6 Main steps in the internal audit according to AS9100 Rev D
One of the key tools for ensuring the suitability and effectiveness of your aerospace Quality Management System (QMS) is the internal audit process. It is for this reason that the internal audit requirements of AS9100 Rev D are so important to implement. It is by routinely performing these reviews of your processes that you can continue to know that your QMS is performing as expected, and that the improvements that have been implemented are sustained.
So, you might wonder what the main steps are in the internal audit process.
The internal audit process: The main steps
The internal audit process is a systematic way to compare what is actually happening in your processes to what the expected outputs of your processes are. By doing this you can ensure that your processes are happening as planned and therefore implemented correctly, and you can assess the effectiveness of the processes in place. In clause 9.2.2, the AS9100 Rev D standard defines the six steps that are needed to implement internal audits, so what does it say?
- Audit program – The first step is to plan and establish your audit program. Who is responsible for the audits? What is the list of processes to audit, when will they be audited, and how often? How will you report audit findings to the auditees and management for review? This initial step can take some time because it takes into account the importance of the processes (more important processes may need to be audited more often), changes that are coming to your organization (when a change happens you may need to re-audit that process), and the results of previous audits (if a process has had problems in the past, it may need to be audited more often).
- Audit criteria and scope – For each audit you will need to define the extent of the audit and what the expected outputs for the process are. For example, if you have a purchasing procedure that is used by your purchasing department, then the activities of the department are the scope, and the procedure is your audit criteria. For processes without a written procedure you will need to define what the criteria are.
- Select auditors & perform audit – Who will conduct your audits? How will you ensure that they are impartial in their auditing? What do you consider to be the required competences for your internal auditors (i.e., what training do they need to do their jobs)? These auditors will then perform the audits by inspecting records, observing auditees in action, or interviewing people about the processes. Audit observations will be made with objective evidence, and potentially, these auditors will identify audit non-conformances and opportunities for improvement.
- Report audit results – Without audit reporting it is pointless to perform the audit. The immediate management for the process, sometimes called the process owner, needs to know the outcome of the audit. This allows them to know that their process is performing as expected, know that improvement activities are working, and know when there is a problem. In addition, top management review needs to include a report on audit findings so that adequate resources can be applied.
- Correction and corrective action – When there is a problem, it needs to be corrected without delay. If the problem is systematic, then an adequate corrective action investigation needs to take place to determine and eliminate the root cause so that the same or similar problems do not happen again. Even though the intent of the internal audit process is to verify conformance to the process requirements, when a problem is found it needs to be corrected so that the process can once again do what it needs to do.
- Maintain audit records – The reports of your audits are necessary for your audit program to function. In step 1, the audit plans took into account previous audits, and your audit record is where this is documented. Remember that like every other process, the internal audit process also needs to be audited, by both you and your certification body. These records are the evidence you have to show that this process is meeting the defined outputs and that it is effectively implemented. Without records, it is difficult to audit your audit process.
Is this all that is required for internal audits?
In short, yes. This process is the basic audit process as defined in the AS9100 Rev D standard, but you may wonder if there could be more detail included. The answer is also yes; there are ways to improve your internal audit process so that it goes deeper than the basics of internal audit. The AS9100 standard refers to a standard for auditing, ISO 19011, which contains the guidelines for auditing management systems, and is the standard used for training the certification body auditors who will be assessing your QMS for certification. If you are looking to improve your internal audit process, then this document can provide additional information to progress.
However, the important thing is to make sure that your internal audit process works for you. In many cases, this is achieved by making the process as simple as possible at the beginning, so that it can focus on determining that your processes are doing what is expected, and assessing your performance indicators for evidence that the processes are effective. Once you have determined that your QMS is being maintained, you can look to improving the internal audit process if you wish, because improvement is one of the key reasons for having a QMS.
For more on how to implement AS9100 Rev D, check out this free download: AS9100 Rev D Implementation Diagram.