HOW TO create an INTERNAL AUDIT plan

This month we take a look at how internal audits actually work. As we saw last month, these are there to examine the operation of your management system and provide top level management with the information needed to ascertain whether the system is operating effectively or if any changes need to be made.

An Internal Audit can be performed within the organisation by auditors who are employed by the organisation, but who should have no vested interest in the audit results of the area being audited. Alternatively you can use an External Auditor who will also be free of any conflict of interest. Whichever one you choose, you should make sure that the auditor is actually competent to do the job - this can be based on skills, formal training and experience.

For organisations with a formal management system in place, such as ISO 9001, ISO 14001, or ISO 45001, this is a requirement of the standard, which means it must be done. However, conducting internal audits is a vital process regardless of whether you have to do it or not. It’s there to serve several purposes:

• Ensuring adherence to the company’s processes – the auditor should look to ensure that the organisation is complying with its own procedures.
• Ensuring the effectiveness of the system – the auditor should look at all processes, reviewing the value of each process, and ensure that the procedures still meet the organisation’s objectives.
• Providing information for management reviews – the results of audits should be documented so that they can be reviewed and analysed, providing information for use in corrective action programmes and management reviews.
• Identifying opportunities for improvement – the auditor should examine documented evidence against the management system that is relevant to the function or department being audited. This could include staff competency, qualifications or training. Problems should be discussed with the auditee and corrective/preventative actions should be recorded.
• Driving continual improvement – the auditor needs to follow up and verify that any corrective actions have been completed by the agreed date.

You should conduct internal audits at planned intervals throughout the year. This will enable you to regularly determine whether the system is being effectively implemented and maintained.

The first and most important thing to understand is how often you need to audit your systems. There is a myth out here that you need to audit your entire ISO Management System every year, and it is just that a myth, you do not!

The wording in pretty much every standard is now the roughly the same, the key wording being: “The organisation shall conduct internal audits at planned intervals to determine……” There is nothing there about every year it just says planned intervals. Planned intervals just means that you should have a documented planned frequency for auditing your system, it maybe you decide you want to do it all within the 3-year cycle of your certification but again you do not actually have to (you should, but you do not have to).

In all the newer revisions of the ISO Management System Standards, right at the very start of them they all talk about taking a risk-based approach to your compliance system. That means throughout your entire ISO9001 Quality Management System or ISO14001 Environmental Management System or even your ISO27001 Information Security Management System you should look at the risks of each policy or procedure and make a call on how often you will carry out an internal audit on it.

Grouping things into a risk category does not need to be complicated, keep it simple and allocate each on a simple rating in terms of the impact each one could have on the performance of your ISO Management System, the possible impacts on your product or your customer if things were to go wrong. For example, a rating like this works well in terms of setting out your audits:

• Low – As required i.e. you may audit once in the 3 years or more frequently if something pops up
• Medium – Audit Every Two Years
• High – Audit Every Year
• Critical – Audit Multiple Times Per year

In terms of things to consider when deciding that risk level, you could use the list below as a good starting point, you should also factor into your thinking when you are deciding if you need to re-audit an area sooner than planned or push it further out (yes, you can adjust your schedule as you go):

• Level of non-conformances within / linked to that process.
• Customer complaints
• Any business risks / hazards
• Importance of the process on your product or customer
• Previous audit results (internal & external)
• Organisation changes e.g. key personnel changes.

A shameless plug here - The Ideas Distillery offers a comprehensive, objective internal auditing service which can be undertaken to verify compliance against International Standards (ISO), legal requirements or internal procedures. This service will ensure impartiality of the audit process therefore maintaining impartiality.

If you would like to look at how to implement an ISO management system, then simply contact us.

Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).

---