Don't waste time and effort on ISO Internal Audits!

For many, Internal Audits are a sterile and mandatory drudge, carried out solely to obtain some records to show in an inane internal audit report to the external auditor. Such audits add no value to the organization for the resources applied. Yet, many organizations extract great value from the activity, including monetary value, which will please the boss. The choice is yours.

Since internal audits are a requirement of all ISO management system standards, you have to do them—and you might as well do them right! Therefore, you should have an Internal Audit Programme that follows best practices.

Here are ten suggestions from our ISO 19011 Course that can be applied to any Internal Audit Programme, regardless of the management system standard.

Table of Contents

1. Limit the use of Checklists
2. Use the Vertical/Horizontal Auditing method to cover all of the Standard's requirements.
3. Use your Process Map to identify the critical processes
4. Train your Auditors and develop their Interview Skills
5. Select knowledgeable Internal Auditors
6. Pair new Auditors with experienced expert Auditors
7. Seek Improvement Suggestions with three mandatory questions
8. Review all of the Audit Reports and not just the non-conformances
9. Implement value-add suggestions immediately
10. Report value-add suggestions requiring significant resources to the Management Review

How to Make the Best Out of Internal Audits

1. Limit the use of Checklists

Use checklists only when other forms of audit evidence are unavailable. Focus on a range of evidence, including documentation checks, record checks, interviews, auditor observations, auditors' checks, and sampling (e.g., counts).

Result: You avoid audits being sterile, 'box-ticking' exercises, which add no value for the organizations and are BORING for everyone involved. 

2. Use the Vertical/Horizontal Auditing method to cover all of the Standard's requirements.

Vertical Audits focus on following the steps of a process and are often based on the Procedure(s) that control the process. This is an excellent approach and is easy for the auditor and the interviewee to follow - any gaps in the logic of the process can readily be identified. 

However, vertical audits have limitations. This is a problem for audit program managers who historically limited their internal audits to auditing procedures alone. 

ISO 9001:2015 and other Standards using the HLS—high-level structure—have many requirements that are unlikely to be addressed in procedures. These include the organization and its context, the needs of interested parties, and leadership and commitment, to name just three.

Horizontal Audits are based on specific checks for compliance with specific requirements in a Standard. Here, checklists are most appropriately used.

Result: A combination of Vertical and Horizontal Audits ensures that all the ISO audit requirements are included in your internal audit plan and that no requirements are left unchecked. Thus, the risk of external auditors, including suppliers' auditors, finding significant non-conformances is greatly reduced.

3. Use your Process Map to identify the critical processes

ISO 9001 and most of the HLS Standards require identifying the processes involved in delivering quality products or services and establishing relationships between them. Most frequently, the requirements here are addressed by constructing a Process Map. 

But what use is then to be made of the Process Map? It is an excellent tool for a team to use in discussing and identifying those processes that are weakest, are most critical to quality, or are subject to the most frequent breakdown. 

In other words, a tool to aid in identifying those processes that logically should be audited more frequently (and this is reflected in your Internal Audit Schedule). And it is also recommended that all new Processes be audited with greater frequency for a period immediately after their introduction.

Result: You have a rational basis for choosing the frequency with which Processes are audited. And more confidence in the dependability of the overall results of your internal audit program.

4. Train your Auditors and develop their Interview Skills

Auditing skills, including documentation checks, record checks, interviews, auditor observations, and auditors checks and sampling, are not intuitive and need to be learned. 

Unskilled auditors will collect very little useful information, and their interview questions will likely be just a series of direct questions eliciting predictable answers. 

For example, the specific question: 'Do you check the bins daily as it states in this procedure?' will always get a positive answer. That will then be recorded in the audit evidence/report and is exactly useless! 

So, train your internal auditors appropriately. Our ISO Auditor online training courses are a cost-effective and efficient way to do this.

Result: Your trained auditors will gather a body of objective and varied evidence of conformance or otherwise with the requirements of your management system. You can base future decisions with confidence on such evidence. 

Available ISO Internal Auditor Training Courses

ISO Internal Auditor course options. Click on any course you are interested in to learn more about them.

5. Select knowledgeable Internal Auditors

Select Internal Auditors to ensure they have sufficient technical knowledge and/or knowledge of the audited processes to be effective auditors. 

Without a deep understanding of the Standard(s) against which they are auditing and the technical aspects of the processes being audited, auditors cannot, for example, understand whether the records they are examining conform to requirements or are nonsense.

Result: Knowledge of the Standard (s) and technical aspects is fundamental to the quality of the audit evidence being gathered and the confidence that can be placed in it.

6. Pair new Auditors with experienced expert Auditors

Consistently, experienced auditors will tell you that they weren't very good at auditing when they first began and improved greatly with practice. 

Don't then have unrealistic expectations of newly recruited and trained internal auditors. They will be weak and may become despondent regarding their own performance. But initially team them up with experienced auditors (even if this is considered 'overmanning'). 

7. Seek Improvement Suggestions with three mandatory questions

Your internal auditors have an ideal opportunity when interviewing staff at all organizational levels and functions to seek improvement opportunities. It is a shame that so few take advantage of this. At the close of each audit interview, just a few moments are needed to  ask three simple questions, namely:

1. What are we doing well?
2. What should we be doing better?
3. What changes should we introduce to this procedure/process/method/etc? 

Result: You will enjoy the benefits of a consistent and easy way to collect improvement suggestions that may otherwise be difficult to harvest. 

8. Review all of the Audit Reports and not just the non-conformances

Too often Audit Programme Managers scan Audit Reports to promptly initiate corrective actions where required and fail to get the other benefit that Audit Reports may provide. 

Suppose your Internal Auditors have been instructed to note good/best practices when and where they are found as a routine part of their internal audit activity. In that case, you then have an efficient way to identify best practices and a rapid way to spread them throughout the organization. 

Result: You should take every opportunity to promote good practice throughout your organization, whether you operate on a single site or are part of a multinational.

9. Implement value-add suggestions immediately

Don't delay in reviewing Audit Reports. It is too easy to fall into the trap of, say, collecting them and presenting them at the next Management Review, which might be in six or twelve months, to demonstrate how well the gathering of improvement suggestions is going. 

Your colleagues may well be impressed, but it is doubtful that the suggestions will receive the individual attention they deserve. Therefore, act on them immediately and, where possible/practical, implement them without delay. 

Result: Your colleagues at all organizational levels will be encouraged to continue making suggestions for improvement when they see their previous suggestions taken seriously and acted upon promptly. 

10. Report value-add suggestions requiring significant resources to the Management Review

Improvement suggestions from internal audits that require resources beyond current budgets will allow and need special handling. Suppose the benefits to the organization are significant enough (say, a break-even period of nine months). In that case, most organizations will make an exception to budget discipline and find the resources required. 

Such stellar opportunities are rare, and in most instances, the best approach is to assemble a group of suggestions and, with the aid of your colleagues, prepare a costed resource plan to present at the next Management Review. 

Reviewing resources is part of the Management Review agenda, so this is an ideal opportunity to introduce improvement plans that are likely to be quickly approved. 

Result: You will present improvement plans, including the resource requirements, at an ideal forum, ensuring a speedy and positive outcome.

Conclusion: What next?

Good internal audits combine reactive and proactive elements. You should seek to ensure that your internal audit program effectively addresses both these elements and adds value to your audits.

Good audits are reactive in that your auditors seek out non-conformances – failures of your management system to function as intended – and to initiate their correction. 

In many instances, the audits identify non-conformances that routine reporting of non-conformances has missed, perhaps through disinterest or a lack of understanding.

Good audits are also proactive, as the auditors are aware of and look for improvement opportunities. This proactive element may now require more time and effort.

Are you still not convinced? Will you stick with the minimalist approach (as the CB doesn't seem to care)? Well, then, I give up!

Related Articles

• Training ISO Internal Auditors is essential
• Why Checking the Competency of ISO Internal Auditors is Essential
• [Video] When ISO Auditor Training is hard to find
• Affordable ISO Lead Auditor Training Online
• ISO Auditor Training: A Modest Investment for a Big Payday!

deGRANDSON Global is an ISO Certified Educational Organization

We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment. It is a 'university grade' standard used globally by colleges and universities to demonstrate their competence.

We provide Courses for ISO 9001, ISO 13485, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Risk Management, Data Protection, and more.