The ITAM-Unit

Guidelines for audits

Roel Dufifie

Introduction
An audit is a systematic examination to verify whether something complies with certain standards, rules, legislation, or quality criteria. The aim is often to create transparency, detect errors or risks, and identify areas for improvement. However, it can also lead to certain adverse consequences. For example, in some audits, a fine may be imposed on the party that is in violation, the party may be required to make an additional payment, and the violation may result in reputational damage.

In this white paper, various types of audits will be explained. Since audits can have a major impact on the party being audited, it is essential to know when and under what conditions an audit may be conducted. This white paper specifically focuses on these requirements, which will hereafter be referred to as “admissibility requirements.”

Internal audit
An internal audit is a systematic and independent examination within an organization, commissioned by that same organization. The audit is carried out by an entity within the organization or by individuals hired externally on behalf of senior management. The purpose is to verify whether processes, systems, and activities comply with internal guidelines, external laws and regulations, and established quality or performance objectives. It is therefore important that the auditing party is part of the organization it audits. In large (international) organizations, this entity may comprise an entire department. In medium-sized or small organizations, it is more often a few individuals who independently conduct the audit.

An internal audit can serve several purposes:
  1. To check compliance with internal procedures, internal policies, and legislation;
  2. To identify areas for improvement by detecting risks and inefficiencies;
  3. To identify and help control business risks;
  4. To prepare for external audits, such as ISO certification, financial audits, or regulatory inspections.
It is important that the audit be objective, systematic, and evidence-based. Auditors must therefore be independent and conduct the audit according to a fixed plan, with checklists and audit criteria. The findings must be based on facts, observations, and documentation. An internal audit is mainly intended to make processes stronger and safer.

An internal audit may usually take place unexpectedly, as many companies specify in their policies that internal audits are part of regular business operations. Of course, this depends on internal rules and agreements, meaning that several admissibility requirements must be met:
  • The purpose and scope (delimitation) must be clear to all involved so that an employee knows whether the audit relates to their work.
  • Privacy legislation must be complied with. Therefore, only essential personal data may be collected and processed, in accordance with the General Data Protection Regulation (GDPR).
  • The information collected during the audit may not be misused. Think, for example, of (disguised) disciplinary consequences such as revoking secondary employment benefits or a demotion.
  • Organizations often include in their policy a timeframe stating, for instance, that a department may only be audited once every three years.
  • Furthermore, it is necessary that the audit does not interrupt the organization’s core business operations. It must not cause operational issues.
Whether or not an internal audit is announced can vary each time. Often, an internal audit is announced so that those involved can prepare and, for example, gather documentation in advance. However, if the auditing entity wishes to observe how processes operate in practice, it will more likely perform an unannounced audit. Naturally, the aforementioned admissibility requirements still apply.

External audit
An external audit is a systematic and independent examination conducted at an organization by an entity or person outside the organization. The aim is to assess whether the audited organization complies with established standards, laws and regulations, and contractual requirements. This may involve a formal assessment that can result in obtaining a specific certificate, permit, or official opinion.

Here too, it is important that the audit be objective, systematic, and evidence-based. The external party must be independent, such as a certifying body, accountant, or supervisory authority. This independence is stricter than in the case of an internal audit: the auditor may have no interest whatsoever in the organization being audited. Since the findings of an external audit often result in a formal outcome, such as a report, statement, or certificate, it is crucial that the audit be conducted systematically and based on evidence.

Unlike an internal audit, an external audit may not take place unexpectedly. Since it involves an assessment by an external party, there must always be legal obligations or prior agreements to justify the audit. Broadly speaking, an external audit may take place in the following two situations:
  1. Statutory obligation for medium-sized and large enterprises, such as a financial statement audit by an accountant or an audit by a supervisory authority (government or regulatory audit).
  2. Voluntary contractual agreement between the audited organization in its role as the purchaser of a product or service and the auditing party in its role as the supplier of that product or service (supplier audit). This also includes certification cases such as ISO, VCA, and FSC, which require that the certified organization periodically undergo an external audit by an accredited certification body to maintain its certification.

Governmental or supervisory audit
First, consider the situation in which the audit is conducted by a governmental or supervisory authority. Such audits vary greatly in terms of focus areas. Common audits include:
  • Financial and tax audits: for example, the Dutch Tax and Customs Administration conducting a books audit, VAT check, or payroll tax inspection.
  • Labour and social legislation audits: the Inspectorate for Social Affairs and Employment may check working conditions, working hours, minimum wage compliance, and the employment of foreign workers. The Employee Insurance Agency (UWV) may verify compliance with social security legislation, such as the rules on (wage cost) subsidies.
  • Audits on product and service quality and safety: for example, food and product safety supervision by the Netherlands Food and Consumer Product Safety Authority. This also includes audits on transport safety, environmental regulations, and waste management by the Human Environment and Transport Inspectorate.
  • Audits in healthcare and youth care: this includes inspections and audits in hospitals, nursing homes, youth care institutions, and pharmaceutical companies by the Health and Youth Care Inspectorate.
  • Audits related to information security and privacy: the Dutch Data Protection Authority (AP) may check compliance with the GDPR, which can lead to further investigations, fines, and enhanced supervision.
  • Audits in education and science: for example, audits by the Education Inspectorate, which monitors the quality of educational institutions. This also includes NWO and RVO audits for grant applications related to research and innovation projects.
  • Sector-specific audits: De Nederlandsche Bank and the Authority for the Financial Markets supervise financial institutions, banks, insurers, and pension funds. Local supervision by the Land Registry and municipal authorities may occur in the context of building and environmental permits.
However diverse the above audits may be, they all have one thing in common: they must meet several admissibility requirements before they can be conducted.

First, a governmental or supervisory audit must have a legal basis. The supervisory body must have statutory authority to perform the audit. Such powers can be found, for example, in the General Tax Act (AWR), the Working Conditions Act, the Commodities Act, and the General Administrative Law Act (Awb).

Second, only designated officials may carry out the audits, and they must identify themselves and indicate which governmental or supervisory body they represent. For instance, an inspector from the Netherlands Food and Consumer Product Safety Authority may not conduct a VAT inspection; that authority lies with the Tax Administration.

Third, there must be purpose limitation. This means that an audit may only be conducted for the purpose laid down in the law. Suppose the Health and Youth Care Inspectorate conducts an audit on hygiene measures in a hospital — it may not suddenly also check how patient data is processed and stored.

Fourth, the principles of proportionality and subsidiarity must be met. These mean that the least intrusive effective method must be chosen to achieve the purpose and that no more is done than necessary to achieve it. For example, documents should be requested before a physical inspection takes place.

Fifth, the auditor must act carefully and transparently from the moment the audit is announced. This means clearly explaining the purpose and scope of the audit, specifying which information is requested and why, and explaining how findings will be recorded. The report of findings must be shared with the audited organization. If the organization questions the auditor’s authority, the auditor must provide information about its legal basis and powers.

During a supervisory audit, just as with an internal audit, personal data must be handled with great care. Organizations also have the right to provide corrections or explanations of findings at the end of the audit. Sometimes they have the right to appeal or lodge objections against decisions, for example in the case of imposed sanctions.

Supplier audit
The second situation is when the audit is conducted by a supplier of the audited organization. This situation lies between an internal audit and an external audit by government regulators. The audit is conducted by an external party but with the consent of the audited organization. This consent is contained in the first admissibility requirement: there must be a contractual agreement between the audited organization as the purchaser of a product or service and the party conducting the audit as the supplier of that product or service. This is also known as the audit right or right-to-audit.

An example of this is when an organization purchases software licenses from a software supplier. The supplier may include in the contract—possibly via its general terms and conditions—a clause granting the right to conduct an audit at the purchaser’s premises. The aim is to verify that the licenses are not being used unlawfully—in other words, that they are used according to the contract terms.

Suppose an organization purchases annual licenses for a software program. The software supplier may stipulate that after some time, it has the right to verify that the licenses are being used correctly—for example, that a unique license may only be installed on one piece of hardware, such as a computer, or that a unique license may only be linked to one employee account. If a customer installs a unique license on multiple computers or links it to multiple accounts contrary to the contract terms, the supplier may take measures through an audit. This could include retroactively invoicing for the number of licenses actually used over the past years, possibly followed by a contractual penalty for breaching the contract.

Since the financial consequences can be significant, it is important that the contract includes clear and fair provisions. However, contractual freedom in the Netherlands means that no uniform admissibility requirements exist for voluntary, contract-based audits. Parties are free to agree on the conditions under which an audit may take place, unless prohibited by law.

Nevertheless, the admissibility requirements previously mentioned for internal audits and external governmental audits are often applied in practice to make an audit workable for both parties. A common second admissibility requirement is that the scope and purpose of the audit must be clearly defined. The audit must be limited to the products or services the supplier has provided to the customer, with the purpose of verifying that they are used in accordance with the agreed terms.

A third common admissibility requirement is that the number of audits is often limited—e.g., to once per year—and that the audit is completed within a reasonable period. The idea is to minimize disruption to the audited organization’s operations.

A fourth and final common admissibility requirement is that the auditing party must announce the audit in advance, for example one month beforehand. Unannounced audits may also be permitted, but only if this is explicitly stated in the contract—for example, in the event of a serious security incident.

Conclusion
All in all, there are both internal and external audits, with external audits being divided into mandatory and voluntary audits. For all audits, certain requirements must be met before they may be conducted. These admissibility requirements vary but largely overlap for both internal and external audits. However, an external audit is generally less readily permissible than an internal one. Because audits can have far-reaching consequences, it is wise to verify the legitimacy of an audit in advance. It is also important to continuously monitor the independence and diligence of the auditor and to verify how the findings in the final report were established.