ISO 9001 Internal Audit
The ISO 9001 internal audit requirements (ISO 9001:2015 – clause 9.2) provide a platform for self-assessing compliance with both the ISO 9001 standard and your own internal processes. The main purpose of internal auditing is to verify that the management system has been effectively implemented and maintained. It also allows for identification of continuous improvement opportunities throughout the organization.
You have two choices as to how your internal audits are executed. You can train and maintain your own internal auditors or outsource this activity and allow external auditors to complete the work. Either way, you will still be responsible for audit planning activities and implementing corrective actions to address nonconformances cited.
The ISO 9001 internal audit clause requires you to plan your audit activities and establish the “audit program”. Planning can be accomplished in numerous ways; however, plans should be appropriate for your organization. Some organizations complete their entire audit all at once, usually on an annual basis, while others spread audit efforts throughout the year in monthly or quarterly events. Note that the audit plan should cover and include assessment of all aspects of the ISO 9001 management system and all related system and organizational processes.
When establishing audit schedules and assigning resources, make sure that internal auditors do not assess areas of the organization for which they have responsibility or influence. For example, someone who works in purchasing should not be assigned to audit the purchasing processes. This will ensure that objectivity and impartiality are maintained as required by ISO 9001-9.2.2c.
Back in the day, auditing each aspect of the organization and management system once per year was considered adequate. Now, based on changes to audit requirements (clause 9.2.2a), audit planning should consider the following:
- The importance of processes to be assessed,
- Changes to the organization and/or management system,
- Results of previous audits.
This provides another opportunity to utilize a risk-based approach within your organization, in this case, to define the audit plan and schedule. Use the criteria above along with any other applicable criteria to determine where and when to complete audit activities. This might result in more frequent audits for one function or management system element as opposed to others. One area might get audited every 6 months and another every 2 years. This allows for flexibility in the schedule and for allocation of audit resources towards the areas of the organization that are most important or present the greatest risk.
You will need to complete a full initial internal audit prior to your ISO 9001 stage 1 certification audit so plan accordingly. If you intend to utilize internal auditors, they will need to be trained and demonstrate competency prior to executing this audit. For many smaller organizations, it might be easier to outsource this initial audit, especially if certification timelines are tight and internal auditor availability is limited. With the right external resource, you might even be able to leverage the auditor to complete some of the internal auditor training, if desired.
The audit plan and schedule should be documented and records should clearly demonstrate that the audit plan has been properly executed.
Internal Audit Resources
We alluded above to the fact that you can choose to either train and maintain internal employees as auditors or elect to retain and utilize external resources to fulfill and execute your audits. There are pros and cons to each solution and you should consider these when deciding how to proceed. Here are a few things to consider:
- Cost: The cost to train a new auditor can be significant. We recommend a 2-3 day classroom course for lead internal auditors at a cost of $1200 – $1500 plus travel expenses. Getting two or three auditors initially trained can cost upwards of $5,000. Outsourcing isn’t cheap either. Auditors will often charge around $1,000 per day plus expenses and you can generally count on a full day of audit time plus an additional day for every 10-15 employees in the organization. A full internal audit completed by an external resource for a 25-person company could cost north of $2,000. Also consider employee and auditor turnover and factor that cost into your long-term budget projections.
- Employee Productivity: Using internal employees temporarily removes them from their assigned roles. Consider possible disruptions and decreased productivity when employees step away from normal duties to complete audit activities. This goes beyond the actual audit and includes time to plan for the audit, establish logistics, write reports, etc.
- Audit Quality: It is most likely that your internal auditors will be novices and lack significant audit knowledge and experience. External auditors are professionals and auditing is just about all they do, so there is no question that an external auditor will bring superior knowledge and competency to the table. On the flip side, your internal personnel know the organization and how it operates. They will understand many of the nuances and details about the company that the external auditor won’t be able to pick up during their limited time in the facility.
- Partiality / Objectivity: One concern about using internal auditors is the ability for the audit to remain objective especially when you consider conflicts of interest which might exist between various employees or functions. External auditors bring full objectivity eliminating conflicts of interest that might exist internally. This is one of the reasons that no auditor is allowed to audit any functional area in which they have responsibilities or influence. Also consider if management within a functional area can significantly influence the auditor and audit outcome in an inappropriate manner.
- Audit Effectiveness: Internal auditors, especially those who are inexperienced, can often focus on the small insignificant findings rather than the bigger-picture issues. External auditors can often see the forest for the trees and identify the more systemic issues which result in significant improvement opportunities.
Also consider the culture within your organization and your employees' desire or passion to be auditors when determining whether to use internal auditors or external contractors.
Internal auditors should complete some level of training to obtain appropriate audit competencies and training records should provide objective evidence of competency. Most organizations require internal auditors to complete formal auditor training, usually through an external training organization. You might also consider having a trainer complete the course at your facility when it makes sense. A Google search will uncover numerous training resources for ISO 9001 internal auditors. Do your homework and choose wisely as not all training is equal. You get what you pay for in life.
If you choose to utilize external auditors, be sure to evaluate and qualify these resources per your “Control of External Provider” process. These resources must be included on your Approved Provider List (APL).
As you execute each audit, be sure to define the criteria and scope for assessment. Criteria will certainly be the ISO 9001 standard requirements and clauses which apply to the area to be audited along with all applicable processes and process documentation. Scope just clarifies the areas, functions, personnel, etc. to be included in the assessment. Be sure to define things that are out of scope where needed.
Results of the audit must be reported to relevant management, usually the personnel who have oversight for the area of the organization assessed. Results must be documented, usually in some type of audit report. Remember that audit findings absolutely should NOT be used to punish or penalize the area of the organization where the nonconformity happened. This will only result in behavior to hide issues and avoid future findings. You want to find the areas of the organization that might be out of compliance to drive overall improvement for the whole organization. Plus, you would rather find these issues during an internal audit, not during your ISO 9001 certification or surveillance audit. Celebrate internal audit findings and support corrective actions in a positive manner.
Note that results of audits form a direct input to Management Review activities. Also, audit results need to be analyzed and evaluated to help determine the performance and effectiveness of the management system per ISO 9001-9.1.3c (Analysis and Evaluation). More on these clauses in future articles.
Upon completion of the audit, appropriate corrective actions should be initiated and completed for any cited nonconformities per your established Nonconformity and Corrective Action process.
ISO 9001 internal audit requirements provide an excellent tool to fully assess the performance of your organization and the effectiveness of the management system. Findings offer an opportunity to drive improvements within the organization and become a better company. Define an ISO 9001 internal audit process that best fits your organization while instilling an associated culture of improvement and growth rather than punishment and retribution.