Effective management of an internal audit programme

Published: 11 May 2022

Andy Nichols CQP MCQI, Quality Program Manager at Michigan Manufacturing Technology Center in the US, makes the case for why an accredited Internal Audit Programme Manager qualification and associated training course is necessary. 

Many of us who are responsible for meeting the internal audit requirements of ISO 9001:2015 Quality management systems – requirements, or one of its cousins, haven’t much previous experience to draw upon when it comes to setting up and running an internal audit programme.  

Of course, that does not mean we haven’t experienced audits at some time in our careers, be they customer or regulatory in nature. However, that experience doesn’t come close to the job we’re tasked with. If our best efforts are to ensure that the internal quality audit programme makes a difference to the organisation (why else would we do them?), we must ensure it is properly managed. This means the internal audits are aligned to the needs of the rest of the organisation’s functions, their objectives and performance. Such a programme must be effectively planned to ensure that it supports those needs.

So, what’s involved in tackling this important challenge? 

Establishing an internal audit programme 

Where to start? In the early days of implementing a quality management system (QMS), the internal audits are commonly performed to meet the short-term objective of preparing for third-party certification. They are implemented to demonstrate: 

  1. an audit programme exists; and
  2. the QMS has been audited, with the aim of mitigating the risk of a major third-party non-conformity. 

To meet this objective, it’s typical to have some people attend quality systems auditor training – which may be a ‘lead auditor’ course. After all, understanding how the certification auditor is going to do their audit is a key to success, right?

The audit programme, by default, becomes: 

  • audit scope: the whole QMS; 
  • audit objective: compliance to the criteria; 
  • audit criteria: ISO 9001 (or insert AS9100, IATF 16949 etc).

At this point in preparing for certification, passing the so-called ‘Stage 1’ certification audit is of paramount importance and, sadly, most internal audit programmes begin to languish at this point. Once the organisation achieves certification, the internal audits become part of the ‘rinse and repeat’ cycle, using the same scope, criteria and objective. Too frequently, the programme becomes based on simply preparing for the certification surveillance audits and is only changed when there’s a revision made to the ISO standard. 

Rarely do internal audits mature beyond an activity done because “ISO says so” and with the objective of keeping a certificate “on the wall”. 

Getting beyond compliance 

Effective audit programme management should be part of the overall audit process, and the excellent, and often overlooked, guide known as ISO/TS 9002 suggests in paragraph 9.2.2 that “a list of inputs to consider when planning audits includes, but is not limited to:

a) importance of the processes; 
b) managerial priorities; 
c) performance of the processes; 
d) changes affecting the organisation; 
e) results from previous audits; 
f) trends in customer complaints; 
g) statutory and regulatory issues.” 

Once compliance to the ISO 9001 requirements has been established, it is important to engage with the various stakeholders in the planning for internal audits. The stakeholders have responsibility for the effectiveness of the items listed above and their professional objectives are usually tied to them. It is important to know, objectively, if business process performance, whether good or below par, is down to the QMS processes being followed. This verification and, more importantly, validation, is an important piece of the puzzle that we know as ‘management review’: “We’ve got results, but was it because our people followed the (QMS) processes?” 

“Planning is indispensable” 

Clearly then, attending an auditor training course is unlikely to allow for much time to be spent on how to manage an internal audit programme. Auditor training is focused on teaching candidates how to audit – from a desk review of documentation, creating a checklist, through audit techniques to reporting audit findings. Little time is spent on factoring in points a to g, as listed above.   

This is somewhat exacerbated by the external audit model, usually that of the certification body, being the way auditors are taught. Since the training is often predicated on a single audit assignment, it is easy to see that little effort is expended on the audit programme. Indeed, audit programme management, for the third-party auditor, is the domain of the Certification Body Operations team and not relevant to internal audits. 

Few people would disagree with the wisdom in Dwight D Eisenhower’s statement: “In preparing for battle, I have always found that plans are useless, but planning is indispensable.”  

Since there is so little about the internal audit programme requirements of ISO 9001 that is institutional to organisations, and attending a (lead) auditor training course does not address the subject, after 30 years of experiencing less than effective internal audits, maybe the time is ripe to establish an accredited ‘Internal Audit Programme Manager’ qualification and associated training course. 
