An ISO Audit is the systematic process of collecting and evaluating information about an organization’s processes to determine their level of compliance with the standard they are being audited against. Audits are completed to check the effectiveness of measures in place and to determine if the organization is operating at full capacity within the requirements to achieve certification and continue to grow. Within an audit cycle, which is typically 3 years, an organization will have both ‘internal’ and ‘external’ audits completed at least once per calendar year, with the scope and scale of the audit dependent on who is conducting it and its purpose.
Internal auditing is carried out independently by an organization, utilizing internal personnel or an ISO Consultant with experience and knowledge of your organization and industry. It is an appraisal of the efficiency and effectiveness within certain departments or the organization. External audits are done to evaluate your organization and recommend certification to the standard you are compliant with. External audits are performed by third-party auditors affiliated with a Certification Body. Internal audits are a requirement of ISO Standards, but cannot grant you an ISO Certificate.
An internal audit should have five general phases of activities. The following provides a brief explanation of each phase.
Planning – During the planning process, the internal audit team will define the scope and objectives, review guidance relevant to the audit (e.g., laws, regulations, industry standards, company policies and procedures, etc.), review the results from previous audits, set a timeline and budget for the audit, create an audit plan to be executed, identify the process owners to involve, and schedule a kick-off meeting to commence the audit.
Audit criteria – These refer to the specific QMS policies, objectives, ISO requirements, documentation, customer and regulatory requirements, etc., that the audit is referenced to or conducted against. Audit criteria may relate to the whole audit program as well as each individual audit. Audit methods refer to the specific techniques that auditors use to gather objective audit evidence that can be evaluated to determine conformity to audit criteria. Examples of audit methods include interviews of personnel, observation of activities, review of documents and records, etc. You must define the minimum qualification requirements for internal auditors. These requirements include knowledge of QMS processes and their interaction, related QMS controls, customer requirements, applicable regulatory requirements, the ISO 9001 standard, the audit process, and audit techniques. Internal auditors need to be trained in the ISO 9001 standard as they generally audit for conformity to organizational requirements and also for conformity to ISO 9001 requirements. Additionally, the ISO 19011:2002 Guidelines for quality and environmental auditing says that auditors should have knowledge of quality management system standards and their application to the organization.
Fieldwork – Fieldwork is the actual act of auditing. Throughout this phase, the audit team will execute the audit plan. This usually includes interviewing key personnel to confirm an understanding of the process and controls, reviewing relevant documents and artefacts for an example execution of the controls, testing the controls for a sample over a period of time, documenting the work performed, and identifying exceptions and recommendations.
Reporting – As you might guess, internal audit will draft the audit report during the reporting phase. The report should be written clearly and succinctly to avoid misinterpretation and to encourage the intended audience to actually read and understand the report. Findings should be accompanied by recommendations that are actionable and lead directly to process improvements. The process of issuing an internal audit report should include drafting the report, reviewing the draft with management to ensure the accuracy of findings, and issuing and distributing the final report.
Follow-up – The final stage is an important one that is often overlooked and neglected. Following up is critical to ensure that the recommendations have been implemented to address the findings identified. This process should include appropriate follow-up with process owners needing to implement the recommendations as well as Board oversight of the company’s overall status in addressing findings identified by internal audit. If an organization fails to follow up on the implementation of recommendations, it is unlikely that the changes will be made.
The Auditor has the following responsibilities:
After determining the audit criteria (requirements), objective evidence should be gathered in four different ways for more complete and effective audits:
1. Interview personnel
Based on your audit planning and checklist questions, ask employees about their jobs. Listen to what they tell you and see if their explanations match the defined process. Use open-ended questions to elicit more complete responses. Do not be afraid to challenge and probe or follow an audit trail to see where it leads you. Talking to people is the best possible way to test their understanding and knowledge about the processes and sub-processes in which they are involved.
2. Observe operations
Aid your own understanding of the process by watching it being performed. See if the observed practices comply with requirements. You will discover the persons being interviewed are more relaxed when you allow them to demonstrate their jobs. In addition, internal audits will be less disruptive since work is actually being completed.
3. Review documents and records
Ask the persons being interviewed what documents and records are used in their work. You may find documents, records and forms beyond those identified in your audit planning. See if the documents are adequately controlled and available for use. Refer to the documents and records to help you follow the work being shown. Verify the records described in the documents are being properly collected and controlled. Also challenge the need for documentation and always try to find better and more effective ways of managing and controlling the processes being audited.
4. Examine records
Auditors cannot interview every person, observe every activity, look at every document, and evaluate every record. You should strive for representative samples that allow you to make informed judgements. Since audits are limited due to sampling, non-conformities may continue to exist in the system beyond those identified and reported. However, with time and well-planned audits you can feel confident that you have thoroughly reviewed your system and its performance.
An internal audit report is a document with the formal results of an audit. It is used by the internal auditor to show what was examined, highlighting positives, negatives and conclusions, so that the company's management knows what is going well and what needs to be improved.
Copyright © 2022 Management System Group - All Rights Reserved.