How to go about performing Internal Audits, how often they should be scheduled, and how they fit in with External Audits.
An audit is similar to product inspection and testing - except that in this case the product being inspected is the management system itself.
Like a product inspection, an audit compares how things actually are, to how we think they are and how they ought to be.
Audits help uncover areas that are in need of attention and they can be an opportunity to draw back from the day-to-day details and to take a look at the whole process with fresh eyes. Despite being such a (potentially) positive tool in the management system toolkit, audits often induce the same kind of stress as end of year exams!
Obviously a great deal rides on a successful external audit so some anxiety is expected. However, a good Internal Audit process can reduce the stress, since you can uncover the problems yourself and resolve them before the external auditor begins.
We suggest you enrol in a professional development course before jumping into the role of Auditor. An alternative is to use an external consultant to perform your internal audits for you.
Quality, safety and environmental management standards all require audits to monitor and report on the effectiveness of the management system.
ISO 9001:2015 does not require a documented Internal Audit procedure, although we do recommend you have one. Having outline procedures helps everyone understand the process and exactly how things are managed at your organisation.
You are required to "maintain an audit programme" (i.e., plan and schedule internal audits) and "retain documented information" (i.e., keep records) of the audits conducted and the results.
What does an internal audit process look like?
Each company will have their own particular method, but it will generally follow the same process:
1. Plan your Audit Programme
Internal Audits need to be scheduled at planned intervals to check that the quality system conforms to requirements and that the system is effective. 'Requirements' include the standard itself, as well as the company's own requirements (i.e., its own procedures and policies).
You don't need to audit every process all at one time. The External Audit may be like this, but internal audits can be spread out with different processes audited at different times - a series of 'mini-audits'.
The standard does not set out a required audit frequency. Instead, it recommends that you consider how important the processes are, their risks, their prior history of problems, and also your quality objectives. With a series of 'mini-audits' you can set different audit frequencies for different processes.
If you are implementing a new management system, we recommend that you should have audited all the processes identified in your management system at least once prior to the initial Certification Audit.
2. Work out who will audit
An auditor should be objective and impartial. Usually this means you won't audit processes that you manage / control yourself, so you'll need to have at least two internal auditors trained and available. However, due to lack of resources, or sometimes with the crossover of responsibilities that is common in small businesses, having two impartial auditors may not be possible. In this case, you may need to consider using an external resource.
Large organisations may use a team of auditors.
3. Define the requirements for each audit
The plan already identifies the area you will audit; now you need to define what criteria you will audit against. Sometimes this takes the form of a formal checklist with a pre-determined list of questions. You can also use a copy of the procedure being audited and mark this up with questions and points to verify. You'll need to identify what records should be checked to verify the process.
Any previous findings or issues related to the audit area should also be checked.
Even with pre-defined questions, an auditor will still need to 'follow their nose' if something is not quite right.
You can define the criteria for the audit prior to each audit rather than having to set this up at the planning stage. These requirements (checklists, documents, records, etc.) should be communicated to the auditee some time prior to the actual audit taking place. (Specify the time in your audit procedure - a week is reasonable.)
4. Conduct the audit
An audit usually starts with an opening meeting where the auditor meets the auditee(s) and sets out the expected timetable and how the audit will be conducted.
During the audit, the auditor will work systematically through the checklist or procedure, examining evidence that the process meets the criteria. It's common to mark up the checklist with notes and a quick finding result, e.g., C = compliant, NI = needs improvement, NC = non-conformance.
When recording the audit, it is important to write down exactly what evidence was examined to establish the finding - regardless of the finding. For example, while auditing employee training records, the auditor writes:
(Note that the date is an important part of the evidence).
Usually the auditor will discuss the finding with the auditee before recording it. This is to ensure the finding is understood and to confirm there is actually a problem, e.g. the auditee above may reveal that Joe Bloggs' personnel folder includes a separate safety briefing record with the required signature. This can sometimes negate the finding, or just change it - i.e. the signature is there, but it is not following the procedure. In this example, the consequences of not following the procedure are minor and the audit finding should reflect that.
The audit will finish with a closing meeting where the lead auditor gives an overall summary of the audit and discusses each audit finding to ensure they are understood.
5. Document the Audit findings
An external certification auditor will submit a formal written report on the audit to management several days later and it's common for an internal auditor to do the same. However, there's no requirement in the standard for a formal audit report. You simply need to ensure the findings are recorded and communicated to management. You could just record the findings and their details in your non-conformance form & register (or as an 'Issue' in Toolbox).
You will need to retain records of the audit which will typically include:
- Completed Audit Checklists and/or marked up procedures
- Notes on objective evidence examined, and personnel interviewed
- Audit Findings (cross referenced to your Nonconformance Register)
- Audit Report
6. Take Action on those findings!
Findings raised at both Internal and External Audits need to be addressed with corrective actions.
At the next audit, the auditor will verify that the corrective actions taken were effective in bringing the management system into compliance.
Have a look at how internal audits are managed using Quality Systems Toolbox.
The ISO Standard ISO 19011:2018 covers auditing management systems. It has information on training and experience for auditors, and guidance for how audits should be planned, conducted and recorded.