For many ISO Certified Management Systems, a well-maintained Internal Audit schedule is a requirement of compliance against the Standard. However, any business that wants to make sure it is running efficiently should consider performing regular Internal Audits as part of its operational processes.
A successful Internal Audit helps businesses to decide if a process is documented accurately, correctly implemented and effectively maintained. Having a regularly scheduled set of Internal Audits will also help you spot issues that cause gradual deviations from the business’s own interpretation of best practice. It also allows the processes to be challenged as to their suitability or relevance. Internal Audits therefore facilitate continual improvement; providing an opportunity to improve both the systems and the effective operation of an organisation.
To conduct an Internal Audit properly, you will need to decide the following:
- Who will perform the audit and when
- What they will audit
- To whom the results will be communicated
- How to ensure corrective actions take place
Below are some practical tips to help get the most out of the Internal Audit process:
Before the Audit
1. Setting a Schedule
Audits should usually be scheduled at least once per year and should cover all of the activities you undertake – especially if they are relevant to your Management System. Depending on the process being audited, it may be necessary to change this frequency. Consider the following questions:
- Are there any complex procedures or processes that could be split up and audited individually?
- Are there any aspects or areas that have a history of problems and would therefore require a more frequent or detailed check?
- Does your ‘hands-on’ approach indicate a need for less frequent audits?
An audit programme has to take into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods must be defined. The selection of auditors and conduct of audits should ensure objectivity and impartiality of the audit process.
An audit should not be seen as a quick fix, but as a continuous process of investigation, analysis and improvement of the Management System. A concerted approach to improvements over several audits is a better approach than one which attempts to do too much at one time.
2. Picking Your Team
Ideally an Internal Audit should be carried out by an individual with no vested interest in, or direct responsibility for, the work being performed in the area being audited – such as a person from an unrelated team. This has the added benefit of developing an understanding of each team’s working practices and problems. In smaller organisations this isn’t always possible, whereas larger organisations may wish to select one auditor for each department.
Auditors do not need to have any specialist or technical knowledge of the process to be audited, although the auditors must understand what the auditing process involves and be able to judge if the documented process is being followed correctly.
An individual suited to an internal audit role is ethical, open-minded, diplomatic, observant, and decisive. They should also be able to produce the relevant evidence and documentation for the audit. Quite often they will be dealing with privileged information, so they should also be able to maintain confidentiality and discretion.
During the Audit
3. Performing the Audit
Although Internal Audits are formal records, they should be carried out in an atmosphere of friendliness and co-operation. They should be a constructive, mutually beneficial activity and not a way of catching people out.
Internal Audits require information from a variety of different sources to confirm that processes are being followed correctly. To achieve this, some or all of the following activities may be required:
- Studying the expected procedures
- Observing procedures being carried out
- Looking at records and similar documents
- Talking to other members of staff
The results of Internal Audits need to be presented at a Management Review meeting, so part of this process is gathering the evidence needed in a way that can be readily reviewed and analysed.
So that the audit can be carried out in an orderly and systematic way, prepare a checklist of what processes should be reviewed and what evidence needs to be collected. It is important to consider if the area being audited still meets its requirements and achieves its objectives, so the checklist should help the auditor to establish this.
Before beginning the audit, explain to the auditee the purpose of the audit and how it will be performed and reported on. Make sure the latest documented information for the procedure is available so that you can both refer to it.
Together with the auditee, examine the documented evidence and use it to evaluate how the performance of the process compares against the documentation. Make sure to consider the levels of staff competency, qualifications and training. It is also important to determine if the process/area being audited is still relevant or needed.
Any problems identified should be discussed with the auditee and together you should determine a programme of corrective and preventive action that will define how the team/department/business can correct or prevent future occurrences (such as further training, adjusting the process, updating documentation etc.) and when these actions should be achieved by.
After the Audit
4. Recording Findings
An important part of the Internal Audit process is to record and present the results. There are three parts to this:
- Non-conformities: Individual problems found during the audit process should be documented as non-conformities.
- Follow-up actions: You will need to verify that any corrective or preventative actions discussed during an audit have been completed and by the agreed date. In some cases, this may not have been achieved and it may be necessary to provide an extension in time or change to the corrective action.
- Summary report: A summary report on your findings should be written, confirming what you found during the audit, and what actions were agreed with the auditee to address those issues. The report will be reviewed and analysed during Management Review meetings so that recurring issues can be identified and opportunities to improve found, helping to drive continual improvement within the business.
5. Maintaining Documentation
An important part of Internal Auditing is ensuring that any relevant documents are maintained correctly.
Whether a documented procedure has become outdated, has been changed to address a non-conformity, or has been removed from use as it no longer helps the business, you will need to ensure that the manual/documentation is re-written to reflect the current procedure.
The auditor may be asked to correct the documentation themselves, or to verify that it has been completed by the auditee. Whether the responsibility for this task is with the auditor or the auditee, it should be discussed and agreed during the audit.
QMS can also help your team ensure that you’re getting the most out of your Management System with an Internal Audit Training Course. Our 1 day, 2 day or 3 day courses give your team the skills and knowledge they will need to run your Management System more efficiently and achieve your organisation’s goals more effectively.
Contact us at firstname.lastname@example.org for more information.
Originally published on Friday, June 8th, 2016 by Michelle W.