Introduction to Internal Audits
Internal audits within ISO standards such as ISO 9001, ISO 14001 and ISO 45001 have been in place for as long as we can remember. Audits are required within management systems to ensure systems and procedures have adhered.
Many businesses struggle with the internal audit process and do not attend any external training courses, although this may not help in some cases as it all depends on what’s taught as part of the course.
Some basic steps need implementing to have an effective internal audit process which not only meets the ISO standard requirements but also gives benefit to the business.
Internal audits should not be seen as an unnecessary evil and should be carefully planned and considered, don’t be scared of raising issues either, a Certification Body will never frown upon you for raising findings. Some businesses will perform what we call “soft grading”, which is of no benefit to anyone.
And don’t assume that the external audit is doing the same as the internal audit, it’s not. We are taking a small sample on the day, and we can’t cover everything. You should be doing more in-depth audits on a more regular basis and not relying on external certification bodies to catch everything for you.
Internal Audit Programme
There is a difference between an audit programme and an audit plan; an audit programme sets out when audits will take place, and what areas will be covered, an audit plan is a more granular detail showing specific times and processes will be covered. They can also highlight who is performing the audit.
When establishing your audit programme, you need to do some background planning first:
Identify the processes (this should have already been done as part of your management system setup)
Risk assess the processes based on risk to product and service.
Group the processes so you can test the links in between the processes
Establish when is the best time to perform the audits for the availability of personnel. Remember that some processes should be audited more often than others
Risk Assess the Audit Programme
The risk assessment process is often overlooked, businesses tend just to audit every process once a year a month or so before the external audit takes place. The audits should be planned based on the risk of the process on products and services, also consider past performance.
If you have not raised any findings in training and competencies in the last five years and neither has the external assessing body, your staff turnover is low, and you generally do not change the process. Why audit it annually, the same frequency as processes which have caused issues in the past, or gone through changes?
Generally speaking, the elements of the standard within section 8 (sales through to delivery of the product) are your key processes which have the greatest impact on the product or service you are delivering. Greater emphasis is placed on these processes; you may wish to audit them twice a year based on that factor alone.
You also need to consider the issues you have had within the individual processes; maybe you regularly have non-conformances within the purchasing process, you should increase the frequency of audits within purchasing to maybe three a year.
Linking the Processes
Linking the processes is something not considered by many internal audit programmes. An internal audit performed in purchasing, random purchase orders taken, random suppliers will be selected to check they are approved. There is no consideration to what purchase orders were used for material or services seen in use within the production process.
These processes should be linked together as part of your audit programme; the outputs from one process are the inputs to another. The same may be said for all processes within clause section 8, but you may struggle to perform an audit of section 8 in one audit day. Maybe your internal audit can span over two days which would allow most processes to be covered in those two days, if you are a large or complex business then you may need to break the processes down even further.
You may wish to audit by value stream if you have several large product groups, take one product and follow it from start to finish, thereby covering all clause areas but this could be done in a single day usually. In a couple of months, you could audit another value stream and cover the same processes again. By the end of the year you would cover all significant products at least once and each of the processes multiple occasions.
It’s hard to set out a rule that works for everyone as each business is different; you need to choose the most effective process based on your business needs.
Internal Audit Plan
Within the ISO 9001 standard, one of the new requirements is to “define the audit criteria and scope for each audit”. What this means in simple terms is that you need to generate an audit plan for each internal audit you perform.
You should set out what areas you will be auditing and for how long, whom you will need and the scope of the audit.
As many of the requirements in the ISO standards, you can use any media you wish to define your internal audit plan.
Audits need to be performed impartially, and this is any type of audit, including financial audits. Why? Well, simply that sometimes you can’t see the wood for the trees and also you might be more lenient if you are auditing your work.
If you have been performing a task a certain way for years and you audit that process you will be checking that you have been performing that task in that manner. If you are unaware that what you have been doing is incorrect or could be done more effectively, it’s never going to change. Having someone impartial perform the audit of the process is more beneficial. They will not come with any preconceptions, also when someone just asks you why you are doing something a certain way, you question yourself and possibly seek more effective methods.
Don’t be afraid of someone else reviewing what you have done; fresh eyes can bring a wealth of knowledge and clarity. In turn, you can audit that individuals process.
The impartiality element can get tricky in smaller businesses as the employees tend to wear many hats and touch many processes. Question whether an audit would be impartial, do you just perform a small element of that overall process or are you essentially in control of the process? If it is the latter, then you would probably not perform an impartial internal audit.
Another method is to utilise an external consulting business, although this costs you money it can bring great benefit if you select the right consultant. They work with numerous companies, and in many cases, they perform audits for Certification Bodies and can bring a new angle on your processes. Also, think about the money it costs the business to take employees away from their daily duties, is it more cost-effective to pay an external individual to perform an internal audit over losing someone internally for a couple of days?
If neither of those options is viable then the alternative and should be used as a last resort is to have someone independent look over your internal audit record to give an impartial check and question what has been audited. We do not recommend as the norm but is sometimes the last possible method for small businesses.
To read how we maintain our impartiality you can read our FAQ on the subject.
Record the Audit
There are many methods which can be adopted, don’t over complicate things whatever process you choose.
There is nothing wrong with presenting an internal audit using paper and pen on a notepad; there is no prescribed record within any of the standards; you select what is more appropriate for your business.
Some businesses will make a record using pen and paper and then worry about how it looks and type everything up. This method is fine, but not mandatory, if you just have pen and paper notes, then that’s good enough for any auditor.
Checklists are another standard tool but not recommended unless the checklist is process-based and specific to the business. Do not download a checklist off the internet and don’t just copy the clauses from the standard as your checklist questions. Checklists detract from the process-based approach, which is against the standard requirements.
If you must use a checklist, then ensure you have a checklist for each process, based on the process steps. However, the process steps are often highlighted within a process flowchart, so why not just record internal audit notes on a copy of your process map?
Process maps should meet the standard requirements but also highlight what should be done for that process. There is nothing wrong with printing out a current copy of your process map, walking through the process map from start to finish and seeking evidence of conformance against each step and noting the evidence on the process map/flowchart. This method is perfectly acceptable to submit as evidence and can often be more effective than a checklist as these do not change.
Ensure you have a copy of the standard, we know its an extra expense to the business but how do you know what you should be doing to meet the standard requirements if you don’t have a copy of the requirements? Don’t assume that your process map/flowchart meets the needs of the standard fully. You should always check the process map/flowchart against the standard as you are auditing to ensure you are meeting both.
Some businesses have been known to use some mobile apps such as IAuditor; this method is fine, but you should be careful of what checklist is being used. Are you just using one of the standard templates on the system or have you created your own. Simple yes/no boxes do not suffice as there is no objective evidence recorded.
Internal Audit Notes
There is an art to writing audit notes; it takes time to get them right. You need a mixture of process description and objective evidence.
If you are recording your notes on the process map/flowchart, then you are generally covering the requirement for process description as the description is already there. You would only need to record some specific process descriptions for the sample you are reviewing and also some reference to the sample itself.
A description should tell the reader what you saw and what elements you checked, tell a story of the process. The objective evidence is only there as a verification tool which allows the reader to go and check the specific record if they need further information or to clarify something. Your audit record will be read by someone else, in most cases by the process owner, so they need to know what you looked at to verify the information. You do not need to record lots of finite details of the record, just some reference which could be a job number or a purchase order number.
Effectiveness of the Process
One purpose of the internal audit is to verify the effectiveness of the process, is it being performed as required, and does it meet the objectives of the process?
At a minimum, you should do a summary/sentence of the process audit results. Was the process effective or not? Did you raise non-conformances within the process? Are process measures being met?
Key Performance Indicators should be set against each of the processes to determine if they are meeting requirements or not, we won’t go into great detail here, but the KPIs should be in place which addresses the objectives of the process. Supplier on-time delivery and quality are often used to measure purchasing; for example, there is debate whether this is an objective of the process. Still, we won’t go into that here. You can use those performance results as part of your effectiveness evaluation. If you are meeting goals, then you could use this as part of your effectiveness evaluation.
You don’t always have to implement full-blown root cause and corrective actions with internal audit findings, you need to take action to fix the issue but there is a common misconception about needing to implement full root cause analysis.
Soft grading is where you raise observations/opportunities for improvement instead of non-conformances when they are clearly non-conformances. We see this often and it gives no benefit to the system as they don’t need to be corrected, then we come along and raise the same issue as no actions were put in place.
It is very hard for an external auditor to raise the same findings as what you have raised yourself internally unless you have not addressed the non-conformance correctly, implemented actions or have said the issue is closed, and we find it still not working. This is why raising them yourself is more beneficial, don’t be scared, we like to see non-conformances being raised, we know you are not perfect, no one is.
You need to record the non-conformances but it’s up to you where you record them, some businesses use their own non-conformance form used for complaints or internal issues, some will use a simple spreadsheet to log them and show the status of closure. Others will simply record them within the audit notes and show that they have addressed the issues by signing them off.
Choose the method most suitable to your business. All we care about is that they have been raised and closed and you are not getting repeat issues.
You can read more about the differences in the types of non-conformances in our FAQ.
Do not just pay lip service to the internal audit process; properly implemented internal audits can add great value to any management system. They are there to monitor your processes and conformance and also identify areas for improvement.
Invest time and possibly money into the activity with a focus on gaining benefit.