Management systems such as ISO 9001, ISO 14001 and OHSAS 18001 require that internal audits are scheduled at planned intervals; they do not establish a specific frequency nor do they establish that all processes need to have an annual internal audit. Therefore, organizations must establish a frequency which is right for their business. But how often should you be having internal audits for compliance? Audits can be performed monthly, quarterly, twice a year, or once a year. It is important to understand the criteria which should be considered before defining an internal audit frequency, as not all processes should be considered on the same timeline.



Complexity of the Processes

  • Crucial or high-risk processes should be audited on a more frequent basis, perhaps quarterly or twice a year
  • Low-risk processes can be audited just once a year or every other year

Internal Audit Frequency - How Complex is your Process? - ISOUpdate.com

Maturity of the Processes

  • Well established processes that run efficiently can be audited once a year or every other year
  • Newly developed processes should be audited more frequently, for example, quarterly, until they are stable

Internal Audit Frequency - How Mature is your Process? - ISOUpdate.com

Past Experience

  • Processes that have a history of frequent deficiencies or non-conformities, should be audited on a more frequent basis, such as quarterly or twice a year
  • Processes with troubles achieving targets and objectives should also be audited on a more frequent basis, such as quarterly or twice per year

Internal Audit Frequency - What is your Processes History? - ISOUpdate.com
Other factors that may influence the frequency of auditing:

  • Budget for the execution of internal audits
  • Regulatory or customer requirements

There is no need to audit every process all at once; consider spreading out internal audits throughout the year by auditing different processes at different times. Auditing many processes all at once can be exhausting and process deficiencies or areas for improvement may be overlooked.

Internal Audit Frequency - Establish a Rational Schedule - ISOUpdate.com

 

Although most standards do not require that all processes be audited every year, it is a common practice in many organizations. Some organizations with mature and well-established management systems may wish to schedule their audits over a 3-year time plan instead of annually. Every organization needs to take a close look at each of their processes, their management systems, and other applicable requirements to establish a rational schedule which fits their needs and is right for them.


This article was written by The Registrar Company and published with permission.

SIMILAR ARTICLES

12 COMMENTS

  1. Our last Recertification Audit for ISO9001-2008, the auditor insisted IA’s need to cover the standard within 1 calendar year. This does not seem to be the case! Do I have an opportunity to challenge this interpretation?

    • Hi Jim,

      You are correct, there is no requirement in the ISO 9001:2008 standard that makes it mandatory to audit all clauses of the standard in any specific amount of time. It only indicates that you must “conduct internal audits at planned intervals” and this shall consider “the importance of the processes and areas to be audited, as well as the results of previous audits”. If you can demonstrate that you have planned the frequency you audit each process, taking these things into consideration you have met the requirements. You definitely should challenge this interpretation. Hopefully this was helpful!

  2. One other consideration, review your agreement with your registrar, they may have stipulations regarding frequency or scope is audits.

  3. An Accreditation Body auditor for ISO 17020 insisted that our Control Body type C must perform internal audits every year on the same date! We could not agree on it and she gave us a nonconformity . The same happened with a management review! I think that it is not possible… Pls, advice.

    • Looking at the requirement for ISO 9001:2015, it says it is an annual requirement. Your internal audit must happen on or before the date of the last one technically, some would argue that means a calendar year. If you do not agree with a finding from your Accreditation Body, the preferred course of action is to lodge an appeal using your Accreditation Body’s appeals process.

  4. How are discrepancies or nonconformities (findings) discovered when conducting internal audits of the OH&S management system recorded?

  5. In reference to Internal Audit:
    ISO 9001-2015 section 9.2:
    9.2.1 The organisation shall conduct audits at PLANNED intervals to provide information on whether the Quality Management System:
    The ISOupdate.com in its Feb 24th 2020 statement is not correct in referencing ‘it says Annual requirement”.

    • Thank you for this comment Eric. We will review the mentioned statement and make changes to our wording. Yes, audits should be conducted at planned intervals. The comment was in response to a question and we mentioned annually because if an audit was not scheduled or conducted that year, it would be a nonconformance. However, the standard does not state it must happen on the same date every year, only that it must be planned intervals, i.e., annually, monthly, quarterly, etc. I hope that clarify’s our intention with that comment, and thank you for bringing our attention to how it could be misunderstood.

Leave a Reply