I’m an internal auditor, but I’m not sure if I’m auditing or inspecting | CQI | IRCA

Published: 5 Jan 2022

Andy Lau, an IRCA Registered Lead Auditor, poses some pertinent questions about the scope of internal audits and offers some tips on the right way to address them.   

Audit is defined as a systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled (Clause 3.1 ISO 19011:2018).

When conducting an audit, there is a clear process and steps to be followed. It starts with planning – audit plan, audit checklist, audit notes. Then comes the audit itself – collecting evidence through interviews, observations and checking documents/records. Finally, the auditor needs to make an informed decision.  

This decision is based on the evidence collected and the criteria for the audit (ISO standards/documented information established for the management system and/or legal requirements) and the category of the finding (conform/non-conform/opportunity for improvement). 

Inspection as part of operational control 

Inspection, as an example, is found under ‘A8.1 operational planning and control’ in Annex A of the ISO 45001:2018 standard.  

Some people might ask why inspection is listed under a heading for operational control. The answer is that, when you inspect a machine before using it, you are carrying out an operational control step. When you want to repair a machine, you perform an inspection first, to identify what is wrong. This is the first part of the repair process.  

When a teacher wants to start a learning session, they will perform an inspection by counting how many students are present in the class. The inspection is the first part of the learning operation. Therefore, the act of carrying out an inspection definitely belongs under operational control. 

When I perform an audit, can I choose not to check everything? This is often the question asked by internal auditors – but what does ‘everything’ actually mean here? Does it mean that, as my organisation has gained the ISO standard and knows the procedures and work instructions, I can choose just to check the procedures and work instructions, and leave the ISO standard for next year’s audit? The answer is “no”. 

Does it mean I can focus only on the ISO standard and leave out the procedures and work instructions? Of course not. Does it mean I can just choose those clauses inside the ISO standard with which I am familiar when doing my audit? Again, the answer is “no”.  

Understanding the scope of an audit  

The right way to go about an audit is to take a look at the processes that have been included in the scope of the audit. Based on this, read about the process and understand what the expected outputs are. For example: 

  • Is it to provide a safe machine for the operators to use?  
  • Is it to clean the waste water before final discharge into the environment?  
  • Is it to produce correct results? 

Then, read about what inputs can influence the results of the process. For example: 

  • Will an incompetent workforce impact the results negatively?  
  • Will having the right machines and equipment make it easier for a positive result?  
  • If there are changes and the changes are not communicated, how will this impact the result?  
  • Do you monitor to make sure your results are correct all the time? 

A question of judgement 

Having done this reading, go ahead and audit the process. Use the ISO standard and the relevant documented information and/or legal requirements to check if the process is achieving its intended results. You will need to be sure that the process inputs are being managed effectively and that it is possible to demonstrate consistency between the date of the last audit and the current one. 

Auditors are not, of course, expected to ‘inspect’ all the data for a full year. Instead, they should use sound judgement, based on historical data of failures, to randomly sample the events of the past year by checking the process outputs and their related inputs.