Compliance assessment, or internal auditing, is a critical component of maintaining compliance with ISO standards. It ensures that an organization’s processes align with established guidelines, identifies areas for improvement, and facilitates effective decision-making. CIMSNEX is ISO compliance software designed to streamline internal auditing and management review processes. This manual provides step-by-step instructions for using the internal audit and management review feature.
- Accessing the Assessment Input Report
  - Navigate to Evaluation from the main menu.
  - Hover on Compliance Assessment.
  - Click on View Statement of Applicability.
  - Review the statement, which contains all clauses of the ISO standard from clause 4 to clause 10 and how they are implemented, and choose which clause statements to assess.
- Scheduling an Assessment
  - Navigate to Operations from the main menu.
  - Hover on Activity Scheduler.
  - Click on Create to schedule the activity by selecting Internal options.
- Conducting the Assessment
  - Navigate to Evaluation from the main menu.
  - Hover on Compliance Assessment.
  - Click View Statement of Applicability.
  - Review documents or reports from links as per the statement.
  - Click the Review button against the clause description to add or update the status of implementation based on the findings: in the Review Purpose dropdown, select Internal Audit, and in the Additional description field specify your findings and also indicate whether

    Implementation Status
    - "INITIAL/ ADHOC": The requirement is in its initial stages, implemented on an ad hoc basis with no formal processes or documentation.
    - "NOT IMPLEMENTED": The requirement has not been implemented, and there is no evidence of its existence within the organization.
    - "PARTIAL IMPLEMENTATION": Parts of the requirement have been implemented, but there are significant gaps or inconsistencies in its application across the organization.
    - "LARGELY IMPLEMENTED": The requirement is implemented in a majority of relevant areas, with consistent processes, documentation, and periodic reviews.
    - "CONSISTENTLY IMPLEMENTED": The requirement is consistently/uniformly applied across relevant areas of the organization, with defined processes and documentation.
    - "FULLY IMPLEMENTED": The requirement is fully implemented across the organization, with well-defined processes, thorough documentation, and continuous monitoring.
    - "OPTIMIZED/MATURE": The requirement is not only fully implemented but also optimized for efficiency and effectiveness. Continuous improvement practices are in place, and the control is regularly reviewed and updated.
    - "NOT APPLICABLE": Denotes clauses that are irrelevant or excluded from the organization's scope.
  - Submit your findings.
- Generating and Accessing the Report
  - Navigate to Evaluation from the main menu.
  - Hover on Compliance Assessment.
  - Click on View Compliance Statement to view the generated audit report.
  - Export the audit report to PDF or Excel as needed.
- Scheduling a Management Review Meeting
  - Navigate to Operations from the main menu.
  - Hover on Activity Scheduler.
  - Click on Create to schedule a management review meeting.
  - Enter details and schedule the meeting to review audit findings and make decisions/action plans for change and improvement.
- Conducting and Closing the Management Review
  - Conduct the review using the Compliance Statement as input.
  - After completion, the management representative will:
    - Navigate to Operations from the main menu.
    - Hover on Activity Scheduler.
    - Click on Verify to verify and close the management review schedule.
- Mapping Corrective Action Requests
  - The internal auditor will map corrective action requests to the closed review schedule.
  - Formally request and plan to address the findings as per the Corrective Action Requests (CAR) user manual.
- Generating and Accessing the Management Review Report
  - Navigate to Operations from the main menu.
  - Hover on Corrective Action.
  - Click on Corrective Action Register and filter to generate the management review report.
  - Export the management review report to PDF or Excel for sharing.
Metrics for Effective Internal Audits
During an internal audit, auditors should consider several metrics beyond the completeness and availability of information or evidence. These additional metrics help ensure a comprehensive evaluation of processes, controls, and overall organizational effectiveness. Key metrics include:
- Accuracy: Ensure that the information and evidence collected are correct and free from errors.
- Relevance: Verify that the evidence is directly related to the audit objectives and criteria.
- Timeliness: Assess whether the information is up-to-date and gathered within an appropriate timeframe to be useful.
- Reliability: Confirm that the sources of information and evidence are credible and dependable.
- Compliance: Check adherence to relevant laws, regulations, policies, and procedures.
- Effectiveness: Evaluate whether the processes and controls in place achieve the desired outcomes and objectives.
- Efficiency: Measure the efficiency of processes, considering the optimal use of resources to achieve objectives.
- Risk Management: Assess how well risks are identified, assessed, and managed within the organization.
- Control Environment: Evaluate the overall control environment, including the tone at the top, governance practices, and ethical culture.
- Documentation Quality: Review the quality and clarity of documentation, ensuring it supports the audit findings and conclusions.
- Segregation of Duties: Verify that roles and responsibilities are appropriately divided to prevent conflicts of interest and reduce the risk of errors or fraud.
- Consistency: Ensure that processes and procedures are applied consistently across the organization.
- Continuous Improvement: Look for evidence of ongoing improvement efforts and how feedback is used to enhance processes and controls.
- Training and Competence: Assess whether employees are adequately trained and competent to perform their roles effectively.
- IT Controls: Evaluate the effectiveness of information technology controls, including cybersecurity measures and data integrity.
- Financial Metrics: Analyze key financial indicators such as budget adherence, cost management, and financial performance.
- Stakeholder Feedback: Consider feedback from stakeholders, including employees, customers, and suppliers, to gauge satisfaction and identify areas for improvement.