9.2 Internal Audit: Why Perform Internal Audits?
9.2 Internal Audit: Why Perform Internal Audits?
9.2 Internal Audit: Why Perform Internal Audits?
9.2 Internal Audit 8.2.2 Internal Audit This requirement is unchanged from the requirements of ISO 9001:2008 Clause
8.2.2 – Internal Audit.
Your internal audits demonstrate compliance with your ‘planned arrangements’, e.g. the QMS and how
its processes are implemented and maintained.
Your organization will likely conduct internal audits for one or more of the following reasons:
1. Ensuring compliance to the requirements of internal, international and industry standards &
regulations, and customer requirements
2. To determine the effectiveness of the implemented system in meeting specified objectives
(quality, environmental, financial)
3. To explore opportunities for improvement
4. To meet statutory and regulatory requirements
5. To provide feedback to Top management
Looking for an Internal Audit Checklist?
Please click here to find ISO checklists that are proven to work.
Adherence to the following principles are considered to be a prerequisite for ensuring that the
conclusions derived from the audit are accurate, objective and sufficient. It also allows auditors
working independently from one another to reach similar conclusions when auditing in similar
circumstances.
Selection of Auditors
Competence level may be measured by training, participation in previous audits and experience in
conducting audits. Auditors may be external or internal personnel; however, they should be in a
position to be impartial and objective.
When internal personnel are selected to perform an audit, a mechanism needs to be established to
ensure objectivity, for instance, a representative from another department may be selected to do the
audit.
Audits are demanding and require various forms of expertise. The size of the audit team will vary
pending the size of the organization, size and type of operations and the scope of the audit.
Before the audit, prepare thoroughly! Spending time in preparation will make you much more effective
during the audit - you will become a better auditor. Auditors should not skip this step as it provides
much needed value to the audit. Taking the time to prepare and organize actually saves time during
the audit.
You should have an up-to-date audit schedule and a well defined audit plan for each process. Be sure
to communicate the audit schedule to all parties involved as well as to top management as this will
help reinforce your mandate.
Gather together all the relevant documented information that relates to the process you will be
auditing. Look at process metrics, work instructions, turtle diagrams, process maps and flowcharts,
etc. If applicable, collect and review any control plans and failure mode effects analysis work sheets
too. Review these thoroughly and highlight the aspects that you plan to audit. Using the documented
information in this way ensures they become audit records.
Your organization’s documented information may not cover all of the requirements that may be
relevant to the process. If certain information is not available, it may become your first audit finding,
not bad for the pre-audit review!
Certain information and linkages should be audited. Some are required and some are simply good
audit practice. Putting these sections into a worksheet format gives auditors a guide to follow, to
ensure the relevant links are audited.
Good auditors realise very early on that they are dealing with personalities as much as processes and
systems. Whilst the intent of the audit a serious one, often light humour, politeness and diplomacy are
the best ways to build rapport. It is vital every effort is made to reassure those being audited that the
audit’s primary function is to drive improvement, not to name and shame.
If you are new to auditing, acknowledge this fact, be open and honest. It is also important to explain
to the auditees that they are free to express their views during the audit. Remember that you, the
auditor, are also there to learn.
Always discuss the issues you have identified with the auditees and always provide guidance on what
is expected in terms rectifying any non-conformances or closing out observations you raised. Let the
auditees know they are welcome to read your notes and findings; the audit is not a secret.
Try not to be drawn into arguments concerning your observations. It is never appropriate to directly
name people in the audit report as this may lead to defensiveness which is ultimately counter
productive.
Source: International Professional Practices Framework (IPPF), The Institute of Internal Auditors
Research Foundation. Florida, USA, January 2011
There are four common methods of internal auditing that may be used to determine compliance:
1. System Audits
2. Process Audits
3. Product Audits
System Audits
The system audits are best undertaken using the internal audit checklist. This type of audit focuses on
the organization’s quality management system as a whole, and compares the planning activities and
broad system requirements to ensure that each clause or requirement has been implemented.
Process Audits
The process audit is an in-depth analysis which verifies that the processes comprising the
management system are performing and producing in accordance with desired outcomes. The process
audit also identifies any opportunities for improvement and possible corrective actions. Process audits
are used to concentrate on any special, vulnerable, new or high-risk processes.
Product Audits
The product audit may be a series of audits, at appropriate stages of design, production and delivery
to verify conformity to any specified product requirements, such as dimensions, functionality,
packaging and labelling, at a defined frequency.
The internal audit checklist is just one of the many tools which are available from the auditor’s toolbox
that helps to ensure each internal audit addresses the necessary requirements. It stands as a
reference point before, during and after the audit process and if developed for a specific audit and
used correctly will provide the following benefits:
The unique knowledge obtained about the status your existing quality management system will be a
key driver of the subsequent implementation approach. Armed with this knowledge, it allows you to
establish accurate budgets, timelines and expectations which are proportional to the state of your
current management system when directly compared to the requirements of the standards.
Your organization may already have in place an ISO 9001:2008 compliant quality management
system or you might be running an uncertified system. If this is the case, you will want to determine
how closely your system conforms to the requirements ISO 9001:2015.
The results of a gap analysis exercise will help to determine the differences, or gaps, between your
existing management system and the new requirements. Not only will the analysis template help you
to identify the gaps, it will also allow you to recommend how those gaps should be filled.
The gap analysis output also provides a valuable baseline for the implementation process as a whole
and for measuring progress. Try to understand each business process in the context of each of the
requirements by comparing different activities and processes with what the standard requires. At the
end of this activity you will have a list of activities and processes that comply and ones that do not
comply. The latter list now becomes the target of your implementation plan.
These findings and conclusions should be formally documented as part of the summary report. Too
often, the audit report only recites back facts and data the managers already know. The value is in
identifying issues and opportunities they do not know! This summary should be reviewed first with the
lead auditor, then the Process Owner and Management Team. Make final revisions and file the audit
report and all supporting audit materials and notes.
Gather the whole audit package together, in an organized manner. The rest of the work instructions,
flowcharts, notes and relevant papers should be gathered into the audit package as supporting
records. All findings should also be documented on your corrective action forms. The audit summary
and the corrective action forms should be attached to the audit package, which now becomes the
audit record. Only the summary report and corrective actions need be given to the process owner.