31 May 2021
The internal audit program is a self-check mechanism which organizations use to periodically verify they meet ISO 9001 requirements. ISO internal auditing is required by the standard. But audits are not only necessary to maintain ISO registration, they're also a powerful tool for improving the effectiveness of the quality management system (QMS) and the efficiency of operational processes.
In this article, we'll explain what ISO 9001 internal audits are, how to benefit from them, and what you need to do to ensure compliance.
Before examining the internal audit process, it's worth comparing internal audits to external audits. While internal and external audit activities are usually the same, they are performed for different reasons and often have a different scope.
External audits are undertaken by a third party – usually an auditor or team of auditors appointed by your company's registrar. They could also be conducted by a customer or other interested party. These types of external audits are often more limited in scope and focus on particular aspects of your quality system.
Internal audits, on the other hand, are performed in-house as a self-check mechanism at periodic intervals. The internal auditor or audit team are company employees who've been appointed and trained as ISO 9001 auditors, usually as an additional responsibility.
The purpose of internal audits is to:
Assess process conformity
Identify processes that require improvement in order to ensure the QMS remains fully implemented
Prepare for external audits
The audit process involves the Document Review, which is where auditors check whether documentation meets ISO 9001 requirements, and the Process Review, which consists of checking actual business activities against documentation and looking for discrepancies.
ISO 9001 internal audits apply the Process Approach, which means that the auditor reviews a sequence of work activities rather than picking an ISO requirement and checking if the requirement is correctly implemented. Essentially, the ISO auditor would observe an activity, ask the operator questions, and request to view related documents and records. It's common practice for the internal auditor to cross-check what was said and verify records in other departments, for example, training records in the HR department. Auditors can't assess every single process, employee and document in the company, so it's important they exercise judgement in picking a representative sample.
The actual auditing process is generally straightforward. An internal auditor checks whether procedures and other documentation adhere to ISO 9001 requirements and then verifies that employees follow the procedures in their daily routines.
This can get difficult, though, when there is no procedure or work instruction document for the auditor to refer to. While ISO 9001 does not require procedures and work instructions for all processes, it does require such documentation where it adds value to the company. It is important to emphasize that process documentation is for the internal benefit of the company – not for the convenience of the auditor. Companies are neither required nor encouraged to develop procedures and work instructions that assist auditors.
In the absence of process documentation, the auditor will use a combination of employee interviews, observation of actual work processes and review of records to determine if the process conforms to ISO 9001 requirements and is effectively implemented. During this process, the auditor also evaluates if procedures and work instructions would be beneficial and, therefore, required.
When auditors have to rely more on employee interviews than observation of actual work processes, the best approach is to ask each employee the same set of questions and cross-check their answers for consistency. If these answers aren't consistent, the auditor will need to check further to see if this is due to actual inconsistencies in the way work is performed, if there is a need for standardization and work instructions, if there is a need for training, if the entire process requires review and improvement, or if there are other factors involved.
You will need to perform at least one internal audit two or three months prior to the certification audit. This will produce audit reports and records of corrective action that show where your organization's weak points are (i.e., nonconformities) and your plans to address them. These records are mandatory and are reviewed during external audits. By the time your certification audit is conducted, you should have taken all corrective action necessary to eradicate nonconformities.
Depending on the level of preparation that goes into your audit, it can be a smooth operation that highlights opportunities for improvement, or an unproductive and expensive nuisance. Consider the following tips for streamlining your internal audits and ensuring a stress-free path to compliance.
One of the first tasks is to choose your internal audit team and provide training in both the ISO 9001 standard and auditing techniques. Look for authoritative, trustworthy employees with good people skills and analytical or investigative talents. Additional required auditor qualifications are defined in ISO 19011. You should be able to demonstrate how internal auditor qualifications are met, so be sure to keep records of auditor training, education, skills, and experience.
Importantly, you need to train enough auditors to prevent individuals from auditing their own department. Small businesses may have one auditor who audits the entire company except the internal audit function, and another auditor who just audits the audit function.
Audit forms and checklists are used to simplify your internal audit process. The following two documents are particularly useful:
The most important tool for internal audits is the audit checklist. It includes every ISO 9001 requirement as well as the overall processes to facilitate process auditing. In preparation for an audit, the lead auditor or audit supervisor customizes the audit checklist by excluding sections that are not part of the audit at a particular department; specific audit questions can also be added based on a review of process documentation or experience in prior audits. During the audit, the auditor uses the checklist to ensure that business processes are checked against all pertinent ISO 9001 requirements and process steps.
Audit Report Form
All audit findings are recorded and the audit report is presented to management of the audited departments for corrective action. Using a standardized format for the audit reports helps the auditor ensure that all required information is documented, as well as present the audit findings in an easy-to-understand way.
Note that the mentioned internal audit forms and checklists are included in our ISO 9001 Audit Toolkit.
Like every other business process, the internal audit process works best if it's well designed and standardized. As mentioned above, internal audits involve two stages: the documentation review and the process review. During the process review the auditor seeks answers to three questions:
Can employees describe what they do?
Do employees do what they describe?
Are employees effective at what they do?
These questions cover employee intent, implementation, and effectiveness in business activities. ISO 9000 describes effectiveness as "the extent to which planned activities are realized and planned results are achieved." Be sure to look beyond compliance and determine whether procedures are truly effective at meeting business objectives.
Many auditors make the mistake of privately reviewing internal audit results only with top management or merely sending an audit report. Both approaches leave employees wondering about ISO 9001 nonconformance. A better plan is to hold a closing meeting immediately after completing the audit and organizing its findings. Top management and managers of the audited departments should join the meeting, but staff could also participate.
During the meeting, don't focus too much on processes that didn't hold up to close inspection. Instead, reinforce positive feedback by identifying and praising departments that performed well. Never give staff the feeling that internal audits are a kind of punishment. In addition, use the meeting as an opportunity to promote the benefits and importance of ISO 9001.
Another way to improve the internal audit experience is by gathering auditee feedback. It may be tempting to treat audits like a one-way process, but your auditees' reactions are as important as your auditors' methods. Whenever possible, try to get this feedback in real-time and use the results to adjust your auditors' approach. Involving people on every level will ensure a fair and balanced internal audit process.
The internal audit program can be an immensely powerful tool that not only ensures your company achieves and retains ISO 9001 certification, but also helps employees, process owners and managers improve their areas of responsibility.
There's a common and persistent myth that internal audits need to show that every process is perfect to begin with. This is obviously not true and does in fact contradict one of the core tenets of ISO 9001 – continuous improvement. Our advice is simple: treat your internal audits with the respect they deserve, and use them as opportunities to discover ways of improving your company's operations and enjoying the rewards of ISO 9001.
Start by giving your internal auditors good training.
Last but not least, there are companies that are either too busy and just not interested in setting up their own internal audit program, or too small to fully benefit from it. If that's your company, consider outsourcing your internal audit program to an experienced lead auditor.