An ISO Audit is the systematic process of collecting and evaluating information about an organization’s processes to determine their level of compliance with the standard they are being audited against. Audits are completed to check the effectiveness of measures in place and to determine if the organization is operating at full capacity within the requirements to achieve certification and continue to grow. Within an audit cycle, which is typically 3 years, an organization will have both ‘internal’ and ‘external’ audits completed at least once per the calendar year, with the scope of the audit and the scale of the audit dependent on who is conducting it and its purpose.
Internal auditing is carried out independently by an organization, utilizing internal personnel or an ISO Consultant with experience and knowledge of your organization and industry. It is an appraisal of the efficiency and effectiveness within certain departments or the organization. External Audits are done to evaluate your organization and recommend certification to the standard you are compliant with. External audits are performed by third-party auditors affiliated with a Certification Body. Internal audits are a requirement of ISO Standards, but cannot grant you an ISO Certificate.
Goals of Internal Audits:
The purpose of an ISO internal audit is to assess an organization’s efficiency as measured by the level of its quality and risk management systems and its overall business practices against one or more ISO Standards. Companies and organizations conduct internal audits to evaluate and improve the efficiency of their business practices capabilities by highlighting any existing flaws or shortcomings and ensuring plans are in place to properly address them.
While conducting regular and effective internal audits of your management system is a requirement of the standard, it’s also a requirement for a reason. Internal audits are a chance for your organization to truly see the progress you are making, and a chance for your employees to show off their skills and voice any concerns. Some of the major ways an organization can benefit from an internal audit:
- To review and evaluate the reliability and soundness of its internal control system;
- To ascertain the degree of compliance with established standards, policies and procedures;
- To minimize losses and maximize profits;
- To ascertain whether the information generated in an organization is accurate and reliable;
- To ascertain the level of integrity of the data provided to management;
- To provide informed advice and feedback to management on next steps and growth opportunities;
- To seek opportunities for improvement in the existing systems.
Internal auditing is based on several guidelines that are dependent on the organization’s specific vision and strategy. To be beneficial, it should provide appropriate and unbiased information that the organization can utilize in the enhancement of its performance. This means that auditing should be undertaken while keeping in mind the specific requirements and criteria of the organization and the environment within which it operates. While you might be tempted to download and follow a checklist, don’t use these as a one-stop-shop for the perfect internal audit, utilize them as guidance and tailor them for your specific needs.
Principles of Internal Auditing:
Following are some of the basic principles of auditing that should be universally applicable regardless of the size, scope or industry.
Objectivity: An internal audit should be an objective activity. All internal auditors must maintain objectivity in their judgment. Consider if you are auditing your peers, to not hold previous judgement or past experiences against an individual or team, audit within your scope, do not audit with an objective of proving a point. Audit with the objective goals of bettering the organization and providing a value-added practice to the organization.
Ethics: Like all other business practices, internal audits should also be done within the confines of morals and an ethical code. (link)
Confidentiality: Auditors have access to sensitive information about the organization and its employees. It is very important to ensure the highest level of confidentiality to avoid possible misuse of such information.
Competence: Auditing is a complex procedure. It must be done by skilled, experienced and competent auditors. When selecting an auditing team, consider their questioning skills, and their listening skills. An auditor must be prepared to ask questions that will give them the information they need, without causing stress for the auditee. Consider offering employees ISO Training to help reduce stress and increase engagement.
Planning: The audit process should be thoroughly planned to avoid confusion at later stages. Once an audit plan is in place and dictated to the auditees, do not stray from the scope of the audit. This will avoid issues with timing and employee engagement.
Documentation: It is important to maintain proper documentation of the audit process. Internal audits conclude with a closing meeting where findings are shown to management and you must provide a detailed report promptly after the audit is completed. By ensuring you are documenting your findings effectively, you will have much more success in your closing meetings and when you create your report.
Integrity: The audit reports must accurately depict the facts discovered during the audit process. The integrity of the audit findings is essential.
Selection of Auditors:
Internal auditors should be carefully selected. An internal audit team must be adequately staffed in terms of both numbers and experience. They should also be properly trained to ensure that the needs of each audit task are fulfilled. The success of the internal audit largely depends on the quality of the audit team that is determined by the level of their training and expertise.
Internal Audit Process:
The internal audit process should be planned well beforehand so that objectives are clearly defined, and priorities are established. You will need to provide the audit plan in advance to ensure you are able to talk with those you need to and can access the documents or processes needed to complete the audit on schedule. The planning process should include setting a schedule for each activity and setting deadlines. All tasks that need to be performed must be clearly defined. An audit plan should be made with a thorough understanding of the organization and its environment and presented clearly at the opening meeting.
The internal audit process must be continuously supervised by a designated audit team leader. The Lead Auditor will ensure that the audit process is proceeding according to the plan. The performance of the audit team should also be reviewed just like that of other employees and members of the organization. A comprehensive report should be issued once the internal audit is complete with findings communicated promptly and concisely. These findings must be presented in a way that makes them helpful for management in deciding their course of action.
The findings of the internal audit must be supported by ‘Audit Evidence’ which provides reasons for the conclusions of the internal audit team. This evidence must be easily understood and articulated in your reports to allow the external auditors to come to a similar conclusion during any third-party audit activities.
If done correctly, internal audits can have a very positive impact on the overall organizational performance of any company and be a value-added experience your company will benefit from.
To the novice quality manager, ISO jargon can be extremely overwhelming. What is an NCR? What do you mean by OFI? Are we certified or accredited? But before you go and pull out your hair, let’s take a moment to go over some of the most frequently used terms and their definitions with regards to ISO and Management System Certification.