Unfortunately, the purpose of the internal audit is very often misunderstood – it is usually perceived as a bureaucratic activity with no real benefit.
However, the main purpose of the internal audit is to help improve the way your system is managed in your company – this improvement is possible because the auditor is in the perfect position to see what’s going wrong, and by having this deeper insight, he or she can help resolve these problems.
The benefits of the internal audit are manifold. In addition to the improvement of your management system, the internal audit is the key source of information for the management review.
Also, a very important aspect is that through internal audit the employee awareness is raised for, e.g., quality issues in your QMS (Quality Management System) or information security issues in your ISMS (Information Security Management System), as well as their participation in improving the management system.
An ISO internal audit consists of the following seven elements or steps, which should be performed in this sequence:
1.Document Review :
In this step you should review all the policies and procedures and check whether they are compliant with your ISO standard; also, this step is crucial for creating the work documents (i.e., the checklist) in the next step.
2.Creation of the internal audit checklist :
Based on the insight from reading all the documentation, you should prepare your notes in the form of a checklist, which will help you remember what you need to do during the main audit.
3.Writing the internal audit plan :
The internal audit plan will help you plan the detailed timing, people you will talk to, and so on.
4.Conducting the main audit :
This is the most important part of your internal audit, which you will have to perform on-site, where the actual activities are taking place.
During the main audit you’ll need to talk to people, look for records, and observe whether everything is compliant with the standard, with the company documentation, and with other requirements.
5.Writing the internal audit report :
In this step you have to document your audit findings.
6.Writing the corrective action requests :
This is where you have to initiate the process of resolving the non-conformities you have found.
7.Conducting the follow-up on corrective actions :
In this step you have to make sure all the nonconformities have actually been re- solved.
As you probably noticed, these seven steps are logically related one to each other, and you’ll have to perform all seven of them if you want your internal audit to be successful.
Performing Document Review :
The purpose of the document review is two-fold:
- To check whether the policies, procedures, and other documentation are compliant with your ISO standard and other requirements from interested parties, and
- To get to know the company better and prepare the audit checklist and the audit plan.
Basically it works like this: you have to take all the documents and read them one by one in some logical sequence, and determine whether all the requirements from the ISO standard and from interested parties are met.
It is also advisable to take some of the most important records, like list of legal, regulatory and contractual requirements; corrective actions; and management review minutes; and check them during this step.
You should also check the most important records for particular management systems, e.g., incident log for the EMS and ISMS, and customer com- plaints for the QMS.
If you do not have much experience in auditing, the best option would be to read the documentation in the same sequence as the standard is written – start with the documents related to clause 4, then move on to documents related to clause 5, etc.
When you read the documentation, you have to take two types of notes:
• Notes about what you will need to check during the main audit :
For example, check if authorized employees have access to particular reports, or check if the responsible person is performing specific trainings as prescribed by the company’s training procedure – these notes should be part of your internal audit checklist.
• Notes about nonconformities :
if you find that something is not compliant with the standard or with other requirements, you have to formalize these findings through the internal audit report.
You can perform the document review on-site, in the department you’re auditing, or off-site in your own office; it doesn’t really matter where you do it – both approaches are fine.
If you need any explanations from the auditee, you can call the responsible person, so there is no need to be in the same location.
Creation of the internal audit checklist
As mentioned before, the purpose of the internal audit checklist is to remind you of what you have to do during the main audit – the biggest problem during the main audit is that you’ll have to speak to lots of people, look for various types of evidence, think of various clauses of the standard, and have in mind many internal policies and procedures, and all of that is almost impossible without having some kind of a reminder.
As mentioned in the previous section, you’ll create this checklist during the document review – as you are reading the internal documentation, learning what internal rules the company has and which records need to be produced, you must take notes on what you’ll need to check.
So, for example, check if all interviewees have access to the document management system where the entire documentation is stored, check if all the records are produced as prescribed by particular documents, etc.
So, obviously, such a checklist has many benefits; however, it also has its disadvantages – the biggest problem with a checklist is that it might drive you in one direction during the main audit and cause you to miss some newly discovered leads that haven’t been planned for in your checklist.
For example, while checking whether the corrective actions have been performed correctly, you might have heard that the top management did not invest enough resources into resolving the nonconformities, but because it wasn’t on your checklist you didn’t pursue that lead any further.
Therefore, when creating the checklist you have to remember that it is only a helping tool; it is not something you must follow 100%.
There are various approaches to writing the checklist, but probably the best one is where you use a document with four columns:
This would contain, e.g., the clause number of the standard, or section number of a policy, etc.
2.What to look for :
This is where you write what it is you would be looking for during the main audit: whom to speak to, which questions to ask, which records to look for, which facilities to visit, which equipment to check, etc.
This column you fill in during the main audit, and this is where you conclude whether the company has complied with the requirement.
In most cases this will be Yes or No, but sometimes it might be Partially or Not Applicable.
This is the column where you write down what you have found during the main audit: names of persons you spoke to, quotes of what they said, IDs and content of records you examined, descriptions of facilities you visited, observations about the equipment you checked, etc.
In such a document you use only columns 1 and 2 for creating the checklist, while columns 3 and 4 are used during the main audit for recording the findings.
Here’s an example of an internal audit checklist that is focused on ISO 27001 clause 4.2 (Understanding the needs and expectations of interested parties); the data filled out in the third and fourth columns are only examples of what an internal auditor might write during the main audit.
During the document review you can also create some other work documents for your internal audit (e.g., forms in which you will collect the information), but in most cases the internal audit checklist, in the form that is described above, will be
Writing the internal audit report
The internal audit report is a mandatory document according to ISO standards, which is quite logical – how would you be able to communicate the results, if not in written form? More importantly, these results need to be remembered for at least a couple of years, so writing a report is the only way to do it.
Generally speaking, this report has three parts:
- The general part where you have to fill out the dates, name(s) of the auditor(s), which part of the company you audited (audit scope), audit criteria, audit objectives, and other general information.
- Audit findings – nonconformities you have found and your observations.
- Audit conclusions – your general opinion on how much the company is compliant with the standard, and how well the management system fulfills its objectives.
The biggest part of this report will be a list of nonconformities and observations , and the best way to describe the nonconformity is to write down these four elements for each nonconformity:
- An exact reference to a clause of the standard or to the section of a document against which you found the nonconformity – e.g., “ISO 9001 standard clause 7.2 d).”
- A short description of the requirement that was not complied with – e.g., “The standard requires the existence of evidence of trainings.”
- A description of what you have found – e.g., “The training records for induction trainings were not kept in the HR department, although those trainings were important for the QMS.”
- An exact reference to the evidence – e.g., “HR department archive on February 12, 2017, did not contain any records on induction trainings.”
Observations are usually in a non-structured form: a couple of sentences where you describe what is good or what could be better will suffice – for example, “The QMS trainings could include more time for handling customer complaints because in some cases, the reaction to a complaint was not quick enough.”
You do not have to make this report too detailed, but it does need to be very precise
Initiating corrective actions
Corrective action requests or reports (usually referred to as “CARs”) are a formal way to ask the company to resolve a nonconformity.
These CARs are written based on the internal audit report, and in many cases they are written by the internal auditor – although it is not mandatory for the auditor to write them.
Sometimes the corrective action requests will be written by persons who are in charge of certain areas – for example, if a nonconformity related to training records is found, then the head of the HR department might write the CAR.
Once you submit your internal audit report you should agree with your boss as to who should write the corrective action requests.
ISO standards require companies to establish a process for handling corrective actions (and write a procedure if they find it appropriate), so the internal auditor must write this corrective action request according to the established process/ procedure in the company.
In any case, such corrective action must define exactly who is in charge of resolving the nonconformity, the deadline, the cause, etc.
Corrective Action Follow-Up
The internal audit job does not stop with writing the corrective action requests – internal auditor needs to make sure that nonconformities are really resolved.
This is done by looking at the corrective action form that should be filled out by the person who will complete the corrective action – these forms provide insight to the internal auditor on what has been done.
Using this information, the internal auditor needs to make sure that this particular corrective action has been performed, and if it has really resolved the root cause of the nonconformity.
So, in fact, this follow-up will be a kind of small audit, focused only on this nonconformity – the internal auditor should use all the internal audit techniques; the only difference is that the scope in this follow-up will be smaller.
In summary, to make your audit process succeed, take care of the following:
•Be careful not to skip any of the seven steps in the internal audit process.
•Thoroughly perform the document review to prepare yourself for the audit.
•Create your own internal audit checklist that will guide you through- out the main audit.
•Make your internal audit report short and precise.
•Initiate all the corrective actions to make sure that responsible persons will see them.
•Consider your job finished only after you verify that the corrective actions have been resolved.