Internal Audit
- What is an internal audit?
- How do companies plan and conduct internal audits?
- What are some common questions about internal audits?
What is an Internal Audit?
An internal audit, also called a first-party audit, is a process by which an organization evaluates its own success and compliance with the requirements of its quality management system. Internal audits also identify the organization’s strengths and weaknesses and facilitate its continual improvement.
Internal audits often help organizations prepare for external audits by second and third parties. Second-party audits are conducted by customers to evaluate their suppliers, and third-party audits are completed by independent groups to determine eligibility for certifications, licenses, awards, citations, or fines.
Though crucial for external audit readiness, internal audits serve a more meaningful purpose. Internal auditing is a continuous and repeating process of quality and effectiveness assessment that guides organizations in the direction of success. Without audits, organizations have no way to discover their shortcomings or address their improvement opportunities.
Audits can be divided into three categories:
- In a process audit, the quality team verifies that a particular process meets all of its requirements and operates as designed and intended.
Organizations can benefit from adding a layered process audit program on top of their existing process audit plans. This special type of process audit is conducted by managers from all levels and departments organization-wide. Layered process audits are narrowly focused on specific areas such as critical measuring equipment or sensitive machinery. They allow for more frequent evaluations and provide personnel with a greater sense of responsibility for the quality of the organization.
- A product audit evaluates the compliance of an organization’s products and services with its quality and other requirements.
- System audits evaluate management systems, such as quality, safety, or environmental management systems. ISO 9001 compliance audits are a type of system audit.
Clause 9.2 of ISO 9001:2015 requires organizations to:
- Create a planned internal audit program that declares audit frequency, methodology, who will conduct the audits, and how to report results
- List and document audit criteria in detail
- Select impartial, unbiased auditors
- Ensure auditors relay audit results to appropriate management
- Take corrective action when problems are found
- Document audit program information and results
Why are internal audits so important? Organizations cannot correct problems or leverage opportunities that they don’t know about. The internal audit is a deliberate process of problem and opportunity discovery that effectively identifies these targets for improvement.
Planning and conducting internal audits
For the sake of both effectiveness and ISO 9001 compliance, audits should be conducted in five stages.
1. Plan the audit schedule. Organizations should audit all of their processes at regular intervals not longer than one year. Consider the relative importance and unique circumstances of each process to decide how often to audit. Audit schedules are an explicit ISO 9001 requirement.
Lead auditors are responsible for planning audit schedules as well as other logistical aspects of auditing, such as choosing teams of internal auditors and issuing audit reports. The lead must choose and prepare competent, impartial auditors. Inexperienced or untrained auditors lack the knowledge to conduct effective audits and should enroll in formal audit training. Likewise, biased auditors may filter and frame audit results to reflect their views rather than hard facts, so they should never audit the departments that they normally work in.
2. Design the audit process. Determine the scope and depth of the audit by considering the audited process’s importance to the organization. A brake pad manufacturer, for example, should devote more time and resources to audits of its testing and safety division than its package design process.
Audit planners should review the process’s requirements and prior audit results to help guide the audit. Though not required by ISO 9001, wise auditors rely on an audit checklist of questions that evaluate compliance with specific requirements.
3. Perform the audit. Auditors should gather data from a diverse range of sources and engage in honest, open dialogue with auditees. Rather than just asking questions, auditors should share their observations with and offer solutions to auditees. Doing so builds trust and encourages auditee cooperation. Auditors also need to thoroughly review all documented information related to the subject of the audit to look for missing or inadequate documentation and to verify that departments are following all procedures.
Direct observation of the process in action is a must as well. Watching processes occur in real-time can reveal opportunities and nonconformities that employees and documentation might overlook.
Remember: internal audits are more than just a means of finding compliance failures. They are also among the most effective tools organizations have for finding and taking advantage of improvement opportunities. Management should foster an objective environment where problems are addressed openly and with assigned responsibility rather than creating an environment where employees are discouraged from pointing out problems.
4. Discuss and document the results. At the conclusion of an internal audit, auditors should discuss their findings with the managers of the audited processes or departments and make them aware of the successes, failures, and improvement opportunities discovered during the audit.
Next, auditors will write up the ISO 9001-required documentation of audit results in the form of an audit report. The standard does not specify the structure the report must take, but a solid report should include:
- A short statement about the audit’s scope, or precisely what the audit is evaluating and why the audit is necessary
- An audit summary containing a brief overview of the organization, the role the audited process or department plays in it, and the strengths and weaknesses uncovered during the audit
- Enumerated lists of the strengths and weaknesses identified by the audit
- A copy of the audit checklist
5. Check back. After the audit is completed and the necessary changes and corrective actions defined, auditors and management should “check in” on the process to make sure that the changes are effective. The follow-up is also an opportunity to evaluate how beneficial the changes were.
Common Internal Audit Questions
Internal auditing is a large and potentially overwhelming topic. As with ISO 9001 as a whole, the relevant requirements leave a lot of room for interpretation, so how can organizations decide what questions they should ask? How can they make sure their auditors are fair, impartial, and competent? What can they do to help internal auditors understand how to evaluate a QMS against the ISO 9001 standard?
Auditors should start by developing their audit questions with a focus on gathering a few specific categories of information:
- Context of the Organization: What are the relevant internal and external issues?
- Interested Parties: Who has a stake in the organization, and what are their demands?
- Risk-based thinking: What are the organization’s unique risks and opportunities, and how will they be addressed?
- Planning of Quality Objectives: Are plans specific? Do they establish implementation procedures and methods for measuring success? Do employees understand their QMS-related responsibilities?
- QMS integration into processes: Auditors should ask the organization’s leadership team how the QMS goes beyond ensuring quality to inform how the management runs the company and dictates its strategy.
- Change management: Auditors need to identify any changes to the QMS or evaluated process and check that they were implemented and function successfully.
- Knowledge capture and use: ISO 9001 compels organizations to record everything learned from both positive and negative experiences and apply that knowledge to the continual improvement of the QMS and the organization as a whole.
ISO 9001 QMS auditors should additionally ask questions that evaluate adherence to the seven management principles at the core of ISO 9001’s approach to quality management. The principles are:
- Customer focus
- Leadership
- Engagement of people
- The process approach
- Improvement
- Evidence-based decision making
- Relationship management
How can auditors maintain impartiality and fairness?
- Choose auditors who are not directly involved with the audited process or department. Organizations are permitted to “outsource” internal auditing to contractors or consultants as well, but they should keep in mind that external auditors are less familiar with the organization’s culture, context, and personnel.
- Encourage the free flow of information between auditors and auditees. Honest, forthcoming auditors can encourage employees to more readily share information, whereas standoffish or secretive auditors breed auditee suspicion and distrust.
How can an organization prevent auditor confusion when its QMS does not mirror ISO 9001’s clause structure?
Documented information mimics the structure of the ISO 9001 standard clause-for-clause, but policies designed to leverage ISO 9001’s flexibility to address unique organizational contexts and circumstances can better promote continual improvement. Unfortunately, such “customized” quality manuals can frustrate auditors by obscuring how each part of the quality manual corresponds to an ISO 9001 requirement. Top management can minimize confusion by providing auditors with documents such as tables or cross-reference matrices that illustrate how each part of their organization’s quality policy corresponds to individual requirements of the standard. This “cross reference” is a very useful document when explaining how an existing quality management system satisfies ISO 9001 and other third-party quality requirements to external, third-party auditors, including those of a notified body/registrar that is providing a quality certification such as ISO 9001.
What is the best way to ensure an effective internal audit program?
Of course, there are countless additional questions that organization managers, personnel, and beginning auditors might ask when faced with this complex topic, and it would be impossible to answer them all here. However, auditors can go a long way toward maximizing the benefits of internal audits by going beyond checking requirement conformance. The most effective audit programs ensure organizations have adequate processes and documentation, meet their objectives, satisfy their customers, and seize improvement opportunities. Organizations that adopt such a robust approach to auditing obtain the greatest benefit from their internal audit programs.