For almost every standard it is required to perform an internal audit. Especially in ISO 9001, it is an important part of the standard and quality improvement. In this article we discuss internal audits from the perspective of ISO 9001.
What is an internal audit?
An internal audit for ISO 9001 is the testing of a management system or a process on the basis of aspects:
- Are the requirements of the standard being met?
- Are the internal agreements such as the procedure or verbal agreements about the process being met?
- Can the process or the management system be improved?
During an internal audit, you determine whether work is done in accordance with the agreements made and whether there is room for improvement in this work method. The aim is to look at the processes and working methods, not at the person who carries them out! The ISO 9001 standard also requires that internal audits be carried out periodically. This comes down to at least annually, with the requirement to test all processes of the entire management system once every 3 years. Where it is important that a clear distinction is made between processes that contain more risks or have a chance of going wrong. Therefore these must be audited more frequently than other processes.
What requirements are set for the internal audit?
Section 9.2 of ISO 9001 states a number of requirements which the internal audit must fulfil. The most important are discussed here:
- Objective and impartial: you may never audit your own work during an internal audit.
- Knowledge of the auditor: the auditor must have knowledge of the standard and audit techniques.
- Audit programme: an audit programme must be drawn up showing that the entire management system and all processes are demonstrably tested once every 3 years.
- Report: an audit report must be drawn up of each internal audit.
- Follow-up of nonconformities: nonconformities identified must be followed up without unnecessary delay.
The findings of internal audits must be shared with the relevant management.
What requirements are set for an internal auditor?
The standard states that an auditor must at least have knowledge of the relevant standard and of the basic techniques for performing internal audits. There is no extensive training required, so that on-the-job training or experience already gained can also be a good basis for the training in question. However, it is often useful to at least follow a training or elearning course for the basic skills of internal auditing. The fastest method is to follow an eLearning. Through this link you can start directly: eLearning Internal Auditor.
In addition, as an internal auditor you may never audit parts of the management system or processes for which you yourself are responsible.
Objectivity and impartiality during the internal audit
As mentioned, one of the most important requirements is to perform internal audits in an objective and impartial manner. In reality, this means that you are not allowed to perform internal audits on parts of the management system for which you are responsible, or on processes that you carry out yourself. As a result, within larger organisations you will see an audit team made up of several internal auditors to ensure that the objectivity and impartiality are not compromised. This team must also be trained to perform internal audits.
Can an internal audit be outsourced?
Another way to conduct internal audits objectively and impartially is to outsource to an external consultant. This is permitted. Because the consultant is not part of the organisation, the quality of the internal audit will benefit. The experience and knowledge of management systems and processes often make the results of the internal audit even more valuable.
How do I perform an internal audit?
Internal audits can be performed in several ways. The most common way is by conducting interviews. By interviewing the person responsible for a particular part of the management system, it is determined on the basis of a number of samples whether the agreed processes are still being complied with and whether they can be organised more efficiently.
Another method that is often used is the documentation or file evaluation. By performing an internal audit on the documentation present, it can be assessed whether it is complete. The disadvantage is that no explanation is given by the person who is working on it. Therefore, in actual practice, a combination of both methods is often performed.
Internal audit programme
The requirement is to perform internal audits on the management system at least annually. Internal process audits must be carried out once every 3 years. Logically, it is sensible to include all these parts of the management system and the processes in the internal audit programme and to plan them for 3 years. In our internal audit programme format, this can easily be planned.
What do I include in the internal audit report?
A report must be made of each internal audit. This does not necessarily have to be very extensive, but it is important that the internal audits executed can be reproduced properly. That is why you always include at least the following parts in the internal audit report:
- Name of auditor
- Name of the person interviewed
- The process or component that was tested
- The date of the audit
- The general findings
- The samples taken (the documents viewed)
- The conclusions drawn (deviations, potential improvements)
- These elements may be included in a Word document, but a fixed format may also be created to include the internal audit report.
ISO 9001 internal audit questionnaire
As indicated, the internal audit is used to check whether the standard is being met and whether the processes are being followed. It is possible to create questionnaires for this in advance. We have included a format for the internal audit ISO 9001 standard later in this article. To carry out internal audits of processes, one can start with a few basic questions, namely:
- What tasks and responsibilities have been agreed in the processes?
- What inputs (information or documents or goods) are needed in the process?
- Which process steps need to be taken?
- What are the results to be obtained from the process?
- What resources are needed to carry out the process?
- What documentation and registrations are required for this particular process?
- Are these registrations properly maintained and are they complete?
- Have there been complaints or deviations concerning this process? How were they dealt with?
- What can be improved in the process?
Want to become an ISO 9001 internal auditor?
To carry out internal audits for ISO 9001, it is important to have knowledge of the standard (can be followed as an elearning or classroom training) and the basic skills for internal audits (can also be followed as an elearning or classroom training).
Checklist internal audit for ISO 9001
When setting up the processes for the ISO 9001 internal audit, don’t forget to:
- Ensure objectivity and impartiality.
- Acquire knowledge and possibly put together an audit team that is trained or acquires knowledge via, for example, an elearning Audit Skills.
- Draw up an audit programme with which you can demonstrate that all processes and parts of the management system are tested at least once every 3 years.
- Draw up a report of performed audits.
- Pick up deviations and solve them in a timely manner.
- Report the findings of internal audits to the relevant management.