Why You Should Outsource Your Internal Audits

outsource-auditingInternal audits often provide the biggest problem for ISO-certified organizations. Fundamentally nobody objects to internal audits, the goal is to optimize them but that can mean different things.

Management recognizes that audits are supposed to review the way the organization is operating to ensure that processes are followed as expected, to ensure they are still achieving the goals set, and to look for opportunities for improvement. However, when they don’t see audits reporting any problems or finding things to improve then the tendency is to move for cost reduction. Can we reduce the duration and the cost of the audit? If there are no findings then my processes must be excellent – I don’t need to audit them. Of course, the problem is that the reason nothing was found and no improvements were suggested is because the audits themselves were not effective. Management must ensure that audits are effective and demand detailed justification if processes are reported without error. They must also demand improvement. All processes can be improved and audits need to provide this for management. Once this is achieved then cost reduction may be possible.

The first problem with internally resourced audits is that nobody wants to do them. This is not what their career path is, this is not their chosen vocation and they know that when they get back to their day job nobody has done their work for them. This is not something to be desired, it is extra work to be avoided and minimized. Of course, some people do want to do auditing. Sometimes this is because they are not busy – usually for a reason, or because they need to find a way to get a leg up in the organization (meaning that probably for good reason management has not selected them for other opportunities). Really good internal auditors would be people with substantial experience in the organization. Overall knowledge of how things work and respect on a business and personal level from all people in the organization. Yes – these people are your senior managers and these people don’t have time, don’t want to audit, and rarely ever get involved. So what the internal audit is left with is an under-resourced team of dedicated personnel.

The next problem is that these people are rarely adequately supported. They may have auditor training but because they do this once a year for a few days it’s easy to forget. It is difficult to remember the types of things they should be looking for, how to determine conformance, how to assess a process for effectiveness and with limited experience, it is difficult to identify opportunities for improvement. Training should ideally be provided every year and each auditor mentored and supported by people who do have the experience of the organization. Typically auditors are cautious about what they say. They are unsure if a process is effective or not and tend not to say anything. Their findings normally focus on errors with procedures and occasional administrative improvements.

One indicator of the performance of your internal audit team is whether they catch all issues before the external auditor has findings. Not only does this protect your certification but it reduces effort and administration. If your external auditor is finding things then you have to question your approach to internal auditing.

Outsourcing internal audits is the solution that all ISO-certified organizations should be doing. Internal people have jobs to do, do not spot the issues before the external auditor, and are not driving improvement. The outsourced internal auditors not only protect your certification but are ISO experts. They should be coaching, training, and helping as they audit (good internal auditors are different from external auditors). They should be experienced enough to identify any issues in your ISO system and allow solutions before the external auditor gets there. They should have wide-ranging knowledge of organizations and subjectively advise about the effectiveness of your system and challenges for improvements. Management should again demand this of internal auditors irrespective of the fact that they are outsourced – it’s just that now the benefits of good internal audits can be realized.

In practice, outsourced audits are probably cheaper. Internal resources would require twice as long to complete the same audit activities that a good outsourced auditor does. Add to that the missed work value, that auditing will be a distraction to their normal job and costs of training, preparation, reporting, and on-going communication and questions.

The outsourced internal auditor should be good enough to spot things before the external auditor. If the external audit does have findings, you now have a resource to at least discuss these findings. Are they valid? Should a challenge be made? What would be a good root cause and corrective action? Access to expertise even on a casual basis is incredibly valuable.

This does all rely on the fact that the outsourced auditor must be good. While simply being good is the ultimate test, someone with lots of auditing experience, IRCA and RABQSA qualifications, experience with consulting, qualified trainer, and other ISO experience all indicate the ability of the auditor.

Perhaps the last point is that if you don’t consider why your internal audit team is not spotting findings before your external auditor… your external auditor might! They should be questioning the effectiveness of your internal audit process if they are finding things that should have been caught internally. This question doesn’t come up often in audits but accreditation agencies are getting more thorough all the time. It can only be a matter of time before they push certification bodies to get tough on internal audits. And why wait anyway. The benefits are there to justify outsourcing your internal audits now.

Five Easy Pieces: The Basic Steps to ISO 9000 - Download our eBook and understand ISO's best known standards