Internal Audits Done Right

All too often internal audits are looked on as a necessary part of doing ISO.  However, if you have to do it, why not get the most out of it you can?

Any management system audit focuses on three objectives:

  1. Conformance – which shouldn’t be ignored because it will protect you from the registrar’s findings but also ensures your own processes are being followed.
  2. Effectiveness – auditors should determine if processes are effective at performing what they are supposed to.  Ideally there would be documented objectives and measurements to demonstrate the effectiveness of each process, although this is not always practical or desirable.  However, effectiveness is still relevant and this is one of the most important conclusions an auditor can make.
  3. Improvement – ISO requires improvement.  Management also generally finds this a good thing.  Auditors should be questioning and challenging for improvements in all processes.  If there are stated objectives the question relates to how those objectives are being improved upon.

Here are some tips to boost your internal audit:

  • An audit is performed for senior management.  Ask for their involvement.  Be clear about what they want out of the audit.  So long as the audit is conducted in a meaningful and thorough manner, problems uncovered are beneficial.  Even if the audit verifies that the process is reliably and consistently followed, that confirmation is valuable information too.
  • Internal auditors are trainers and mentors too.  Train, empower and encourage them to provide answers, help with solutions and add value whenever possible.  They should also help employees prepare for the external audit.
  • Ensure internal auditors are your process experts.  As they audit, ask them to verify for ISO issues and explain the standard to other employees.  While this is difficult with volunteer auditors, give them more time to prepare and execute the audit.  Get them to look for and encourage best practices.
  • An internal audit should be a learning experience for employees.  It should help the organization prepare for the external auditor.  Employees should be able to practice answering questions and as a result of the audit, employees should be more aware of their own process, what controls are important to make it successful and what measures exist.  This points them towards improvement.
  • Ensure your ISO audit covers all of the requirements of the standard each year.  While not a requirement of the standard itself, registrars, not unreasonably, impose this requirement.  Cross reference your management system to the standard and keep records of the comparison each year.  Management should be keen about this issue as a thorough review of the organization against the requirements of the standard helps ensure no stone goes unturned.
  • Mix up the schedule.  Ensure some audits are conducted by ISO clauses, some by procedures, some by department.  Ensure different people look at different processes from different perspectives.  Spend more time on those areas that are more important to you or that have caused more issues.  Ensure your internal audit team includes people from every department and every level.  Yes that means top management too and the delivery driver.  They see issues differently.
  • Allow the audit team some “team time” to remind themselves how to conduct the audits, review and discuss procedures and introduce areas for focus.  Involve top management to show commitment.   Similarly at the end of the audit allow a separate review meeting to discuss improvements and opportunities.
  • Ensure good practices are identified and communicated throughout the organization.  Get management involved in specifying where discovered best practices need to be adopted elsewhere in the organization.