Five Main Steps in ISO 9001 Internal Audit

Many companies see the required process for Internal Audit as a form of necessary evil that they need to endure in order to maintain ISO 9001 registration. At best, they think it is a duplicate effort of the registrar, not realizing that the Internal Audit can be much more effective because it looks at the processes more often and more thoroughly than the registrar has time for. At worst, the Internal Auditors are seen as some sort of internal police force that it is best to protect yourself against by hiding essential data or outright misleading with false information.

Steps in ISO 9001 Internal Audit

1) Planning the Audit Schedule
2) Planning the Process Audit
3) Conducting the Audit
4) Reporting on the Audit
5) Follow-up on Issues or Improvements Found

Steps in the internal audit

In fact, as a process owner, the ISO 9001 Internal Audit process can be the best way to have an outside set of eyes take a close look at your process. They can help identify areas for improvement, or possibly complacency, which can help your process to run better, faster or more efficiently. Below are five main steps that explain how to conduct an internal audit according to ISO 9001, and how they can best be used to focus the internal process owners on improvement of those processes.
ISO 9001 Internal Audit: Five main steps to make it more effective
1) Planning the Audit Schedule. A key part of a good process is having an overall Audit Schedule that is readily available to let everyone know when each process will be audited over the upcoming cycle (usually a yearly schedule). If you were not to have a plan and went with surprise audits, the message that is given from senior management is “We don’t trust our employees.” By publishing the audit intentions, the message is that this is meant as a support to the process owners and the auditors are there to help. This can allow the process owners to time the finish of any improvement projects that they are working on to be before the audit, so that they can gather valuable information on the implementation, or to request the auditors to focus on helping to gather information for other planned improvements.

2) Planning the Process Audit. The first step in planning the individual process audits is to confirm with the process owners when the audit will take place. The overall plan above is more of a guideline as to how often processes will be audited, and roughly when, but the confirmation allows the auditor and process owner to collaborate to determine the best time to review the process. This is when the auditor can review previous audits to see if any follow-up is required on comments or concerns previously found, and when the process owner can identify any areas that the auditor can look at to assist the process owner to identify information. A good audit plan can make sure that the process owner will get value out of the audit process.

3) Conducting the Audit. An audit should start with a meeting of the process owner to make sure that the audit plan is complete and ready. Then there are many avenues for the auditor to gather information during the audit: reviewing records, talking to employees, analyzing key process data or even observing the process in action. The focus of this activity is to gather evidence that the process is functioning as planned in the QMS, and is effective in producing the required results. One of the most valuable things that an auditor can do for a process owner is not only to identify areas that do not have evidence that they are functioning properly, but also to point out areas of a process that may function better if changes are made.

4) Reporting on the Audit. A closing meeting with the process owner is a necessity to ensure that the flow of information is not delayed. The process owner will want to know if there are any areas of weakness that need to be addressed, but will also be interested in knowing if any areas exist that might be improved. This should be followed with a written record as soon as possible to provide the information in a more permanent format to enable follow-up of the information. By identifying not only the non-conforming areas of the process, but also the positive areas and potential improvement areas, the process owner will get a better value from the Internal Audit, which will allow for process improvements.

5) Follow-up on Issues or Improvements Found. As with many areas of the standard, follow-up is a critical step. If problems have been found and corrective actions taken, making sure that the problem is actually fixed is a key part of fixing it. If improvement projects have been completed from opportunities identified in the audit, then seeing how much the process has improved is a great motivator for future improvements.

Focus on process improvement to get the most out of an Internal Audit

By using the Internal Audit process to focus on helping to improve the processes, and not just to maintain compliance, the company can see more value out of the audits. Process improvement is one of the key elements of an ISO9001 Quality Management System, and should be one of the main motivators of a company that wants to implement and maintain a good QMS. Process improvement not only helps with efficiency, but saves time and money in the process. If used properly, the Internal Audit, instead of being a “necessary evil,” can be one of the biggest contributors toward process improvement in the QMS.

To learn how to perform these steps, see this free online training: ISO 9001 Internal Auditor Course.

Advisera Mark Hammar
Mark Hammar
Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.