ISO 9001 Internal Auditing: DO's and DON'Ts


Part of an ongoing series: Practical advice on ISO 9001:2015 Clause 9.2

 The advice here applies to all Management System Standards (MSS) and not just to implementing ISO 9001:2015.

For whatever MSS you need to conduct internal audits, you have two basic approaches to choose from:

Option 1: do the minimum necessary to satisfy the Certification Body (CB) [or Accreditation Board (AB)] Auditors

or

Option 2: take the best advantage of the opportunity the mandatory requirement offers.

You may well ask: Is it really worth my while putting time and effort into internal auditing, especially when I am going to meet resistance at every turn?

Here we’re going to consider both options and then you can decide which is best for your organization.

 Option 1: Do the minimum to satisfy Clause 9.2 requirements

Action: Focus on the basic performance and effectiveness of the management system (MS) from an impartial viewpoint (through choosing impartial internal auditors).
Benefit to the Organization: Satisfies a requirement of Clause 9.2.

Action: Ensure that planned arrangements have been completed, not forgetting to audit processes that do not have procedures associated with them (Clauses 4 and 5 in particular).
Benefit to the Organization: Satisfies a requirement of Clause 9.2.

Action: Ensure that the MS is effectively implemented and maintained.
Benefit to the Organization: Satisfies a requirement of Clause 9.2.

 

With Option 1 you’ll have done a good job.  But at what cost in terms of lost opportunity?

 


 

Option 2: Take full advantage of the opportunity Clause 9.2 presents

Action: (As with Option 1)
Benefit to the Organization: Satisfies a requirement of Clause 9.2.

Action: Develop an audit programme directed towards ensuring the performance and effectiveness of the MS.
Benefit to the Organization: The internal audit becomes part of monitoring the system to check progress towards achieving the Management System Objectives and KPIs chosen, and prompts timely action to ensure that they are going to be successfully met.

Action: Develop an Audit Schedule (as part of the audit programme) to conduct audits throughout the year (e.g. monthly, quarterly, or annually), with a schedule that differs for different areas or processes over the course of a year.
Benefit to the Organization: Audit activity provides an ongoing reminder to colleagues of the importance of the Management System and its contribution to the organization's success. It also reinforces any awareness training or similar provided.

Action: In developing the audit programme, apply a risk-based approach to considering:
  • how critical each process of the MS is to success,
  • how often each process is performed,
  • how mature or how complex the processes are,
  • any recent changes in the process, and
  • the objectives of the audit programme.
Benefit to the Organization: Processes will be audited at a suitable frequency, with important/critical/failure-prone ones being audited most frequently. Early detection of failing processes will save time and money and reinforce the satisfaction of customers and other stakeholders.

Action: Ensure that, in addition to the importance of the processes, the audit programme considers:
  • managerial priorities (e.g. strategic business objectives),
  • performance of the processes,
  • both internal and external changes affecting the organization,
  • results from previous audits and non-conformance history,
  • trends in customer complaints, and
  • statutory and regulatory issues.
Benefit to the Organization: Common sources of noncompliance with both CB and regulatory requirements are addressed, and the possibility of a major non-compliance is significantly reduced (self-preservation, perhaps?).

Action: Plan and conduct audits according to the requirements of your Management System by project or process, rather than by the specific clauses in ISO 9001. Prepare an ISO 9001 Audit Checklist to address requirements not normally directly involved in operational processes (e.g. Parts 4 and 5).
Benefit to the Organization: Auditors find it easier and more natural to follow workflows, material flows and information flows with this approach. Consequently, a more thorough audit is conducted, and significant, disjointed steps in processes, procedures and methods are less likely to be missed.

Action: Have internal auditors professionally trained to include interview, observational, sampling and information review skills.
Benefit to the Organization: With a variety of evidence collection methods in use, the dependability of compliance and noncompliance findings is enhanced, as is management’s confidence in the Management System.

Action: Ensure that, for each internal audit (ISO 9001 or other Standard), the auditors, while interviewing, actively seek out improvement opportunities no matter how minor these may seem.
Benefit to the Organization: Large numbers of incremental improvements and corrections to processes and procedures will result, as well as the occasional major improvement opportunity. Remember that innovative thinking is to be found at all levels and functions within the organization, and often comes from those working with the issues day-in, day-out.

Action: Follow up on findings of good compliance and on the improvement opportunities identified.
Benefit to the Organization: Individual audit reports will consequently be balanced in their reporting of the state of compliance and will help ensure that internal audits are not perceived as ‘witch-hunts’. Instances of good compliance in one area may be an improvement opportunity for another.

Action: In addition to evidence of non-compliance, present evidence of good compliance and of improvement opportunities identified to top management.
Benefit to the Organization: An ISO 9001 Audit Report presented at Management Review meetings that highlights the positives will confirm to management the usefulness of the Management System, and make it easier for you to secure additional resources for your Management System improvement projects.

 

Conclusion

In our opinion Option 1 is 'what not to do' and Option 2 is 'what to do' and, if you are the Audit Programme Manager for your organization, we strongly recommend it to you as part of your ISO 9001 implementation and maintenance.  Yes, it is a lot more work but the results will significantly benefit your organization (and mostly on the ‘bottom line’). It won’t do your career prospects any harm either.


 

Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. He spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
