08 November 2021

Why bother completing internal audits?

Definition: ISO 9000 define an audit as a systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled or put simply; an audit is a systematic process for gathering factual data that enable an organization to identify areas for improvement within their business cycle.

Lots of organizations only complete internal audits prior to their annual third party assessment audits which are completed by their certification body. Sometimes the audit function is outworked to an independent consultant or it can be performed by a suitably trained employee.

So, why bother completing these audits?

Well the most obvious reason is that internal audits are a requirement to maintain ISO certification. An internal audit must be completed at least once per year and this document record must be presented to the external auditor during the annual assessment audit. Other than certification requirements, there are other equally, or in my view, more important reasons to complete internal audits.

Some examples include the following:

  1. To verify that an organizations documented processes accurately reflect current business practice. By auditing the documented processes, an organization can verify that its processes are operating as planned and are achieving their intended results. Where gaps and risks are identified, mitigation measures can be put in place to ensure effective controls are implemented that will deliver improved business performance.
  2. Comply with legal requirements. Don’t fall foul of government regulations. Non-compliance can lead to expensive fines and insurance claims. For standards including ISO 14001 and ISO 45001, internal audits can check that your system conforms to all statutory and regulatory requirements and compliance commitments.
  3. Risk identification, management, mitigation and improvement. Clause 4 of the ISO 9001: 2015 standard, states that an organization is required to determine its processes and address its risks and opportunities. While there is no requirement under ISO 9001 to document a formal risk management process, the standard requires that risk based thinking is built into an organization’s QMS. Therefor an organization must:
    • Identify its risks and opportunities and plan and implement mitigating measures to address its risks and maximise its opportunities through its operating processes.
    • Have a proactive rather than reactive system for managing risks and opportunities. An internal audit will:
    • Help to verify the control, of existing risks
    • Help to verify the control of existing risks.
    • Identify new risks.
    • Suggest remedial measures to mitigate threats and maximise opportunities.
    • Give assurance that the business risk process is functioning properly and can achieve its intended results.
  4. Protect your staff – ensure your staff are aware of and trained in emergency preparedness and response processes. Section 8.2 of the ISO 14001 and ISO 45001 standards state that ‘An organization shall establish, implement and maintain a process(es) needed to prepare for and respond to potential emergency situations’. An internal will verify that:
    • All potential emergency situations have been identified and assessed.
    • Staff and relevant stakeholders are trained in how to respond to potential emergency situations.
    • Planned emergency responses are documented and where required, communicated to employees, government bodies and visitors.
    • Emergency simulations are have been tested and completed, gaps identified and processes updated and communicated as required.
  5. Assessment of Management Controls. Its important to audit the management control systems that drive the quality management system. These controls including risk management, non-conformity, objective management and leadership are fundamental to the successful implementation of a QMS. A well planned audit will determine if the existing controls have been implemented as planned and are enabling the organisation to achieve its top line objectives and comply with the requirements of their chosen ISO standard.

Once an internal audit has been completed, it should be retained as a an internal audit report. Any issues arising from the audit should be documented within the organisations no-conformance or issue log. In that way the audit outcome is used as a tool for continuous improvement.

You now know why internal audits are important. Auditors require a high degree of training to carry out this function as detailed in the ISO 19011:2018 Guideline for Auditing Management Systems standard.

What are the main steps for completing an internal audit?

I have described a simple audit process below

  1. Develop and maintain an internal audit program that includes the audit frequency, methods, responsibilities and planning requirements.
  2. Auditors should be selected to ensure their objectivity and impartiality of the audit process.
  3. Identify the processes that are to be audited.
  4. Develop the audit schedule.
  5. Communicate with all relevant stakeholder, employees etc. Complete all pre-planning activities – develop the plan. Get buy in from all parties.
  6. Carry out the audits.
  7. Prepare the audit report. Documented information needs to be retained as evidence of implementation of the audit program and to provide evidence of the audit results.
  8. Communicate the audit results to the management team.
  9. Corrective action. If the audit has discovered any areas of non-compliance, the organization will need to ensure they act on the findings promptly. Its important that staff are involved in determining the cause of the problem and taking appropriate action to prevent it happening again.

Further internal audit details can be reviewed for each of the following standards:

What makes a good auditor?

ISO 19011 also talks about the Personal attributes of a good auditor including being:

  1. Ethical, i.e. fair, truthful, honest and discreet.
  2. Open-minded, i.e. willing to consider alternative ideas or points of view.
  3. Observant, i.e. actively observing physical surroundings and activities.
  4. Perceptive, i.e. aware of and able to understand situations.
  5. Versatile, i.e. able to readily adapt to different situations.
  6. A good communicator.

Internal Auditors should also adhere to the following seven auditing principles detailed within ISO 19011:2018 standard. Auditors are mandated to abide by these principles when carrying out their audit functions and providing audit conclusions. Auditing is a profession that is reliant on the integrity of the auditors and their consistent adherence to these auditing principles.

  1. Integrity
  2. Fair Presentation
  3. Due professionalism
  4. Confidentiality
  5. Independence
  6. Evidence based approach
  7. Risk based approach

These principles, when properly implemented, provide the guidance required to successfully manage and conduct audits of ISO management systems.

Use competent people to complete the auditing process.

Suitably trained employees can complete internal audits however the following considerations should be taken into  account before deciding to appoint an employee / team to carry out these activities.

  • Auditors should never audit their own work, which can be difficult in smaller companies.
  • The employee that drafted the process / procedures is the person carrying out the audit. There is an obvious conflict of interest here, therefore you need someone who is independent of the system who can be objective when completing the system audits.
  • Auditor experience / authority- does the employee have the experience to be able to audit senior management within the organization regarding their role within the quality management system.

For the audit program to be successful, it’s important to use the services of competent and qualified auditors to carry out the audit activities. When managed effectively, a well planned and executed audit  can assist an organization to improve its processes thereby becoming more efficient and dynamic in the achievement of its key business objectives.

Paul McDonell