headcount, attendance, payroll controls): First time seeing client disagreements; taught me how seniors respond to resistance with calm and facts; identified major finding involving overtime misuse; used Power BI for heavy data – visualized anomalies in data, but still had to manually verify with physical records; tight deadlines before final meetings taught me focus under pressure; learned how observations need backing, not just assumptions. 3. Spare Parts Division Audit (Audit scope: procurement, warehousing, dealer incentives): Joined mid-audit – needed 1–2 weeks to catch up on past discussions; performed testings, peer reviews, closing file work; first time giving review comments and receiving feedback on mine; interacted with mid-level client staff – understood how audit tone shifts based on level; explored Alteryx for workflow automation – basic but eye-opening on how tech fits into audit; best mix of autonomy and learning – not new, not too senior; realized how documentation, communication, and teamwork drive a smooth close; favorite audit of the year. (learnt why seniors fear reviews!) 4. Compliance Audit (FEMA & Customs): Audit focused on regulatory filings; reviewed filings, policy adherence, import/export documentation; used AI tools to summarize provisions, minimal Excel compared to others; interacted with senior – observed how findings are communicated differently at that level; relaxed audit timeline, but required depth of understanding; a little less worried about IDT now. Apart from finance, I do not think there was any business process I did not at least get some exposure to. I was trained heavily in Excel, BI and used AI extensively during audits, and even got to try Alteryx to build simple workflows. For anyone still unsure about this domain – I hope this helps bring some clarity. Yes, as a first-year article, a lot of what I did was manual and repetitive at times – but that should not be a deciding factor in choosing or rejecting internal audit. That kind of work exists in every domain you enter. What matters more is what you make of it.
-
Two years of secrecy: Big four accounting firms still skirt oversight Treasury has been told the big four accounting firms Deloitte Australia, EY Australia, KPMG Australia and PwC Australia operate in a regulatory grey area with gaps in how the partnerships are policed, and the current oversight of audit quality is inadequate. A summary of dozens of responses to the department’s consultation into auditing and consulting governance also outlined support for giving the corporate regulator the power to sanction firms, as opposed to individuals, an idea that is vehemently opposed by the accounting sector. The consultation, which closed in mid-2024, was triggered by the PwC tax leaks scandal and followed a parliamentary inquiry that made 40 recommendations to reform the sector. Details of the 36 submissions and 16 private forums are contained in a ministerial summary, released under Freedom of Information laws.