This month we take a look at how internal audits actually work. As we saw last month, these are there to examine the operation of your management system and provide top level management with the information needed to ascertain whether the system is operating effectively or if any changes need to be made.
An Internal Audit can be performed within the organisation by auditors who are employed by the organisation, but who should have no vested interest in the audit results of the area being audited. Alternatively you can use an External Auditor who will also be free of any conflict of interest. Whichever one you choose, you should make sure that the auditor is actually competent to do the job - this can be based on skills, formal training and experience.
For organisations with a formal management system in place, such as ISO 9001, ISO 14001, or ISO 45001, this is a requirement of the standard, which means it must be done. However, conducting internal audits is a vital process regardless of whether you have to do it or not. It’s there to serve several purposes:
You should conduct internal audits at planned intervals throughout the year. This will enable you to regularly determine whether the system is being effectively implemented and maintained.
The first and most important thing to understand is how often you need to audit your systems. There is a myth out there that you need to audit your entire ISO Management System every year, and it is just that, a myth: you do not!
The wording in pretty much every standard is now roughly the same, the key phrase being: “The organisation shall conduct internal audits at planned intervals to determine……” There is nothing there about every year; it just says planned intervals. Planned intervals simply means that you should have a documented, planned frequency for auditing your system. You may decide you want to cover it all within the 3-year cycle of your certification, but again you do not actually have to (you should, but you do not have to).
In all the newer revisions of the ISO Management System Standards, right at the very start, they all talk about taking a risk-based approach to your compliance system. That means throughout your entire ISO 9001 Quality Management System, ISO 14001 Environmental Management System or even your ISO 27001 Information Security Management System, you should look at the risks of each policy or procedure and make a call on how often you will carry out an internal audit on it.
Grouping things into a risk category does not need to be complicated. Keep it simple and give each one a simple rating in terms of the impact it could have on the performance of your ISO Management System, and the possible impacts on your product or your customer if things were to go wrong. For example, a rating like this works well in terms of setting out your audits:
When deciding that risk level, you could use the list below as a good starting point. You should also factor these considerations into your thinking when deciding whether to re-audit an area sooner than planned or push it further out (yes, you can adjust your schedule as you go):
A shameless plug here - The Ideas Distillery offers a comprehensive, objective internal auditing service which can be undertaken to verify compliance against International Standards (ISO), legal requirements or internal procedures. Using an external service in this way keeps the audit process impartial.