deGRANDSON Global Blog

ISO 9001 Internal Auditing: DOs and DON'Ts

Written by Dr John FitzGerald | Dec 6, 2024

 

Wondering how to approach the requirements of ISO 9001 Clause 2?

Whichever Management System Standard (MSS) you need to conduct internal audits for, you have two basic approaches to choose from:

  • Option 1: do the minimum necessary to satisfy the Certification Body (CB)
  • Option 2: take full advantage of the opportunity the mandatory requirement offers.

You may well ask: Is it really worth my while putting time and effort into internal auditing, especially when I am going to meet resistance at every turn?

Here we’re going to consider both options and then you can decide which is best for your organization.

NOTE: The advice here applies to all Management System Standards (MSS) and not just to implementing ISO 9001:2015.

 

Option 1: Do the minimum to satisfy Clause 9.2 requirements

| Action | The benefit to the Organization |
|---|---|
| Focus on the basic performance and effectiveness of the management system (MS) from an impartial viewpoint (through choosing impartial internal auditors) | Satisfies a requirement of Clause 9.2 |
| Ensure that planned arrangements have been completed, not forgetting to audit processes that do not have procedures associated with them (Clauses 4 and 5 in particular) | Satisfies a requirement of Clause 9.2 |
| Ensure that the MS is effectively implemented and maintained. | Satisfies a requirement of Clause 9.2 |

With Option 1, you’ll have done a good job. But at what cost in terms of lost opportunity?

Option 2: Take full advantage of the opportunity Clause 9.2 presents

| Action | The benefit to the Organization |
|---|---|
| Develop an audit program directed toward ensuring the performance and effectiveness of the management system. | The internal audit becomes part of monitoring the system to check progress towards achieving the Management System Objectives and KPIs chosen, prompting timely action to ensure that they are going to be successfully met. |
| Develop an Audit Schedule to conduct audits throughout the year (e.g., monthly, quarterly, or annually). | Audit activity provides an ongoing reminder to colleagues of the importance of the Management System and its contribution to success. Reinforces awareness training or similar efforts. |
| Apply a risk-based approach to audit program development, considering critical processes, frequency, and other factors. | Processes are audited at a suitable frequency, with critical/failure-prone ones being audited most frequently. Early detection of failing processes saves time, money, and reinforces customer satisfaction. |
| Ensure the audit program considers managerial priorities, performance, audit history, and other factors. | Common sources of noncompliance are addressed, reducing the risk of major non-compliance and ensuring compliance with both CB and regulatory requirements. |
| Conduct audits according to the requirements of your Management System by project or process rather than specific ISO 9001 clauses. | Auditors find it easier to follow workflows and processes, resulting in more thorough audits and less likelihood of missing disjointed steps. |
| Have internal auditors professionally trained in interview, observational, sampling, and information review skills. | A variety of evidence-collection methods enhance the dependability of compliance and non-compliance findings, increasing management’s confidence in the Management System. Incremental improvements and corrections to processes and procedures will result, with occasional major improvement opportunities emerging from this effort. |
| Follow up on findings of good compliance and improvement opportunities identified during audits. | Audit reports that balance compliance findings and improvement opportunities ensure that audits are not perceived as ‘witch hunts’ and that good compliance is replicated. |
| Present evidence of good compliance and improvement opportunities to top management. | Highlighting positives in audit reports presented to management will reinforce the usefulness of the Management System and help secure additional resources for improvements. |

Conclusion

In our opinion, Option 1 is ‘what not to do’ and Option 2 is ‘what to do’ and, if you are the Audit Programme Manager for your organization, we strongly recommend it to you as part of your ISO 9001 implementation and maintenance. Yes, it is a lot more work, but the results will significantly benefit your organization (and mostly on the ‘bottom line’). It won’t do your career prospects any harm, either.