Management systems such as ISO 9001, ISO 14001 and OHSAS 18001 require that internal audits are scheduled at planned intervals; they do not establish a specific frequency nor do they establish that all processes need to have an annual internal audit. Therefore, organizations must establish a frequency which is right for their business. But how often should you be having internal audits for compliance? Audits can be performed monthly, quarterly, twice a year, or once a year. It is important to understand the criteria which should be considered before defining an internal audit frequency, as not all processes should be considered on the same timeline.
Complexity of the Processes
- Crucial or high-risk processes should be audited on a more frequent basis, perhaps quarterly or twice a year
- Low-risk processes can be audited just once a year or every other year
Maturity of the Processes
- Well established processes that run efficiently can be audited once a year or every other year
- Newly developed processes should be audited more frequently, for example, quarterly, until they are stable
- Processes that have a history of frequent deficiencies or non-conformities, should be audited on a more frequent basis, such as quarterly or twice a year
- Processes with troubles achieving targets and objectives should also be audited on a more frequent basis, such as quarterly or twice per year
Other factors that may influence the frequency of auditing:
- Budget for the execution of internal audits
- Regulatory or customer requirements
There is no need to audit every process all at once; consider spreading out internal audits throughout the year by auditing different processes at different times. Auditing many processes all at once can be exhausting and process deficiencies or areas for improvement may be overlooked.
Although most standards do not require that all processes be audited every year, it is a common practice in many organizations. Some organizations with mature and well-established management systems may wish to schedule their audits over a 3-year time plan instead of annually. Every organization needs to take a close look at each of their processes, their management systems, and other applicable requirements to establish a rational schedule which fits their needs and is right for them.
This article was written by The Registrar Company and published with permission.