Being an ISO 9001-registered company offers numerous benefits, but implementing and maintaining the ISO 9001 quality management system is no small task. An important part of ISO 9001 is the internal audit program, which is a self-check mechanism by which the company periodically verifies that it still meets all ISO 9001 requirements.
Though ISO 9001 internal audits fulfill an important part in keeping the ISO 9001 quality management system alive, many business owners and C-suite executives dread the internal audit process. Some believe that internal auditing just duplicates the work the registrar is supposed to do. Others treat internal auditors like some kind of business police force, hiding essential data and sometimes outright lying just to maintain the illusion of compliance.
However, the truth is that internal audits are not only a necessary task to maintain ISO 9001 registration but a powerful tool for examining the company's own quality management processes in great detail. These audits can improve the effectiveness of the ISO 9001 quality management system and the efficiency of operational processes.
Before examining the ISO 9001 internal audit process in detail, it is worthwhile to mention the other type of ISO 9001 audits, the so-called external audits, and compare them to internal audits. While internal and external audit activities are essentially the same - verifying if the ISO 9001 quality management system is properly implemented - they are performed for different reasons.
External audits are performed by an auditor (or team of auditors) who are appointed by your company's ISO 9001 registrar. The purpose of external audits is to verify that your ISO 9001 quality management system is effectively implemented, which enables your company's registrar to issue the ISO 9001 certificate. External audits are no one-time event; like internal audits, they are conducted in periodic intervals in order to verify if the quality management system continues to be fully implemented. The first external audit is often called "ISO 9001 certification audit" or "ISO 9001 registration audit", while the periodic, external follow-up audits are typically referred to as "surveillance audits".
Internal ISO 9001 audits, on the other hand, are performed internally by the company as a form of self-check mechanism. The internal auditor or audit team are company employees who have been appointed and trained as ISO 9001 auditors as an additional responsibility. Only very large enterprises may have one or more full-time auditors. Some companies (for example, one-person companies), on the other hand, decide to outsource internal audits to a professional auditor or consultant if they don't have personnel that could be appointed as internal auditor given that auditors are not allowed to audit their own work or area of responsibility.
The purpose of internal audits is to assess process conformity, evaluate performance, and identify processes that require improvement as a mechanism to ensure that the ISO 9001 quality management system remains fully implemented as well as in preparation for external audits.
Prior to your registrar's initial certification audit, you will need to perform one complete internal audit two or three months before the registrar's audit. However, most companies perform more than one internal audit as they utilize the internal audit program to help them implement their quality management system. This process produces audit reports and records of corrective action that show where your organization's weak points are and what your exact plans and targets are to address them. These records are required records that are reviewed during external audits. By the time the registrar performs the external audit, your company should have not only identified weaknesses but also corrected all.
The actual audit process involves two stages:
Document Review: First, auditors check whether procedural documentation meets ISO 9001 requirements.
Process Review: The main part of the audit process consists of checking actual business activities against documentation and looking for discrepancies.
All audits are designed to evaluate if ISO 9001 is effectively implemented. However, auditors cannot assess every single process, employee and document in the company. It is, therefore, important that the auditor uses his or her best judgement in picking a representative sample.
In managing these audits, process owners usually use the Plan-Do-Check-Act model. This lets audit supervisors define, implement, review, and improve the audit program – in that order. This model is one of the instrumental tools of modern quality control.
The actual auditing process is generally straightforward. An internal auditor checks whether procedure documentation adheres to ISO 9001 standards and then verifies that employees follow the procedures in their daily routines.
This step can get more difficult when there is no procedure or work instruction document for the auditor to refer to. While ISO 9001 does not require procedures and work instructions for all processes, it requires such documentation where it adds value to the company. It is important to emphasize that process documentation is for the internal benefit of the company - not for the convenience of the auditor. Companies are neither required nor encouraged to develop procedures and work instructions that fulfill no other purpose than making audits easier on the auditor.
In the absence of process documentation, the auditor will use a combination of employee interview, observation of actual work processes and review of records to establish if the process conforms to ISO 9001 requirements and is effectively implemented; during this process, the auditor also evaluates if procedures and work instructions would be beneficial and, thus, required.
When auditors have to rely more on employee interviews rather than observation of actual work processes, the best approach is to ask each employee the same set of questions and to cross-check their answers for consistency. Have the auditors ask these questions individually, in one-on-one sessions, so that employees cannot influence one another's answers. Ideally, the employees' answers will be consistent. If they are not, the auditor will need to check further to see if the cause of the inconsistency is due to actual inconsistencies in which work is performed, if there is a need for standardization and work instructions or if there is a need for training, if the entire process requires review and improvement, or if there are other factors involved.
Depending on the level of preparation that goes into your audit, it can be a smooth operation that highlights opportunities for improvement, or an unproductive and expensive nuisance. Consider the following tips for streamlining your internal audit and ensuring a painless path to compliance.
One of the first decisions you need to make concerns choosing your internal audit team. These individuals need to be trustworthy and thorough in their investigation. Look for authoritative employees with good people skills and analytical or investigative talents. More auditor requirements are defined in ISO 19011. Be sure to keep records of auditor training, education, skills, and experience.
Importantly, you want to train enough auditors to prevent any individual one from auditing his or her own department. Small companies may have one auditor who audits the entire company except the internal audit function, and another auditor who just audits the audit function. Larger companies require larger and better-coordinated auditing teams, so be sure to delegate responsibilities proportionately.
As with any potentially disruptive business process, you need to be well-prepared for your audit. The larger your organization is, the more complex the ISO 9001 internal audit will be. There are several recommended forms and checklists that will simplify your audit process:
Audit Checklist: The most important tool for internal audits is the audit checklist. Good ISO 9001 audit checklists include every ISO 9001 requirement as well as the overall processes to facilitate process auditing. In preparation of an audit, the lead auditor or audit supervisor customizes the audit checklist by excluding (or crossing out) those sections that are not part of the audit at a particular department. During the audit, the auditor uses the audit checklist to ensure that business processes are checked against all pertinent ISO 9001 requirements and process steps.
Audit Report Form: All audit findings are recorded and the audit report is presented to management of the audited departments for corrective action. Using a standardized format for the audit reports helps the auditor ensure that all required information is documented, as well as present the audit findings in an easy-to-understand way.
Attendance Roster: Internal audits typically start with an opening meeting and end with a closing meeting. Use an attendance roster to keep records of who joined these meetings. Good attendance rosters also include the agenda items of the opening and closing meetings.
The above mentioned forms and checklists are all part of the ISO 9001 Audit Package.
Like every other business process, the internal audit process works best if it is well designed and standardized. As mentioned above, internal audits involve two stages: First, there is the documentation review, in which the auditor verifies that the procedures and work instructions for a particular work process conform to ISO 9001 requirements. Next, there is the process review, in which the auditor directly engages with an employee and seeks answers to the following three fundamental questions:
Can employees describe what they do?
Do employees do what they describe?
Are employees effective at what they do?
These questions cover employee intent, implementation, and effectiveness in business activities. ISO 9000 describes effectiveness as "the extent to which planned activities are realized and planned results are achieved." Be sure to look beyond compliance and determine whether procedures are truly effective at meeting business objectives.
Many auditors make the mistake of privately reviewing internal audit results only with top management or merely sending an audit report. Either approach leaves employees wondering about ISO 9001 nonconformance. A better plan is to hold a closing meeting immediately after completing the audit and organizing audit findings. At a minimum, top management and all managers of the audited departments should join the closing meeting but - space and time permitting - staff could also join.
During this meeting, take care not to focus too intently on processes that didn't hold up to close inspection. Identify and praise departments that performed well in order to reinforce positive feedback to the process; it's important that you don't make internal audits feel like a punishment. In addition, you may use the opportunity to promote a culture of quality by underscoring the benefits and importance of adhering to the ISO 9001 standard.
Another way to make the internal audit experience a constructive one is by gathering auditee feedback. It may be tempting to treat audits like a one-way process, but your auditees' reactions are equally important as your auditors' methods. Whenever possible, try to get that feedback in real-time and use the results to adjust your auditors' approach moving forward. Involving people on every level will ensure a fair and balanced internal audit process.
When business owners ask "What is the ISO 9001 internal audit good for if there are already the external audits of the registrar?", the question is more about maintaining ISO 9001 registration and overlooks some of the most critical benefits of ISO 9001 compliancy.
While being an ISO 9001 certified company does improve your public image, the real gains are internal: Greater customer satisfaction, better decision making, and the cultivation of an engaged, constantly improving workforce are just a few aspects that make the ISO 9001 standard so valuable. An effectively implemented ISO 9001 system also generates a workplace culture of improvement that encourages employees to address problems, increase effectiveness, and improve workflow efficiency.
It is in this context that internal audits add much value. Audits not only ensure that ISO 9001 stays alive at the company, a well-designed and implemented audit process helps employees, process owners and managers improve their areas of responsibility and with it the entire company.
It is a common and persistent myth that internal audits need to show that every process is perfect to begin with. In fact, this idea contradicts the ISO 9001 mandate to constantly improve - a perfect company wouldn't need to improve. Look forward to your internal audit as an opportunity to discover methods for making your business run better and see the benefits follow.