Internal Audit Expectations - A Refresher
As ISO 9001:2015 continues to age, it may be a good time to take stock of our expectations for the Internal Audit programs. We should make sure we have not lost focus on the expected methodology, outcomes and content of the audit records throughout the years since the latest version's implementation. This guide will briefly outline the internal auditing process, its requirements and outcomes and the benefits it can provide your business.
What Is An Internal Audit?
An internal audit uses objective partners to assess the effectiveness of your business' quality management system. Internal auditors evaluate all your internal controls to ensure compliance with laws, industry regulations and other requirements. They also monitor and confirm the accuracy of your business' accounting processes to protect against fraud and other abuses of the system. By identifying potential problems within these areas, you can correct issues before they're found by an external audit.
Several steps comprise the internal auditing process, including:
- Planning an audit schedule: Businesses of different sizes and industries perform internal audits on various schedules. Some departments might be audited daily or weekly, while others might only be audited quarterly or yearly. They might also be planned or given as a surprise — although surprise audits are usually best saved for the event of suspected illegal activity within a department. Plan an audit schedule that works best for your organization, and communicate this schedule with your employees.
- Conducting the audit: After you've selected your auditors and planned an internal auditing schedule, you can design and conduct your inspection. Auditors can talk to employees, analyze company data, observe workers on the job and review various records to gather information during auditing.
- Reporting its results: Once the audit is complete, you should receive accurate results as quickly as possible. A meeting with auditors soon after your inspection will ensure rapid improvement and correction of any issues that might have arisen. You should also receive a detailed written report of the results that outline both areas the department excels in and areas that should improve before the next audit.
- Remediating and monitoring issues: Following up on any problems found during your audit is an essential next step. Implement a corrective action and ensure its success with ongoing monitoring.
Internal Audit Requirements
Have we lost focus on the expectations of Internal Audits? Are Registrar Auditors and Internal Auditors both becoming complacent? If complacency sets in, the benefits of Internal Audits disappear. If this important cornerstone of the Plan-Do-Check-Act cycle has become weak, the entire system is weak. In this article, I intend to explore the basics to serve as a reminder on how to conduct Internal Audits.
Let’s review ISO 9001:2015 clause 9.2. This clause requires the organization to conduct internal audits to determine whether the four core aspects of a quality management system are in conformance and continue to be effectively implemented.
The Four Core Aspects
- the planned arrangements for providing services or products
- the applicable requirements of ISO 9001 (clauses 4, 5, 6, 7, and 8), and
- the documented quality management system
- the entire Scope of registration
ISO 9001:2015 clause 9.2 requires records of the internal audits. Records of Internal Audits will have evidence that all applicable requirements of ISO 9001 are being met, that the organization follows the planned arrangements for delivering goods and services as required by their customers, and that the organization continues to follow the documented management system.
What To Expect From An Internal Audit
The expectation is for audits to be based on a review of the processes (documented and not documented) providing evidence of compliance with ISO 9001, not necessarily based on the clauses of ISO 9001. The organization must conduct Internal Audits to the depth and breadth necessary to provide sufficient evidence of a review of the effectiveness of the entire management system. It also requires the Internal Audits be conducted by trained, competent auditors independent of the area under review.
The philosophy of Internal Audits is that the certified organization will have conducted Internal Audits to ensure the entire QMS continues to meet the requirements of ISO 9001.
- That the organization continues to adhere to all processes, documented and undocumented.
- That the system ensures customer requirements are being met all of the time.
- That all process descriptions remain current and accurate.
- That all records required by ISO 9001:2015 and the QMS are maintained and are accurate.
- To show the entire scope of the certificate has been audited.
Some of the complacency seen by the registrar auditors has resulted in Minor and, in some extreme circumstances, Major non-conformances at organizations with long-standing certificates. The following is a short list of the weaknesses in the organizations’ Internal Audits that have resulted in the issuance of NCRs by the registrar auditors:
- Use of untrained internal auditors
- Not auditing the entire scope of the certificate
- Not auditing all clauses of ISO 9001 and thus not auditing all processes
- No actual evidence of which documents or persons were the subject of the audit and failure to take timely correction and/or corrective action to non-conformances identified in the Internal Audits.
The Registrar Auditor’s role is to sample the processes and records of the organization to ensure compliance, identify potential weaknesses in the system, show the entire scope of the certificate has been audited, and ensure the overall intent of driving customer satisfaction is met. Registrar Auditors, by necessity, pay particular attention to the organization’s Internal Audit Reports, Management Review Meeting Minutes, and Corrective Action process. These three sources of information, when reviewed as an integrated set of processes, can help the Internal Auditor and the Registrar Auditor identify and correct complacency in the overall Plan-Do Check-Act process.
Taking stock of the effectiveness of the Internal Audit Programs could result in faster, smoother and easier transitions. Having an effective internal auditing schedule in place can keep your employees functioning at peak level and will keep them informed about precise areas of improvement within the organization. These insights will keep your company strong and competitive while it complies with industry standards. To reap results such as these, you'll need to choose a proven, trustworthy internal auditing team to conduct your audits.
Contact NQA For Auditing And Support
If you're looking for an internal auditor to evaluate your business practices objectively, turn to NQA. As a worldwide organization with years of auditing experience, we've helped thousands of companies discover opportunities for improvement with ongoing internal auditing services. We'll help you understand each of your results with meetings and written reports. Further, we often work closely with consultants who offer practical advice to help you implement the best business practices.
An internal audit does more than ensure your compliance with ISO 9001 standards — it can help you improve nearly every part of your business. Contact us to learn more.