How to
tackle HR
gives his top tips on how to audit a human resources department
No organization department should be immune from an audit of some description and this includes human resources (HR). The HR department is most likely to receive audits from financial auditors confirming the recruitment and departure of staff and their associated salaries and packages, but audits for quality, information security and health and safety management systems are becoming more frequent.
The role of HR is to implement and facilitate effective processes for all people-related activities regarding recruitment, retention and development of staff as well as optimizing business spend. It must also ensure that employees are best placed to deliver business objectives and that the organization is compliant with employment legislation. To achieve this the department must have processes in place to enable:
- recruitment
- reward and remuneration
- management and leadership management
- performance management
- disciplinary action around the capabilities of staff and also grievances
- dismissal
- absence including annual , maternity and paternity leave
- welfare including the wellbeing of staff and their health and safety.
So there is a wide variety of areas and processes for an auditor to assess. Added to this challenge there are also associated issues of confidentiality and data protection around sensitive information that might be held on personnel records. The questions is: what is an auditor going to look for and what is he or she allowed to see?
What the auditor looks for is dependent on the scope of the audit, which may well revolve around a management system standard or other criteria. Whatever the reason for the audit there must be a clearly defined scope agreed by all parties involved before the audit is carried out.
The issues of confidentiality and data protection are less of a problem with external auditors than with internal auditors, where it is highly likely that the auditor may well know the subject of the records being audited. Whatever the situation, it is still possible to still conduct a meaningful and thorough audit.
ISO 9001
Taking ISO 9001 as the standard being audited, there are two possible scenarios. The first is an audit of records to see if competencies have been agreed, implemented and reviewed, together with any additional enhancement of those competencies and whether this has been effective.
The second situation is where the HR department itself has a management system or is part of an overall organizational scope that has been introduced using the requirements of ISO 9001. Clearly this latter scenario will need a much deeper and thorough audit than only looking to see if competencies have been agreed and that staff have had these reviewed and acted on where necessary.
As with any kind of auditing there are two methods of finding out information to judge if the management system is operating effectively. The easiest is to look for records and hard evidence to show compliance. But what happens if the HR department refuses to show you any personal records due to confidentiality? There are two possible ways around this. The first is to go and speak to the person involved on a one-to-one basis about what they do and if their skills have been assessed and if any skill gaps have been filled and monitored for effectiveness. If this is satisfactory why do you need to see hard records except for perhaps auditing the records procedure? This can be easily audited by looking at other records held in the HR department such as records for purchasing training and publications and the hire of agency staff where these are used.
If the HR department uses electronic records and you only want to see the record for competency reviews and training, it may be possible to give the HR department the names of those personnel audited and come back at a later date to view those records when they have been prepared so only the parts you are interested in can be seen.
The HR department is in many ways no different from any other department that is audited, sometimes you just have to be a little more creative on how the audit is approached and carried out.
About the author
John Hele is global project manager at BSI Management Systems. He has overall global responsibility for ISO 9000-related and risk products
