The Benefits of Internal Auditing
All ISO standards are based on the PDCA (Plan > Do > Check > Act) approach:
Plan what you would like to do and how you would do it
Do what you planned
Check the results
- Act to improve the process
What are internal audits?
Internal audits sit within the ‘Check’ element of this approach as they are used to check how well planned processes are performing. Based on the outcome of these audits the organisation can decide, in an informed way, how best to ‘act’, in order to ensure performance, compliance, risk mitigation and improvement.
The definition of an audit is “a systematic, independent and documented process for obtaining audit evidence, and evaluating it objectively to determine the extent to which the audit criteria are fulfilled”. An internal audit is effectively an audit that you complete yourself, on your own organisation to see where improvements need to be made. These are also known as first party audits.
Internal Audits must be completed by a trained, competent, impartial person, who is unbiased with regard to the process(es) being audited. This will ensure that the outcome of the audit is not affected by any negative influences.
So, now that we know what an internal audit is and who should be delivering them, when should you complete an internal audit, and what should its scope look like?
Why are internal audits important?
As stated previously, internal audits are one of the organisation’s most useful tools when it comes to monitoring performance, so don’t complete them just for the sake of giving your assessor something to read at your next external audit.
Most ISO standards state that internal audits must be completed at ‘planned intervals’. Which means you decide when is best to conduct them. It doesn’t mean they have to be done every month, or every year, but when they will prove most useful to your organisation. So don’t just audit everything annually without a good reason.
This doesn’t mean however that you don’t have to complete internal audits on a regular basis!
The modern family of ISO standards are risk based. This means that certain processes, or certain activities, the organisation performs will offer a higher potential risk than others. The risk referred to here could be a risk to your organisation’s reputation. It could be safety related. It could relate to customer satisfaction, or the performance of key processes.
The risk could be related to one-off activities, such as the installation of new plant or equipment. The movement of the business to a new location. The introduction of a new supplier or sub-contractor. Or measured performance issues that could be linked to specific events, e.g. BREXIT, Covid, an accident, a fugitive release, etc.
Driving continual improvement
Based on these known risks it is down to you to decide what to audit and when. For example; if you are introducing some new plant you may choose to audit the performance of this plant during the first few months of its operation. This could be to ensure it is working as the organisation had planned and that it’s being suitably maintained.
An effective internal audit will give the organisation assurance that their investment in the new plant is being realised and that it is performing as needed and expected. It can also highlight whether the personnel operating and maintaining the equipment have received suitable training and are fully competent.
The audit would then potentially identify any gaps, which can then be addressed via corrective or improvement actions. In this case, the justifications for the audit are clear.
Another example could be a negative trend that is measured within a given process. If a KPI identifies that performance is declining then an internal audit is a useful tool to deep dive into what might be causing the decline. Again, the findings of this audit could be used to identify gaps and allow you to take corrective or improvement actions.
Another example could be following an accident, incident, or non-conformance. Once actions have been taken to address the initial issue, regular internal audits could be completed in order to assess the continued effectiveness of these processes and determine whether further actions might benefit the organisation.
Find your balance
So don’t simply complete audits robotically, covering the same processes, at the same time of year. Think about what you need to audit and when and also remember that your internal audit schedule is your own. You can reorganise your audits as you need to and use them in a way that will benefit you most. But, when you’ve completed them you must ensure that you audit what you planned to audit.
The findings from all audits, internal and otherwise, must then form part of your Management Review. This information will prove very useful to top management when it comes to taking appropriate actions that are in the best interest of the organisation.
Author - Andrew Bradshaw, Regional Assessor, NQA