How to do an Internal Audit
Firstly auditing is not a new technique and has been used in various guises for many years, especially for financial purposes. Quality auditing has also been performed for some time but has perhaps changed a little in recent years in terms of the objectives of performing the audits and also the use of the information gathered during the audit.
Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organisation itself for management purposes and can form the basis for an organisation’s self-declaration of conformity.
Perhaps the first question to ask is “why should we perform internal audits?” The most obvious answer to this question is that ISO 9001:2015 clause 9.2 says we shall conduct audits; it is not an option if we wish to comply with the standard. Internal audits are a key management tool for evaluation of conformance of the management system to the standard.
To understand what is required with regards to internal auditing, we first need to take a look at that particular clause in ISO 9001:2015, which is:
9.2: Internal audit
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
1. Conforms to:
- The organization’s own requirements for its quality management system
- The requirements of the international standard
2. Is effectively implemented and maintained
9.2.2 The organization shall:
1. Plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits
2. Define the audit criteria and scope for each audit
3. Select auditors and conduct audits to ensure objectivity and impartiality of the audit process
4. Ensure that the results of the audits are reported to relevant management
5. Take appropriate correction and corrective actions without undue delay
6. Retain documented evidence of the implementation of the audit programme and the audit results
How does this relate to the context of an organization’s quality management system?
Audit criteria are used as the reference for determining conformity; they effectively describe what should be achieved for any given process or activity. The criteria to be audited against will be set by the process owner of the internal audit programme (normally the Quality Manager) and agreed with the auditor and the departments concerned.
What are the key definitions?
- Shall: indicates a requirement
- Requirement: need or expectation that is stated, generally implied or obligatory
- Audit: a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
- Nonconformity: non-fulfilment of a requirement
- Corrective action: action taken to eliminate the cause of a nonconformity and to prevent recurrence
- Effectiveness: extent to which the planned activities are realised and the planned results achieved
- Competence: ability to apply knowledge and skills to achieve intended results
- Process: set of interrelated or interacting activities which transforms inputs into outputs
The process approach involves the systematic definition and management of processes, and their interactions, so far as to achieve the intended results in accordance with the policies and strategic direction of the organization.
How to define the internal audit process
A process may be defined as an activity which uses resources to take an input and convert it to an output. The input may be a sales enquiry which the sales department processes and converts into a works order. There would then be further processes which the organisation performs until the ultimate delivery is achieved.
ISO 9001 requires an organisation to have a management system which reflects its processes. The system must satisfy the requirements of the standard but should be based around the requirements of the organisation as a priority, not simply to reflect the standard.
To give priority only to satisfying the standard inevitably leads to a management system which does not help the organisation, indeed, it would often hinder them. The whole purpose is to create a system which helps to manage the way in which the organisation operates.
In summary the organisation must:
- Determine the processes within the organisation
- Determine their sequence and interactions
- Determine the methods of control
- Establish and implement measures for monitoring purposes
- Maintain documented information to support the operation of its processes
A simple list of steps to follow for an internal audit could be:
1. Planning the internal audit
2. Conducting the internal audit
Where to start with planning for an Internal Audit?
It is vital for the audit to be arranged with the auditee department to avoid any impression of “catching them out”. Some companies adopt a formal written notification method, but in a small company it might be equally effective to call in and arrange to visit “next Friday afternoon”.
The first important aspect is to agree the scope of the audit (i.e. the part of the process to be covered). Note: This may be specified by the Quality Manager as part of the Audit Programme and essentially defines the boundaries of the audit.
The next aspect is to agree which people in the department concerned will be involved and have set aside the necessary time. Another point may be that a guide may be needed to cover any safety issues, and perhaps to agree findings as the audit proceeds.
Some organisations adopt the idea of auditors working together as a team. If so, then one of the auditors should take the lead. There should be some prior agreement between the auditors on a division of the work (e.g. who is taking notes, and who is tackling which aspects of the process).
When preparing an Internal Audit Programme, the following should be considered:
- The particular risks and opportunities to the business
- The registered scope and strategic direction of the organization
- Previously identified nonconformities and the effectiveness of the actions taken
- Results of internal and external audits
- How often each process should be internally audited (after reviewing the above points)
- Who will be undertaking the audit, to ensure objectivity and impartiality:
- Are they independent of the process / activity being audited?
- Are they competent to undertake the audit?
- How has their competency been determined (experience / qualification / training)?
- How will the internal audit programme and the actual audit be communicated to the Auditee(s)?
- What internal audit reports (documented information) will be used?
When the audit is being undertaken, the following points should be considered:
1. An opening meeting with the Auditee(s) to explain that the internal audit will verify the effectiveness and efficiency of the organization’s processes, including evidence of continual improvement, for example, by auditing:
- Customer information, score cards / dashboards / reports / claims
- KPIs and objectives; relevance, trend analysis and continual improvement
- Links with other processes and control of these interfaces; inputs / outputs
- Risk control
2. Confirm the internal audit standard(s) and/or requirement(s).
3. Categorisation of findings, for example:
- Major nonconformity
- Minor nonconformity
- Opportunity for improvement
4. Who will be involved
5. What will be looked at: the process-approach internal audit is based on the Plan / Do / Check / Act (PDCA) model and will sample the documented management system, including:
- Documented information
- Physical processes / activities
- Interviewing personnel
6. Actions to be taken if findings are identified, for example:
- Correction - Action taken to address and correct the immediate nonconformity
- Root cause analysis - How and why did the finding occur
- Corrective action - Action taken to eliminate the nonconformity and to prevent recurrence
7. Timescale for implementation of these actions
Conducting the Internal Audit
The international standard ISO 19011, “Guidelines for Auditing Management Systems”, states that there is an opening meeting for all audits, whether first, second or third party.
In an internal audit the company style will dictate the degree of formality. The important thing for the auditor to remember is to treat the audit seriously. If the word “meeting” is too grand, then do not use it. The initial aim is to ensure that the Auditees are aware of the overall objectives. If this is best covered by a handshake and a chat between colleagues over a cup of coffee, then that still meets the requirement. ISO 19011 includes the following practical help:
‘In many instances, for example internal audits in a small organisation, the opening meeting may simply consist of communicating that an audit is being conducted and explaining the nature of the audit.’
The first action is to review the previous internal audit to verify whether any findings were raised and, if so, the effectiveness of the actions taken to correct them.
The second action is to audit the selected process: sample and record the contextual objective evidence seen during the audit. This may include:
Documented information – don’t forget to record the document name, reference, issue date, etc. Documented information may include:
- Sales orders
- Meeting minutes
- Purchase orders
- Delivery documents
- Job cards
- Calibration records
- Statutory inspection records
- Site inspection records
- Product / service inspection records
- Competency records
Note: This list is not exhaustive, but indicative. The documented information actually sampled will vary with the process being audited.
Personnel interviewed during the internal audit – don’t forget to record each person’s name, job title and department. You will need this to follow up the competences of the persons seen during the internal audit.
Physical processes / activities seen during the internal audit – don’t forget to detail what was actually seen, including:
- Equipment being used, for example machine / asset number
- Date of last service
- Date of expiry of the statutory inspection
- Job number and description, including details of drawings, process cards, work instructions / process flow charts / procedures
- Inspection equipment, for example: Is it identified for its calibration status? Is it actually OK and suitable to use?
- Components / products – are there any expiry dates?
Note: This list is not exhaustive, but indicative. The items actually sampled will vary with the process being audited.
We must remember that when we are auditing, we are there to gather information, not to give information. Therefore, the auditee should be doing most of the talking during the audit interview. In terms of the balance of time spent talking, a good target would be 80%–20% in favour of the auditee. It may not always be possible to achieve this, but it is a good target.
‘I kept six honest serving men, they taught me all I knew, their names are What and Why and When, and How and Where and Who.’ (Rudyard Kipling, The Elephant’s Child)
In order to achieve this, the auditor will normally need to ask questions about specific subjects and then listen to the answers. The amount and type of information given by the auditee will often depend upon the type of question asked by the auditor.
Conducting the Closing Meeting
Introductions will not always be necessary, but the report back may be presented to people who have not been involved in the audit until this point. The scope and objectives need to be clarified to ensure that the auditee understands what was audited, in particular whether the audit did or did not cover all of the expected areas as specified at the opening meeting (e.g. perhaps the auditor was unable to complete the whole of the proposed audit due to lack of time or unavailability of personnel).
The auditor should now give a general summary of his/her findings during the audit. This is an opportunity to ‘round up’ his/her thoughts and to provide feedback to the auditee on the areas where the system is working well. This helps to reduce the impression that auditing is a negative exercise. Quite often there will be non-conformities to discuss (though not always) and these should now be presented individually.
Assuming that the non-conformities are accepted, the auditor should seek to obtain corrective actions including timescales for their completion. After the non-conformities, any observations raised should also be presented. Non-conformities that are not accepted should be explored and attempts made to reach agreement, but if not they should be referred to the quality manager (or whoever is responsible for arbitrating on these issues). Alternatively, they may be passed forward to the next management review meeting for resolution.
Finally, the auditor should offer thanks to the auditees for their co-operation during the audit and inform them as to when the audit report will be produced.
The following needs to be taken into consideration:
- Thank the Auditee(s) for their assistance during the internal audit
- Explain that the internal audit is sample based, thereby introducing an element of uncertainty
- Advise the Auditee(s) of any findings, including the category of each finding
- Advise the overall outcome of the internal audit
- Explain and agree the timeframe for the Auditee(s) to undertake the correction and corrective action for any findings raised
- Invite any questions
So what next? How do you follow up?
It is important that when nonconformities are raised, they are acted upon and checked to ensure that they have been properly cleared. Follow-up is more than just checking that action has been taken; it is also verifying that the action taken has been effective in removing the nonconformity originally raised.
When conducting the follow-up, it is important to treat it like a ‘mini audit’ in that evidence of what was seen must be recorded on the form.
If the action has not been taken, the auditor must determine whether it is a genuine case of perhaps being forgotten, in which case another week or so may be allowed, or whether there has been no attempt to resolve the problem, in which case the nonconformity will most likely have to be ‘escalated’ to the management representative for resolution.
If the action has been taken but has not worked, i.e. the nonconformity still exists, it is normal to agree another action, either on the same form or by raising another nonconformity report.
Once the action has been taken and deemed effective, the nonconformity can be closed out.
The following needs to be taken into consideration:
- Have the Auditee(s) undertaken the immediate correction and corrective action?
- Was this undertaken within the agreed timeframe?
- Has the corrective action been evaluated as effective?
- If not, what are the follow-up requirements?
- Does the Risks and Opportunities Register need to be reviewed and updated following the implementation and evaluation of the corrective action?
General Tips From an NQA Auditor
The internal audit must be robust enough to drill down into the process to verify the implementation and the effectiveness of the quality management system.
Remember, you can have too little objective evidence, but never too much! Consider whether, if you looked at this internal audit report in three to six months, you would still be able to follow the audit trail.
This is not an exhaustive list, nor does it mean that all of the above are mandatory elements that must be included in an internal audit process; it is a blog article to provide some guidance on the elements that should be considered when internal audits are being undertaken.
It is appreciated that not all the elements will be applicable, as this depends on a number of factors, including:
- Size and locations of the organization
- Activities and complexities of the organization
- Number of standards the organization is registered to
- Maturity of the organization’s management system.
As always, if you have any specific questions or would like to speak to a member of the team, please don’t hesitate to get in touch.