9.2 Internal Audit
The guidance shown on this page is relevant to ISO 9001, ISO 14001 and ISO
45001. Your organization should establish an internal audit programme to
cover all requirements of the standards. In addition, you should ensure that
consideration is given to the status and importance of the processes that
comprise the audit programme and the results of previous audits.
Objective evidence should provide information concerning the effective
implementation of the audit programme, as well as a sample of audit results.
The internal audit process should include the following activities:
1. The development of a programme of internal audits which can be
revised depending on the results of previous audits and the results
of performance monitoring;
2. The identification, selection and training of internal auditors;
3. The analysis and evaluation of the results of internal audits;
4. The identification of the need for corrective or improvement
measures;
5. The verification of the completion and effectiveness of these
measures;
6. The documentation pertaining to the execution and results of
audits;
7. The communication of the results of audits to top management.
The internal audit process is part of the continual improvement feedback loop
to evaluate and improve the effectiveness of the management system. It also
highlights where processes and procedures are not addressing risks
adequately and where changes are needed to improve efficiency or
effectiveness. The audit process also serves as a method of compliance
monitoring.
The focus of the internal audit programme should be re-directed, away from
'clause-based' compliance with standards, to an audit strategy that bases the
audit frequency upon process performance data, feedback from customers,
etc., to ensure that you are focusing on the risks and issues that should be on
Top management's radar.
When designing the audit programme you should ensure that customer
feedback, organizational changes and risks and opportunities are brought into
consideration. You should consider process importance as the degree of direct
impact that process performance has on customer satisfaction; i.e. could the
process provide the customer with a defective product?
You should consider process status in terms of maturity and stability; a more
established, proven process will be audited less frequently than a newly
implemented or recently modified process. Conversely, processes which are
not performing to the planned arrangements should be audited more
frequently.
Critical processes that directly affect process and product conformity and
customer satisfaction should be audited more frequently, e.g. monthly,
quarterly, or more regularly as required. When determining internal audit
frequency, you should consider the following:
1. The level of risk associated with the activity, policy or procedure;
2. The priority of the specific element of the management system;
3. The results of previous audits; and
4. The significance of problems identified in the areas to be audited.
The basic requirement of the quality management system is that it is audited
at least once per year. If many issues are found during audits, then additional
audits can be undertaken to help get that part of the system working
effectively again as soon as possible.
If some areas are not audited in a given year, then they can be scheduled for
audit the following year and so forth. Some audits are likely to be conducted
on a monthly basis in order to cover all manufacturing processes over the
year. Unscheduled audits may be conducted at any time based upon:
1. Previous audit results;
2. Regulatory inspections;
3. Operational changes (planned or unplanned);
4. Management review concerns;
5. Identified non-conformances.
The frequency of internal audits should be reviewed and, where appropriate,
adjusted based on occurrence of process changes, internal and external
nonconformities, and/or customer complaints. The effectiveness of the audit
programme should be reviewed as a part of management review.
Based on the audit process derived from ISO 9001:2015 and ISO 19011:2018,
our audit checklists, internal audit programme, procedures and report templates
help deliver meaningful results through effective audit planning, performance
and reporting.
The results of a gap analysis exercise will help to determine the differences, or
gaps, between your existing management system and the requirements of ISO
9001, ISO 14001 or ISO 45001. Not only will the analysis template help you to
identify the gaps, it will also allow you to recommend how those gaps should
be filled.
The gap analysis output also provides a valuable baseline for the
implementation process as a whole and for measuring progress. Try to
understand each business process in the context of each of the requirements
by comparing different activities and processes with what the standard
requires.
At the end of this activity you will have a list of activities and processes that
comply and ones that do not comply. The latter list now becomes the target of
your implementation plan.
The internal audit checklist is just one of the many tools which are available
from the auditor’s toolbox that help ensure your audits address the necessary
requirements. The checklist stands as a reference point before, during and
after the audit, and will provide the following benefits:
1. Ensures the audit is conducted systematically;
2. Promotes audit planning;
3. Ensures a consistent audit approach;
4. Actively supports your organization’s audit process;
5. Provides a repository for notes collected during the audit process;
6. Ensures uniformity in the performance of different auditors;
7. Provides reference to objective evidence.
Before a new audit is started in a particular area, it is important to check the
status of any outstanding issues since the last audit (if any) was performed in
the area. If there are outstanding issues, then they may be carried forward into
the current audit, and the previous audit could then be closed off.
System audits are best undertaken using an internal audit checklist. This
type of audit focuses on the quality management system as a whole, and
compares the planning activities and broad system requirements to ensure
that each clause or requirement has been implemented.
Process audits
The adoption of the ‘process approach’ is mandated by ISO 9001:2015 and is
one of the most important concepts relating to quality management systems.
Process auditing is about auditing your organization’s processes and their
interactions, which together comprise the quality management system.
The process audit provides assurance that the processes have been
implemented as planned and provides information on the ability of the
process to produce a quality output.
Use the process audit template for conducting an in-depth analysis to verify
that the individual processes comprising the management system are
performing and producing outputs in accordance with the planned outcomes.
The process audit also identifies any opportunities for improvement and
possible corrective actions. Process audits are used to concentrate on any
special, vulnerable, new or high-risk processes.
The process approach is one of the core quality management principles, which
is defined as ‘consistent and predictable results are achieved more effectively
and efficiently when activities are understood and managed as interrelated
processes that function as a coherent system’.
Effective process auditing requires the auditor to identify and record audit
trails that will make a difference to the organization. The audit should begin
with the process owner in order to understand how the process interacts with
the other process inputs, outputs, suppliers and/or customers.
If you are going to audit your management system documentation as per ISO
9001, ISO 14001 or ISO 45001, the audit criteria become the standards
themselves, and any relevant quality management system documentation such
as the quality manual, procedures, work instructions, standard operating
procedures, and forms, etc.
If you are going to conduct a product audit against a production control plan,
the audit criteria will be the control plan itself, or relevant parts of it. The same
applies when auditing an operator to see whether they follow the Work
Instruction: the audit criteria are the Work Instruction for that process and any
applicable criteria.
The Internal Auditor should be responsible for finalising the audit report,
which should include:
1. The area and element/procedure/process audited;
2. Audit team composition, audit scope, persons interviewed;
3. Executive summary;
4. Observations and key findings (identified nonconformities);
5. Recommendations;
6. Opportunities for improvement, which are areas that may become
nonconforming in the future;
7. Graphical representation of findings.
On completion of the audit, a closing meeting should be scheduled between
the audit team and the organization or department being audited, to present
the results of the audit and discuss any subsequent steps required to complete
the audit.
Observations may also be recorded for future consideration. The audit report
needs to be signed by the lead auditor and the manager of the relevant
department, and distributed as required to relevant persons. The findings and
conclusions should be formally documented as part of the summary report.
Too often, the audit report only recites back facts and data the managers
already know. The value is in identifying issues and opportunities they do not
know!
This summary should be reviewed first with the lead auditor, then the Process
Owner and Management Team. Make final revisions and file the audit report
and all supporting audit materials and notes.
The audit summary and the corrective action forms should be attached to the
audit report, which now becomes the audit record. Only the summary report
and corrective actions need be given to the Process Owner and a copy of the
audit report should be given to Top management.