The Value of Auditing Your Organization’s Internal Processes

With 2018 in full swing, we think it is an opportune time to discuss the value of auditing not only your internal policies but also the processes to execute or enforce those policies. A new year is not the only reason for a fresh look at your organization’s processes. 2017 ended with a crazy number of high-profile sexual harassment allegations hitting high-level individuals in Hollywood, politics, and the media. Most allegations like this involve organizations that have policies, but have inadequate processes to make sure the policies get applied. While these high-profile cases may get more attention, they are sadly not uncommon across the board. Organizations, large and small, may have vulnerabilities when it comes to sexual harassment and similar issues, such as various forms of discrimination or standard employment procedures.


This post discusses the value of auditing your organization’s internal processes, specifically those—like an anti-harassment policy—that are in place to comply with laws and prevent lawsuits in the most effective way—by preventing bad behavior.

What is a Process Audit?

A process audit is a thoughtful way to evaluate the effectiveness of both your internal policies and the mechanisms for putting those policies into practice. An audit reviews the policy to make sure it is working, and can suggest strategic changes based on analyzing how things have actually worked (or not worked) in the past.

Why Conduct a Process Audit? 

Ensuring that your policies are actually functioning as they should is an important part of good risk management. By conducting an audit of your processes as well as the actual policies, you can see where the weak spots are in both and implement corrective measures. Or you can potentially discover ways to improve the process to make it simpler and easier to understand, and therefore, more likely to be followed. Finally, by conducting a process audit, you send a signal that your policies and processes are actually an important part of your organizational culture, which may in turn help to raise problems to the surface, where you can deal with them.

An audit is particularly useful for policies that are in place to protect the organization and its employees. For example, religious organizations that work with children often have a child safety policy that helps keep children safe, as well as ensures that the organization takes prompt corrective action if there is inappropriate behavior alleged. 

The same is true of anti-harassment policies. For sexual harassment in particular, having a mechanism in place to allow for complaints to be made and investigated can, when properly implemented, create a defense to a lawsuit against the organization. This gives an additional reason to make sure those processes work well and set the organization up for success. The additional impact is that by having a more effective process, harassment in the organization can hopefully be prevented, or at minimum, identified and swiftly corrected.

Considerations in Conducting a Process Audit 

So if you are convinced that a process audit is a good idea—how should you go about doing one? Here are some considerations. 

First, approach your audit on a process by process basis. Focus on those processes that are more comprehensive, and also those that have the potential to lead to a lawsuit if not done correctly. For businesses, this might include the anti-discrimination/anti-harassment policies, the policy on disability accommodations, or a general whistleblower policy. Religious organizations may also have those policies, as well as a child safety policy, that they want to evaluate. If policies share a reporting/complaint process—for example, there is one person designed to take complaints about sexual harassment and racial discrimination—then those can potentially be evaluated together. However, be sure to address all points in the process.

Next, consider who should be involved in conducting the audit. Commonly, this can be someone experienced from HR, who has enough seniority to be taken seriously. There can also be benefits to having a lawyer involved in the process. With an attorney, conducting an evaluation of process can potentially be set up to provide privilege to your audit and analysis. This can be important when there is the potential to uncover weak spots or discover that your process has not been legally compliant. While an attorney does not necessarily need to conduct the entire process personally, legal supervision of the team for the internal review is a good idea for particularly sensitive audits. The purpose of having a lawyer involved is to evaluate the policy and process to ensure that it is legally compliant, and to allow the lawyer to give the client legal advice on how to improve the process. If you are confident that your processes are already legally compliant and fairly up-to-date, legal involvement could be limited to a briefer review of your policies or processes for any needed changes.

Now comes the meat of the issue—what should you be looking for? Here is a high-level overview of the types of inquiries you should be doing when conducting a process audit, using a sexual harassment policy as an example.

1. Review the policy. Does the policy cover all legal requirements in light of new laws, regulations, or cases? Is it clear and explained in a way that everyone can understand and follow? Oftentimes, after a policy has been in place for a while, it is easier to evaluate how it is actually working in practice than it was at the beginning. The audit team can discuss this. Use this practical experience to review the policy, and consult experts where needed. Another common problem is policies or processes that contradict each other, so look at each policy or process in terms of all the others.

2. Evaluate the complaint mechanism. Does the procedure you’ve laid out for making complaints work? Does your policy give people the ability to make complaints to multiple people, or report by email v. in person? Do managers know what to do if they are given a report? Is the chain of command/responsibility clear? Is there widespread understanding of the policy and how it applies? Again, use your experience to decide whether the complaint reporting procedure is working or needs improvement.

3. Review complaints that have been made over the last year to identify any issues, trends, or points of focus for improvement. Are there any repeat offenders? Do certain fields or departments have more complaints than others? How were the complaints resolved? If any trends emerge, consider conducting targeted follow-up, training, or investigation. Or consider improving the process on how to make a complaint.

4. Consider asking for employee feedback for how the process can be improved. Employee feedback can be extremely useful when determining whether a process needs improvement or is working well. However, affirmatively requesting this information may result in issues being raised that could lead to liability for the organization and this information might be discoverable in the event of a lawsuit. Before doing any active investigating, it is important to seek legal counsel to evaluate the possible risks. 

5. Strategize on how to improve the process and implement any updates. Once you’ve gathered the data, analyzed it, and come to some conclusions, it is important to take a step back and strategize about how to most effectively implement any changes. Get leadership involved. 

A process audit is a great way to be sure that you are living up to your aspirational policy goals in practice. By taking a thoughtful look at how things are working, the organization can address issues strategically—and hopefully before you have a crisis on your hands.


Because of the generality of the information on this site, it may not apply to a given place, time, or set of facts. It is not intended to be legal advice, and should not be acted upon without specific legal advice based on particular situations