Regular internal audits play a crucial role in strengthening organizations across various industries.
By ensuring a systematic and structured evaluation of processes and practices, internal audits allow organizations to identify and address issues proactively, reducing the risk of compliance failures.
This continuous cycle of audit and improvement fosters a culture of ongoing enhancement, contributing to operational efficiency. And it applies whether we are talking about financial internal audits or ISO Management System Audits.
Note: In the Anglosphere, the term internal audits is, for historical reasons, taken to mean a financial internal audit. In this Post, on the other hand, we are discussing ISO Management System Audits when we speak of internal audits.
Table of Contents
- Five Steps to Identify Improvement Opportunities from Internal Audits
- How to Ensure Your Internal Auditors Get the Training They Need
The Role of ISO Internal Auditors in Successful Audits
ISO Internal auditors play pivotal roles throughout the audit process, starting with the crucial responsibility of planning and preparation.
In the initial audit phase, internal auditors define the audit's scope, objectives, and criteria, laying the groundwork for a focused and efficient examination. They then conduct risk assessments to identify potential areas of non-conformance and inefficiency within organizational processes. This risk-focused approach guides their audit activities, ensuring a targeted and comprehensive evaluation.
Internal auditors gather evidence and assess compliance against established criteria in the actual audit phase. This includes interviewing personnel, reviewing documents, and observing processes. They also discuss the audit objectives, expectations, and findings with auditees, encouraging collaboration and a constructive atmosphere throughout the audit process.
Once they're done with the auditing, they conduct a thorough analysis and evaluation of collected evidence to determine the effectiveness and compliance of organizational processes. With this, internal auditors make sure that they not only identify non-conformities but actively seek improvement opportunities.
Lastly, internal auditors make sure that they document results accurately and comprehensively so they can provide recommendations for corrective actions or improvements. They may also participate in follow-up activities to verify the implementation of corrective actions. As a result, organizational responsiveness to identified issues is ensured.
Traditional Internal Auditing Practice
Historically, internal auditors have not been formally trained, and certification bodies (CBs) have accepted this practice.
Furthermore, CBs have accepted internal audit programs based solely on the auditing of procedures, work instructions, and other lower-level documents.
When many organizations migrated to the 2015 standards, the question arose as to whether the traditional approach would continue to be acceptable. Examination of ISO 9001:2015 and/or ISO 14001:2015 clearly indicates that formal training of internal auditors will be necessary.
In this article, we list five reasons highlighting the importance of training internal auditors. The first three arise directly from the standards themselves, and the final two are concerned with maximizing the benefits achieved with the best internal auditing practices.
Benefits of Having Trained Internal Auditors
In the ever-evolving landscape of quality management systems, having well-trained ISO internal auditors is beneficial and a necessity for organizations.
Because internal auditors play a crucial role in ensuring an organization's processes align with ISO standards, investing in their training can yield several benefits.
First and foremost, training equips internal auditors with the knowledge and skills needed to understand and interpret complex ISO standards. Because these standards are continuously subjected to updates and revisions, staying up-to-date on the latest changes is critical.
Proper training ensures that auditors are familiar with the current standards and prepared to adapt to future updates.
In addition, some standard requirements heavily emphasize different organizations' unique nature, needs, and capabilities. Because of this, trained internal auditors can tailor their auditing approach to align with their organization's specific needs, ensuring that the audit process is not just a checkbox exercise but a valuable tool for continuous improvement.
Moreover, trained internal auditors are equipped with methodologies for planning, conducting, and reporting audits in a systematic and organized manner. They also possess the interpersonal skills necessary to relay information clearly and constructively. When all of these are combined, trained internal auditors not only help organizations save time but also enhance audits' overall effectiveness, leading to more meaningful insights and actionable recommendations.
What Specific ISO Standards Say About Having Trained Internal Auditors
ISO 9001 and ISO 14001
Significant changes were made to ISO 9001 and ISO 14001, including many for which documented procedures are unlikely to exist. Consider just four such examples:
- Context of the organization, where the monitoring and review of information regarding external and internal issues affecting the organization is an entirely new concept
- Leadership, where the involvement of management is greatly expanded, and the need to involve top management in internal audits is a requirement,
- Planning, where the auditing of actions to address risks and opportunities is now a requirement and, consequently, an understanding of the application of these terms is needed and
- Organizational knowledge, where both the consideration of tangible and intangible assets is needed.
Internal Auditors will need to understand these terms and their interpretation and application.
There are also the Requirements of ISO 9001 Clause 9.2 Internal Audits. Could someone auditing the effectiveness of the implementation of procedures alone fulfill the requirements here?
Sub-clause 9.2.1 a) 2) requires audit evidence on whether the QMS/EMA conforms to 'the requirements of this International Standard.'
Without training, it is unlikely that an internal auditor will understand the requirements relating to policy, processes, procedures, and other documentation (including records).
Another example is the Requirements of ISO 9001 Clause 7.2 Competence.
Sub-clause b) here describes competence as an appropriate combination of 'education, training or experience.' Note that here, the word 'or' is inclusive and should be interpreted as 'and/or.'
Sub-clause c) requires the organization to 'take actions to acquire the necessary competence.'
Education and experience alone cannot make someone a competent internal auditor. And 'sit by Nellie' is hardly an effective or credible training method.
Any reasonable interpretation of each standard's Clause 7.2 requires internal auditors to be formally trained.
ISO 27001:2013, Clause 7.2 states:
"The organization shall determine the necessary competence of persons doing work under its control that affects its information security performance."
This clause emphasizes the need to determine the competence required for individuals involved in information security-related activities. Organizations are expected to ensure the competence of internal auditors through appropriate means, which may include training.
In ISO 13485, the requirements for internal audit competence are addressed in Clause 6.2.2 - Competence, training, and awareness:
ISO 13485:2016, Clause 6.2.2 states:
"The organization shall:
- a) determine the necessary competence for personnel performing work affecting conformity to product requirements;
- b) where applicable, provide training or take other actions to achieve the necessary competence;
- c) evaluate the effectiveness of the actions taken."
This clause emphasizes the determination of competence, provision of training as needed, and evaluation of the effectiveness of those actions. It encompasses personnel involved in activities affecting product conformity, including internal auditors.
ISO 45001:2018, Clause 7.2 states:
"The organization shall:
- a) determine the necessary competence of person(s) doing work under its control that affects its OH&S performance;
- b) ensure that these persons are competent based on appropriate education, training, or experience;
- c) where applicable, take actions to acquire the necessary competence and
- d) evaluate the effectiveness of the actions taken."
This clause aligns with the structure found in other ISO management system standards. It emphasizes the importance of determining the competence required for individuals involved in activities that impact occupational health and safety (OH&S) performance. The organization is responsible for ensuring this competence through education, training, or other means, and the effectiveness of these actions should be evaluated.
Trained Internal Auditors and Gathering Evidence of ISO Standard Compliance
Various ISO standards mention different data-gathering tools and techniques. These include:
- interviews with employees and other persons;
- observations of activities and the surrounding work environment and conditions;
- documents, such as policy, objectives, plans, procedures, standards, instructions, licenses and permits, specifications, drawings, contracts, and orders;
- records, such as inspection records, minutes of meetings, audit reports, records of monitoring programs, and the results of measurements;
- data summaries, analyses, and performance indicators;
- information on the auditee's sampling programs and procedures for the control of sampling and measurement processes;
- reports from other sources, for example, customer feedback, additional relevant information from external parties, and supplier ratings;
- computerized databases and websites.
Without training in these techniques, weaknesses and noncompliances will likely be left undetected and be found subsequently by external auditors.
Consider for a moment how much better your internal audits would be in gathering interview evidence and in identifying improvement opportunities if they followed the following 5-step guide.
Five Steps to Identify Improvement Opportunities from Internal Audits
- Begin with Open Questions (as in 'open-ended' - What is the role of your function? How do you do that?)
- Ask Specific Questions to get specific information (Which lot numbers were involved?)
- Ask 'What-if' Questions to get more information on a topic.
- Ask to see the records, documents & other evidence
- Listen; don't talk except to ask questions or paraphrase answers.
Only with trained internal auditors familiar with these methods can your organization benefit!
How to Ensure Your Internal Auditors Get the Training They Need
We would suggest that formal ISO 9001 internal auditor training and/or formal ISO 14001 internal auditor training (with certification examinations) is the best approach to ensure the competency of internal auditors and maximize the potential benefit arising from the internal auditing process, which process you cannot avoid.
Of course, we have a vested interest; we are an online ISO Auditor Training Company. However, that doesn't mean everything stated above isn't absolutely true!
ISO Internal Auditor Courses Image Map. Click on any course you are interested in and see the full overview of each one.
- ISO Auditor Training: A Modest Investment for a Big Payday!
- Certified ISO Auditors Need Further Training - It's About Competency
- Internal Auditor Courses - Overview
deGRANDSON Global is an ISO Certified Educational Organization
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.