News & Commentary on ISO Management System Standards

    ISO Internal Audit Programme best practice



    Don't waste time and effort on ISO Internal Audits!

    For many, Internal Audits are a sterile and mandatory drudge, carried out solely to have some records and an inane internal audit report to show to the external auditor. Such audits add no value to the organization for the resources applied. And yet many organizations extract great value from the activity, including monetary value, which will please the boss.

    Since internal audits are a requirement of all ISO management system standards, you have to do them, and you might as well do them right, with an Internal Audit Programme that follows best practices.

    Here are ten suggestions, taken from our ISO 19011 Course, that can be applied to any Internal Audit Programme regardless of the management system standard in question.

    Table of Contents

    1. Limit the use of Checklists
    2. Use the Vertical/Horizontal Auditing method to cover all of the Standard’s requirements.
    3. Use your Process Map to identify the critical processes
    4. Train your Auditors and develop their Interview Skills
    5. Select knowledgeable Internal Auditors
    6. Pair new Auditors with experienced expert Auditors
    7. Seek Improvement Suggestions with three mandatory questions
    8. Review all of the Audit Reports and not just the non-conformances
    9. Implement value-add suggestions immediately
    10. Report value-add suggestions requiring significant resources to the Management Review


    How to Make the Best Out of Internal Audits

    1. Limit the use of Checklists

    Use checklists only where other forms of audit evidence are not available. Focus on a range of evidence, including documentation checks, record checks, interviews, auditor observations, and auditors' checks and sampling (e.g. counts).

    Result: You avoid audits being sterile, 'box-ticking' exercises, which add no value for the organization and are BORING for everyone involved.

    2. Use the Vertical/Horizontal Auditing method to cover all of the Standard’s requirements.

    Vertical Audits focus on following the steps of a process and are often based on the Procedure(s) that controls the process. This is an excellent approach and is easy for the auditor and the interviewee to follow - any gaps in the logic of the process can readily be identified. 

    However, vertical audits have their limitations.  And this is a problem for those audit programme managers who historically limited their internal audits to auditing procedures alone. 

    There are many requirements in ISO 9001:2015 and other Standards using the HLS - high-level structure - that are unlikely to be addressed in procedures.  For example, the organization and its context, the needs of interested parties, leadership and commitment, to choose just three.

    Horizontal Audits are those based on specific checks for compliance with specific requirements in a Standard.  Here is where checklists are most appropriately used.

    Result: A combination of Vertical and Horizontal Audits ensures that all the ISO audit requirements are included in your internal audit plan and leaves no requirements unchecked. Thereby, the risk of external auditors, including suppliers' auditors, finding significant non-conformances is much reduced.

    3. Use your Process Map to identify the critical processes

    ISO 9001 and most of the HLS Standards require the processes involved in delivering quality products or services to be identified and the relationships between them to be established. Most frequently the requirements here are addressed with the construction of a Process Map.

    But what use is then to be made of the Process Map?  It is a great tool for a team to use in discussing and identifying those processes that are weakest, or are most critical to quality, or are subject to the most frequent breakdown. 

    In other words, a tool to aid in identifying those processes that logically should be audited more frequently (and this is reflected in your Internal Audit Schedule). And it is recommended also that all new Processes be audited with greater frequency for a period immediately after their introduction.

    Result: You have a rational basis for choosing the frequency with which Processes are audited.  And more confidence in the dependability of the overall results of your internal audit programme.

    4. Train your Auditors and develop their Interview Skills

    Auditing skills, including documentation checks, record checks, interviews, auditor observations, and auditors' checks and sampling, are not intuitive and need to be learned.

    Unskilled auditors will collect very little useful information and their interview questions are likely to be just a series of direct questions eliciting a set of predictable answers. 

    For example, the specific question: 'do you check the bins daily as it states in this procedure?' will always get an answer in the positive. That will then be recorded in the audit evidence/report and is exactly useless! 

    So get your internal auditors trained properly - our ISO Auditor online training courses are a cost-effective and efficient way of so doing.

    Result: Your trained auditors will gather a body of objective and varied evidence of conformance or otherwise with the requirements of your management system.  You can base future decisions with confidence on such evidence. 



    5. Select knowledgeable Internal Auditors

    Select Internal Auditors to ensure that they have sufficient technical knowledge and/or knowledge of the processes being audited to be effective auditors. 

    Without some depth of knowledge of the Standard(s) against which they are auditing, and of the technical aspects of the processes being audited, auditors cannot, for example, understand whether the records they are examining conform to requirements or are a load of nonsense.

    Result: Knowledge of the Standard(s) and of technical aspects is fundamental to the quality of the audit evidence being gathered and of the confidence that can be placed in it.


    6. Pair new Auditors with experienced expert Auditors

    Consistently, experienced auditors will tell you that they weren't very good at auditing when they first began and that they improved greatly with practice. 

    Don't then have unrealistic expectations of newly recruited and trained internal auditors. They will be weak to begin with and may become despondent regarding their own performance. Best then to team them up initially with experienced auditors (even if this is considered to be 'overmanning').

    Result: You will accelerate the rate at which they become proficient and, while they build their skills, you can have confidence in the audit reports being produced.

    7. Seek Improvement Suggestions with 3 mandatory questions

    Your internal auditors have an ideal opportunity when interviewing staff at all levels and functions within your organization to seek out improvement opportunities.  It is a shame that so few take advantage of this.  At the close of each audit interview just a few moments are needed to  ask three simple questions, namely:

    1. What are we doing well?
    2. What should we be doing better?
    3. What changes do you think we should introduce to this procedure/process/method/etc.?

    Result: You will enjoy the benefits of a consistent and easy way to collect improvement suggestions that may otherwise be difficult to harvest. 

    8. Review all of the Audit Reports and not just the non-conformances

    Too often Audit Programme Managers scan Audit Reports to promptly initiate corrective actions where required and fail to get the other benefit that Audit Reports may provide. 

    If your Internal Auditors have been instructed to note good/best practice when and where found as a routine part of their internal audit activity, you then have an efficient way to identify best practice, and a rapid way to spread it throughout the organization.

    Result: You should take every opportunity to promote good practice throughout your organization whether you operate on just a single site or are part of a multinational.


    9. Implement value-add suggestions immediately

    Don't delay in reviewing Audit Reports. It is too easy to fall into the trap of, say, collecting them and presenting them at the next Management Review, which might be in six or twelve months' time, to demonstrate how well the gathering of improvement suggestions is going.

    Your colleagues may well be impressed but it is doubtful that the suggestions will get the individual attention they deserve.  No, act on them immediately and, where possible/practical, implement them without delay. 

    Result: Your colleagues at all levels in the organization will be encouraged to continue to make improvement suggestions when they see their previous suggestions being taken seriously and acted upon promptly. 

    10. Report value-add suggestions requiring significant resources to the Management Review

    Improvement suggestions from internal audits that require resources beyond what current budgets will allow will need special handling. If the benefits to the organization are great enough (say a break-even period of nine months) most organizations will make an exception to budget discipline and find the resources required.

    Such stellar opportunities are rare and, in most instances, the best approach is to assemble a group of suggestions and, with the aid of your colleagues, prepare a costed resource plan to present to the next Management Review.

    A review of resources is part of the agenda for Management Reviews and so presents an ideal situation for you to introduce improvement plans with a real chance of them being quickly approved. 

    Result: You will be presenting improvement plans, including the resource requirements, at an ideal forum for a speedy and positive outcome.

    Conclusion: What next?

    Good internal audits combine reactive and proactive elements. You should seek to ensure that your internal audit programme addresses both these elements effectively and adds value to your audits.

    Good audits are reactive in that your auditors seek out non-conformances – failures of your management system to function as intended – and initiate their correction.

    In many instances, the audits identify non-conformances that routine reporting of non-conformances has missed, perhaps through disinterest or through a lack of understanding.

    Good audits are also proactive when the auditors are aware and on the lookout for opportunities for improvement.  This proactive element may be the one where more time and effort is now required.

    Still not convinced? Going to stick with the minimalist approach (as the CB doesn't seem to care)? Well, then I give up!


    Note: First posted on Jan 18; revised and updated on Jun 21.


    deGRANDSON Global is an ISO Certified Educational Organization

    In October 2021 we secured certification to three education-related ISO Standards. We now have a university-grade management system in place conforming to the requirements of …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.


    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems