Published: 10 Sep 2018
Sponsored article: Auditing is not a new technique and has been used in various guises for many years, especially for financial purposes. This article aims to show how management system internal auditing has changed in recent years and where to start with conducting one.
By: David Winterburn, NQA Quality Principal Assessor
Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organisation itself for management purposes and can form the basis for an organisation’s self-declaration of conformity.
Perhaps the first question to ask is: Why should we perform internal audits?The most obvious answer to this question is that the internal audit clause 9.2 in ISO 9001:2015 says we ‘shall’ conduct audits; it is not an option if we wish to comply with the standard. Internal audits are a key management tool for evaluation of conformance of the management system to the standard.
To understand what is required with regards to internal auditing, we first need to take a look at the 9.2.1 clause in ISO 9001:2015, which says internal audits should be conducted at planned intervals to provide information on whether the quality management system conforms to the organisation’s own requirements; conforms to the requirements of ISO 9001; and is effectively implemented and maintained.
But how does this relate to the context of an organisation’s quality management system?
Audit criteria are used as the reference for determining conformity, they effectively describe what should be achieved for any given process or activity. The criteria to be audited against will be set by the process owner of the internal audit programme (normally the quality manager) and agreed with the auditor and the departments concerned.
How to define the internal audit process
ISO 9001 requires an organisation to have a management system which reflects its processes. The system must satisfy the requirements of the standard but should be based around the requirements of the organisation as a priority, not simply to reflect the standard.
To give priority only to satisfying the standard inevitably leads to a management system which does not help the organisation, indeed, it would often hinder it. The whole purpose is to create a system which helps to manage the way in which the organisation operates.
In summary the organisation must:
- Determine the processes within the organisation;
- Determine their sequence and interactions;
- Determine the methods of control;
- Establish and implement measures for monitoring purposes;
- Maintain documented information to support the operation of its processes.
A simple list of steps to follow for an internal audit could be:
- Planning the internal audit
- Opening meeting
- Conducting the internal audit
- Closing meeting
- Follow up
How to start planning for an internal audit?
It is vital for the audit to be arranged with the auditee department to avoid any impression of ‘catching them out’. Some companies adopt a formal written notification method, but in a small company it might be equally effective to call in and arrange to visit ‘next Friday afternoon’.
The first important aspect is to agree the scope of the audit (i.e. the part of the process to be covered). This may be specified by the Quality Manager as part of the Audit Programme and essentially defines the boundaries of the audit.
The next aspect is to agree which people in the department concerned will be involved and have set aside the necessary time. Another point may be that a guide may be needed to cover any safety issues, and perhaps to agree findings as the audit proceeds.
Some organisations adopt the idea of auditors working together as a team. If so, then one of the auditors should take the lead. There should be some prior agreement between the auditors to agree a division of the work (e.g. who is taking notes, who is tackling which aspects of the process?)
When preparing an Internal Audit Programme, the following should be considered:
- The particular risks and opportunities to the business.
- The registered scope and strategic direction of the organisation.
- Previously identified nonconformities and the effectiveness of the actions taken.
- Results of internal and external audits.
- How often should each process be internally audited and the frequency (after reviewing the above points).
- Who will be undertaking the audit, to ensure objectivity and impartiality.
- Are they independent of the process / activity to be audited?
- Are they competent to undertake the audit?
- How has their competency been determined?
- Experience / qualification / training.
- How will the internal audit programme and actual audit be communicated to the auditee(s).
- What internal audit reports (documented information) will be used.
When the audit is being undertaken, the following points should be considered:
1. An opening meeting with the auditee(s) to explain that the internal audit will verify the effectiveness and efficiency of the organisation’s processes, including evidence of continual improvement, for example, by auditing:
- Customer information, score cards / dashboards / reports / claims.
- KPIs and objectives; relevance, trend analysis and continual improvement.
- Links with other processes and control of these interfaces; inputs / outputs.
- Risk control.
2. Confirm the internal audit standard(s) and /or requirement(s).
3. Categorisation of findings, for example:
- Major nonconformity;
- Minor nonconformity;
- Opportunity for improvement.
4. Who will be involved.
5. What will be looked at, the process approach internal audit is based on the Plan / Do / Check / Act (PDCA) model and will be sampling the documented management system, including:
- Documented information;
- Physical processes / activities;
- Interviewing personnel.
6. Actions to be taken if findings are identified, for example:
- Correction: Action taken to address and correct the immediate nonconformity.
- Root cause analysis: How and why did the finding occur.
- Corrective action: Action taken to eliminate the nonconformity and to prevent recurrence.
7. Timescale for implementation of these actions.
Conducting the internal audit
The international standard ISO 19011 ‘Guidelines for Auditing Management Systems’ states that there is an opening meeting for all audits, whether first, second or third party.
In an internal audit the company style will dictate the degree of formality. The important thing for the auditor to remember is to treat the audit seriously. If the word ‘meeting’ is too grand, then do not use it. The initial aim is to ensure that the auditees are aware of the overall objectives. If this is best covered by a handshake, and a chat between colleagues over a cup of coffee, then that still meets the requirement. ISO 19011 includes the following practical help: “In many instances, for example internal audits in a small organisation, the opening meeting may simply consist of communicating that an audit is being conducted and explaining the nature of the audit.”
The first action is the review of the previous internal audit to verify if any findings were raised, and if so, the effectiveness of the actions taken to correct these.
The second action is to audit the selected process, sample and record the contextual objective evidence that is seen during the audit, this may include:
- Documented information - don’t forget to detail, document name, reference, issue date, etc., which may include:
- Sales orders
- Meeting minutes
- Purchase orders
- Delivery documents
- Job cards
- Calibration records
- Statutory inspection records
- Site inspection records
- Product / service inspection records
- Competency records
Note: This list is not exhaustive, but indicative. The actual documented information sampled will vary due to the process being audited.
- Personnel interviewed during the internal audit - don’t forget to detail, person’s name, job title and department. You will need this to follow up the competences of the people seen during the internal audit.
- Physical processes / activities seen during the internal audit - don’t forget to detail what was actually seen and include:
- Equipment being used, for example machine / asset number;
- Date of last service;
- Date of expiry of the statutory inspection;
- Job number and description, including details of drawings, process cards, work instructions / process flow charts / procedures;
- Inspection equipment, for example: Is it identified for its calibration status? Is it actually OK and suitable to use?
- Components / products - are there any expiry dates?
Note: This list is not exhaustive, but indicative. The actual items sampled will vary due to the process being audited.
We must remember that when we are auditing, we are there to gather information, not to give information. Therefore, the auditee should be doing most of the talking during the audit interview. In terms of the balance of time spent talking, a good target would be 80/20% in favour of the auditee. It may not always be possible to achieve this, but it is a good target.
“I kept six honest serving men, they taught me all I knew, their names are What and Why and When, and How and Where and Who.” Rudyard Kipling, The Elephant Child
In order to achieve this, the auditor will normally need to ask questions about specific subjects and then listen to the answers. The amount and type of information given by the auditee will often depend upon the type of question asked by the auditor.
Conducting the closing meeting
Introductions will not always be necessary, but the report back may be presented to people who have not been involved in the audit until this point. The scope and objectives need to be clarified to ensure that the auditee understands what was audited, in particular if the audit did, or did not cover all of the expected areas as specified at the opening meeting, e.g., perhaps the auditor was unable to complete the whole of the proposed audit due to lack of time or unavailability of personnel.
The auditor should now give a general summary of his/her findings during the audit. This is an opportunity to ‘round up’ his/her thoughts and to provide feedback to the auditee on the areas where the system is working well. This helps to reduce the impression that auditing is a negative exercise. Quite often there will be non-conformities to discuss (though not always) and these should now be presented individually.
Assuming that the non-conformities are accepted, the auditor should seek to obtain corrective actions including timescales for their completion. After the non-conformities, any observations raised should also be presented. Non-conformities that are not accepted should be explored and attempts made to reach agreement, but if not, they should be referred to the quality manager (or whoever is responsible for arbitrating on these issues). Alternatively, they may be passed forward to the next management review meeting for resolution.
Finally, the auditor should offer thanks to the auditees for their co-operation during the audit and inform them as to when the audit report will be produced.
The following needs to be taken into consideration:
- Thank the auditee(s) for their assistance during the internal audit.
- Explain that the internal audit is sample based, thereby introducing an element of uncertainty.
- Advise the auditee(s) of any findings, including the category of the finding.
- Advise the overall outcome of the internal audit.
- Explain and agree the timeframe for the auditee(s) to undertake the correction and corrective action for any findings raised.
- Invite any questions.
So what next? How do you follow up?
It is important that when nonconformities are raised, they are acted upon and checked to ensure that they have been properly cleared. Follow-up is more than just checking that action has been taken, it is also verifying that the action taken has been effective in removing the nonconformity originally raised.
When conducting the follow-up, it is important to treat it like a ‘mini audit’ in that evidence of what was seen must be recorded on the form.
If the action has not been taken, the auditor must determine whether it is a genuine case of perhaps being forgotten, in which case another week or so of time may be allowed. Or, has there been no attempt to resolve the problem in which case it is most likely that the nonconformity may have to be ‘escalated’ to the management representative for resolution.
If the action has been taken but has not worked i.e. the nonconformity still exists, it is normal to agree another action either on the same form or to raise another nonconformity report.
Once the action has been taken and deemed effective, the nonconformity can be closed out.
The following needs to be taken into consideration:
- Has the auditee(s) undertaken the immediate correction and corrective action?
- Was this undertaken within the agreed timeframe?
- Has the corrective action been evaluated as effective?
- If not, what are the follow up requirements?
- Does the Risk and Opportunities Register need to be reviewed and updated following the implementation and evaluation of the corrective action?
General tips from a NQA auditor
The internal audit must be robust enough to drill down into the process to verify the implementation and the effectiveness of the quality management system.
Remember, you can have too little objective evidence, but never too much! Consider that if you looked at this internal audit report in three to six months, would you still be able to follow the audit trail.
This is not an exhaustive list detailing that all the above are mandatory elements and are required to be included in an internal audit process, but an article to provide some guidance on the elements that should be considered when internal audits are being undertaken.
It is appreciated, that not all the elements will be applicable, as this is dependent on a number of factors including:
- Size and locations of the organisation.
- Activities and complexities of the organisation.
- Number of standards the organisation is registered to.
- Maturity of the organisation’s management system.