How to Conduct Internal Audits

Firstly, let’s start with why should we conduct internal audits?

The most obvious answer to this question is because ISO 9001:2015 clause 9.2 says we shall conduct internal audits. It isn’t an option. It’s non-negotiable in order to comply with the requirements of the standard.

In all fairness, the International Organisation for Standardisation (the main ISO body) puts itself through a similar process to ensure standards retain relevance amidst a shifting landscape. In fact, ISO 9001 was last reviewed in June 2021.

“Like all ISO standards, ISO 9001 undergoes a systematic review every five years to decide whether it is still valid or needs updating” it explained. “This is important to ensure the standard is still globally relevant and meets the needs of its users”.

You could say what’s good for the goose is good for the gander!

You see, internal audits are key for evaluating compliance of your management system to the standard. So, think of internal audits as opportunities to identify improvements, rather than a chore to grin and bear under duress.

Preparing to conduct internal audits

Before you actually go ahead and conduct internal audits, there are a few simple but effective steps to follow that make the process as hassle-free and painless as possible:

1. Make pre-arrangements - It’s vital to get an audit in the diaries of all involved personnel in advance, so that everyone has time to prepare and nobody feels like they’re being “caught out”. So, it helps to conduct internal audits on a date and time that allows relevant team members to get themselves audit ready.

2. Agree scope of audit – Besides setting a date, your team also needs forewarning about which part/s of the process or clause you’re auditing. This should be defined by the Audit Programme as part of your quality management system (QMS). In terms of how often you should conduct internal audits, the frequency depends on factors such as:

• Risks and opportunities identified
• Any previous non-conformities
• Results of internal and / or external audits

3. Choose an Auditor – You need to choose a credible Auditor or Audit Team who are independent of the process/es and / or activity/ies being audited, ensuring objectivity and impartiality.

Conducting the internal audit

With the preparation done, there are still certain steps to follow when you get stuck in and conduct internal audits.

First up, it’s essential to hold an opening meeting, as prescribed by ISO 19011: Guideline for Auditing Management Systems. This can range from a simple coffee chat to a formal staff meeting, depending on the complexity of the audit the nature of your business.

Whatever format your open meeting takes, the aim remains the same - To ensure auditees are aware of three fundamental things about the audit. These are it’s:

1. Nature
2. Scope
3. Objectives

It’s a logical step to conduct internal audits where previous audits left off. This means reviewing the following factors:

• Any previous audit findings
• The effectiveness of the actions taken to correct any non-conformities

Now, you’re ready to motor on with the audit of the selected processes, which might include steps such as, but not limited to:

• Interviews with staff members, (ensuring you record their full name and job title)
• Viewing of evidence such as calibration records, meeting minutes, reports, site inspection records, competency and training records, depending on the process being audited

The process or activity will be viewed as part of the audit process, including typical factors such as:

• Equipment used
• When equipment was last serviced or calibrated
• Whether equipment requires statutory inspection and when it expires

The Role of the Auditor or Audit Team

Bear in mind your Auditor or Audit Team is there to gather information, not provide it. You and your team will be doing most of the talking, not the other way around. 

Your Auditor will usually ask open questions about specific subjects, in order to drill down into the process, verify implementation and assess the effectiveness of your management system.

In addition to discussion, they’ll also base their findings on a sampling of evidence. To this end, it’s better to err on the sides of caution by pre-empting anything and everything they might ask to see. They won’t view every piece of documentation or evidence, but it’s better to provide them with too much than not enough.

What Happens When It’s Done?

So, what’s next after you conduct internal audits? Once you’ve achieved the criteria of the audit and are satisfied, a closing meeting is the perfect way to conclude proceedings till next time. 

It’s completely normal for closing meetings to include team members who were and weren’t part of the audit process, to:

• Clarify the scope and objectives of the audit
• Understand what was audited
• Assess whether the audit covered all the expected areas you initially talked about in the opening meeting 

Your Auditor should give a summary of the audit findings, including:

• Feedback on where the system is working well, (which helps reduce any negative perceptions about audits)
• Presentation of areas for improvement or observations about any non-conformities flagged during the audit, (should non-conformities exist, they shouldn’t be sprung on you during the closing meeting)
• Agreed timescales to close out any non-conformities, (assuming you accept them)

Finally, your Auditor should thank you and your people for your time and co-operation, invite any questions about the development of the system, and advise when you can expect your audit report to be ready.

Audit follow-up

If non-conformities are unearthed, you’ll need to switch to ‘mini audit’ mode.

This means taking a deep dive into the root cause and taking action to mitigate any non-conformities, leading to one (or more) of the following culminations:

• If no action or attempt is taken to close out findings in the agreed timeframe, your Auditor might choose to escalate this to senior management. 
• If action is taken but didn’t work, your Auditor might raise another non-conformity report or agree an alternative course of action.
• If action is taken and deemed effective, the non-conformity is closed out.

A final word… This article isn’t intended as an exhaustive list of all the mandatory elements for inclusion when you conduct internal audits. But it’s packed full of invaluable guidance. 

At the end of the day, every business and audit are different. There are varying levels of complexity to each audit, factoring in elements such as:

• Maturity of a management system
• Number of management systems being audited
• Location of business
• Size of business

Got questions? Get in touch with me, Meggan at Brookfields. Let’s see how I can help you, too, get through the auditing process with minimum of disruption and expense.