9.

2 Internal audit
« Previous | Next »
The guidance shown on this page is relevant to ISO 9001, ISO 14001 and ISO
45001. Your organization should establish an internal audit programme to
cover all requirements of the standards. In addition, you should ensure that
consideration is given to the status and importance of the processes that
comprise the audit programme and the results of previous audits.

If you need a procedure and forms to help your business control its auditing
process, click here. Objective evidence should demonstrate information of
concerning the effective implementation the audit programme, as well as a
sample of audit results. The internal audit process should include the following
activities:
1. The development of a programme of internal audits which can be
revised depending on the results of previous audits and the results
of performance monitoring;
2. The identification, selection and training of internal auditors;
3. The analysis and evaluation of the results of internal audits;
4. The identification of the need for corrective or improvement
measures;
5. The verification of the completion and effectiveness of these
measures;
6. The documentation pertaining to the execution and results of
audits;
7. The communication of the results of audits to the top management.
The internal audit process is part of the continual improvement feedback loop
to evaluate and improve the effectiveness of the management system. It also
highlights where processes and procedures are not addressing risks
adequately and where changes are needed to improve efficiency or
effectiveness. The audit process also serves as a method of compliance
monitoring.

Setting up your internal audit programme

During the early stages of implementing ISO 9001:2015, or any other
management system standard, the internal audit programme often focuses on
ensuring that any compliance issues or nonconformities are discovered and
rectified prior to the Certification Body assessment. However, once your
organization becomes certified, the internal audit programme must evolve.

The focus of the internal audit programme should be re-directed, away from
'clause-based' compliance with standards, to an audit strategy that bases the
audit frequency upon process performance data, feedback from customers,
etc., to ensure that you are focusing on the risks and issues that should be on
Top management's radar.
When designing the audit programme you should ensure that customer
feedback, organizational changes and risks and opportunities are brought into
consideration. You should consider process importance as the degree of direct
impact that process performance has on customer satisfaction; i.e. could the
process provide the customer with a defective product?

You should consider process status in terms of maturity and stability; a more
established, proven process will be audited less frequently than a newly
implemented or recently modified process. Conversely; processes which are
not performing to the planned arrangements should be audited more
frequently.

Support processes should be given a lower ranking than the

manufacturing/service provision processes. In addition, the results of previous
audits should be considered too. Processes that have been audited recently
that have shown effectiveness and improvement should be audited less
frequently. When applying risk-based thinking to select internal audits and
their frequency, consider the following:
1. Processes that are critical to product and service quality;
2. Complex processes that require close monitoring and control to
ensure conformity;
3. Balance across operational and non-operational processes;
 4. Processes that utilize qualified personnel;
5. Activities or processes that occur across multiple locations;
6. Processes impacted by human factors;
7. Introduction of new or changed processes;
8. Changes affecting the organization;
9. Statutory and regulatory issues;
10.Process performance, e.g. process conformity/non-conformity,
escapes to the customer, complaints, previous internal/external
audit results, identified risk (see 6.1 and 8.1).
When designing your internal audit programme you should ensure that
customer feedback, organizational changes, and risks and opportunities have
been brought into consideration. Internal audit programmes that are based on
risk and customer feedback will help your organization to embark upon new
methods of compliance in which risk-based thinking and continual
improvement are the drivers, rather than compliance.

Determining the frequency of internal audits

Deciding the frequency of internal audits will depend on the perceived need
for the audit and the size and complexity of your organization. The frequency
of internal audits should depend on the criticality of each process and the
perceived need to audit it, but all processes should be formally audited at least
once during a 2-year audit cycle.

Critical processes that directly affect process and product conformity, and
customer satisfaction should be audited more frequently, e.g. monthly,
quarterly, or more regularly as required. When determining internal audit
frequency, you should consider the following:
1. The level of risk associated with the activity, policy or procedure;
2. The priority of the specific element of the management system;
3. The results of previous audits; and
4. The significance of problems identified in the areas to be audited.
The basic requirement of the quality management system is that it is audited
at least once per year. If many issues are found during audits, then additional
audits can be undertaken to help get that part of the system working
effectively again as soon as possible.

If some areas are not audited in a given year, then they can be scheduled for
audit the following year and so forth. Some audits are likely to be conducted
on a monthly basis in order to cover all manufacturing processes over the
year. Unscheduled audits may be conducted at any time based upon:
1. Previous audit results;
2. Regulatory inspections;
3. Operational changes (planned or unplanned);
4. Management review concerns;
5. Identified non-conformances.
The frequency of internal audits should be reviewed and, where appropriate,
adjusted based on occurrence of process changes, internal and external
nonconformities, and/or customer complaints. The effectiveness of the audit
programme should be reviewed as a part of management review.
Based on the audit process derived from ISO 9001:2015 and ISO 19011:2018,
our audit checklists, internal audit programme, procedures and report templates
help deliver meaningful results through effective audit planning, performance
and reporting.

Gap analysis audits

The unique knowledge obtained about the status your existing quality
management system will be a key driver of the subsequent implementation
approach. Armed with this knowledge, it allows you to establish accurate
budgets, timelines and expectations which are proportional to the state of
your current management system when directly compared to the
requirements of the standards.

The results of a gap analysis exercise will help to determine the differences, or
gaps, between your existing management system and the requirements of ISO
9001, ISO 14001 or ISO 45001. Not only will the analysis template help you to
identify the gaps, it will also allow you to recommend how those gaps should
be filled.

The gap analysis output also provides a valuable baseline for the
implementation process as a whole and for measuring progress. Try to
understand each business process in the context of each of the requirements
by comparing different activities and processes with what the standard
requires.

At the end of this activity you will have a list of activities and processes that
comply and ones that do not comply. The latter list now becomes the target of
your implementation plan.

Management system audits

Management system audits are commonly referred to as a ‘first-party audit’
and are conducted by an organization to determine compliance to a set of
audit criteria in the form of requirements that arise from standards like ISO
9001, ISO 14001 or ISO 45001, as well as customer, or regulatory
requirements.

The internal audit checklist is just one of the many tools which are available
from the auditor’s toolbox that help ensure your audits address the necessary
requirements. The checklist stands as a reference point before, during and
after the audit, and will provide the following benefits:
1. Ensures the audit is conducted systematically;
2. Promotes audit planning;
3. Ensures a consistent audit approach;
4. Actively supports your organization’s audit process;
5. Provides a repository for notes collected during the audit process;
6. Ensures uniformity in the performance of different auditors;
7. Provides reference to objective evidence.
Before a new audit is started in a particular area, it is important to check the
status of any outstanding issues since the last audit (if any) was performed in
the area. If there are outstanding issues, then they may be carried forward into
the current audit, and the previous audit could then be closed off.
The system audits are best undertaken using and internal audit checklist. This
type of audit focuses on the quality management system as a whole, and
compares the planning activities and broad system requirements to ensure
that each clause or requirement has been implemented.
Process audits
The adoption of the ‘process approach’ is mandated by ISO 9001:2015 and is
one of the most important concepts relating to quality management systems.
Process auditing is about auditing your organization’s processes and their
interactions, which together comprise the quality management system.

The process audit provides assurance that the processes have been
implemented as planned and provides information on the ability of the
process to produce a quality output.

Using the internal audit checklist to undertake a clause-by-clause audit works

very effectively for the initial audits in preparation for implementation, gap
analysis or certification. However, once your management system is
implemented, your organization is expected to develop a process approach to
its auditing programme.

Use the process audit template for conducting an in-depth analysis to verify
that the individual processes comprising the management system are
performing and producing outputs in accordance with the planned outcomes.
The process audit also identifies any opportunities for improvement and
possible corrective actions. Process audits are used to concentrate on any
special, vulnerable, new or high-risk processes.
The process approach is one of the core quality management principles, which
is defined as a ‘consistent and predictable results are achieved more effectively
and efficiently when activities are understood and managed as interrelated
processes that function as a coherent system’.

A process is a set of interrelated activities that transform inputs, such as

materials, customer requirements and labor, via a series of activities into
outputs, such as a finished product or service. Various stages of the process
must meet various applicable clauses of the standard. There are six
characteristics to look out for when auditing a process:
1. Does the process have an owner?
2. Is the process defined?
3. Is the process documented?
4. Are links between other processes established?
5. Are processes and their links monitored?
6. Are records maintained?
As part of the process approach, the process audits must be scheduled
according to the processes defined by your management system. The audit
schedule should not be based on the clauses of the standard, but it should
instead be based upon the importance and criticality of the process itself. The
process approach to auditing should cover three vital stages:
1. Preparing for the audit; (desk review)
2. Auditing the process and its linkages;
3. Preparing the summary and audit report.
An audit of each process should be conducted at planned intervals in order to
determine whether the processes conform to planned arrangements in order
to determine whether the process is properly implemented and maintained
and to provide process performance information to top management.

Effective process auditing requires the auditor to identify and record audit
trails that will make a difference to the organization. The audit should begin
with the process owner in order to understand how the process interacts with
the other process inputs, outputs, suppliers and/or customers.

What are ‘audit criteria’?

We’ve all heard the term ‘audit criteria’ but what exactly does it mean? As
defined in ISO 19011:2018, audit criteria are used as ‘a reference against which
conformity is determined’. It goes on to say that ‘The criteria may include one
or more of the following:
1. Policies, processes and procedures;
 2. Performance criteria including objectives, statutory and regulatory
requirements, management system requirements;
3. Information regarding the context and the risks and opportunities
as determined by the auditee (including relevant external/internal
interested parties’ requirements);
4. Business sector codes of conduct or other planned arrangements.
Basically, all documented information that helps you to prove the consistency
and compliance of your quality management system should be part of the
scope for each individual audit. If you are auditing to verify that the
requirements of ISO 9001, ISO 14001 or ISO 45001 are implemented, then the
standard itself becomes the audit criteria.

If you are going to audit your management system documentation as per ISO
9001, ISO 14001 or ISO 45001, the audit criteria become the standards
themselves, and any relevant quality management system documentation such
as the quality manual, procedures, work instructions, standard operating
procedures, and forms, etc.

If you are going to conduct a product audit against a production control plan,
the audit criteria will be the control plan itself, or relevant parts of it. The same
applies when auditing an operator to see whether they follow the Work
Instruction, the audit criteria is the Work Instruction for that process and any
applicable criteria.

Preparing the internal audit report

A good summary report is the final output of the audit and deserves an
appropriate amount of attention and effort. The audit report is the detail of
what was found during the audit.

It presents an overall summary of the audit findings, as well as any positive

aspects noted during the audit. The audit report must also identify
nonconformities identified during the audit and their associated corrective
actions.

The Internal Auditor should be responsible for finalising the audit report,
which should include:
1. The area and element/procedure/process audited;
2. Audit team composition, audit scope, persons interviewed;
3. Executive summary;
4. Observations and key findings (identified nonconformities);
5. Recommendations;
6. Opportunities for improvement, which are areas that may become
nonconforming in the future;
7. Graphical representation of findings.
On completion of the audit, a closing meeting should be scheduled between
the audit team and the organization or department being audited, to present
the results of the audit and discuss any subsequent steps required to complete
the audit.

Observations may also be recorded for future consideration. The audit report
needs to be signed by the lead auditor and the manager of the relevant
department, and distributed as required to relevant persons. The findings and
conclusions should be formally documented as part of the summary report.
Too often, the audit report only recites back facts and data the managers
already know. The value is in identifying issues and opportunities they do not
know!
This summary should be reviewed first with the lead auditor, then the Process
Owner and Management Team. Make final revisions and file the audit report
and all supporting audit materials and notes.
The audit summary and the corrective action forms should be attached to the
audit report, which now becomes the audit record. Only the summary report
and corrective actions need be given to the Process Owner and a copy of the
audit report should be given to Top management.