Internal audits can be daunting, especially for a small business where most quality personnel wear many hats. There are a lot of resources available online, from certification companies and books—and it can be overwhelming. The internal audit process is reviewed at every ISO type audit (ISO9001, AS9100, ISO13485, etc.), so the pressure is on for the quality function at any size business.
Here are a few tips to make the process less complicated.
Developing The Schedule For The Internal Audits:
1. Create a cross-reference matrix showing the connection between the clauses of the ISO standard and your company’s procedures and the processes you intend to audit.
The cross-reference matrix helps ensure that all the required elements or clauses of the standard are covered in the internal audits.
2. Spread the internal audits over a few weeks or months so as not to overwhelm the auditor(s).
Cautions:
If you plan to audit your full quality management system every year, try not to schedule any internal audits 45-60 days before the 3rd party audit. This will ensure that all the internal audits are completed and that any corrective actions for any nonconformance identified during the internal audits are recorded in the corrective action system.
This will also give some time to those that are working on the corrective actions to start the investigations and even implement the corrective actions. The 3rd party auditor will be reaching out to you to collect some information to aid in developing their audit plan and they will most likely be asking for the internal audit schedule and perhaps some examples of the internal audit reports.
3. Review customer and 3rd party audit reports from the previous year.
These reports and checklists provide insights as to what is important to your customers that you can then integrate into your internal audits.
Reviewing the 3rd party auditor reports provides a level of detail as a reference for your internal audits.
4. Core processes like Production, Purchasing and Contract Review can be large audits as the clauses and requirements for these processes in the ISO standard(s) can be quite involved and detailed.
Consider breaking these audits down into smaller audits. Smaller audits can be a great for introduction for new internal auditors or auditors from other functions.
Using a smaller audit approach can also ensure the core process is covered within a few weeks and no one auditor is overwhelmed. In fact, having a lead auditor work with several auditors over the course of a few weeks can bring a fresh set of eyes to that part of the process as well as some ideas for improvements.
Planning To Perform The Internal Audits:
1. If you use checklists for internal audits, note the procedures that apply to that internal audit and the requirements of the related ISO standard. This aids in defining the scope of the internal audit; the scope of internal audit is a requirement in the ISO standards.
2. Review any audit findings within the last year as you plan each internal audit.
Access the previous year’s audit reports (customer, internal, and 3rd party audits) and review the corrective action log or listing for audit related corrective actions. This is a requirement of the ISO standards.
Add notes to your checklist for the procedure/process and/or requirement where the previous year’s findings were written. This will help ensure you review the associated corrective actions when you are performing the internal audit.
3. Do some homework:
Read the applicable procedures as you develop the plan for each internal audit.
As a 3rd party auditor, I have reviewed internal audits where it appeared that the internal auditor noted that a procedure existed and was more focused on confirming the procedure’s compliance to the ISO standard requirements versus ensuring the process is compliant.
Also, review a few purchase orders from key customers to note what requirements they have flowed to your organization. These flow down requirements may have an impact on your processes above your procedures and the ISO requirements. If you do see some unique requirements (i.e. record retention, directed suppliers, or inspection records) add a note to your audit plan and checklist so you can review those activities to ensure compliance. Internal audits are more than ensuring your QMS complies with your procedures and the ISO standards; complying to customer requirements is just as important.
Performing The Internal Audit:
1. Interview those involved in the process.
Talk to operators, inspectors, buyers, sales reps, and managers. The key to a solid internal audit is ensuring that those in the process are aware of the requirements noted in their procedures and they can access those procedures. This is also an opportunity to assess the awareness of those in each of the audited processes of their impact on the quality management system – how they impact the quality of the process they perform and their impact to the quality of the product, process or service of your organization.
Awareness is a requirement of the ISO standard and many organizations I have audited seem to focus on employees just knowing the quality policy. When in fact awareness is so much more than that – the ISO requirements are intended to bring the quality management system to all employees in the organization. Every employee has an impact on the quality management system because they can impact the quality of the product, process or service that you offer to your customers.
2. Review records over the course of a few months or a few quarters to confirm the consistency of the processes over time. It is encouraged to get a good sampling of records over the course of about three to six months. Sampling records over time gives you visibility into the consistency of the process.
Caution:
If there have been any procedure or process changes over the last year, focus your records review to the time frame after the process changes were implemented. This gives you evidence of how well the change was implemented.
3. Be as detailed as you can, list the records (travelers, purchase orders, customer POs, etc.) reviewed. It is encouraged to review a minimum of three records/forms/reports/work orders/etc. You may have heard the phrase “three data points indicate a trend,” well this can be applied to internal auditing as well. A sample of a minimum of three records, preferably more, provides evidence of process consistency.
4. Process based auditing – it’s not just for 3rd party auditors.
The objective of a process-based audit is at its foundation to assess a process from start to end. Internal audits can and really should be process-based. If you have process flow charts or turtle diagrams that overview the process, there are great tools to use as a guide for a process based internal audit.
An example would be a process-based audit for production. The internal auditor would walk through the production process just as if a new work order was being issued, from release of the traveler through the shipping process. An internal auditor can look for the connections from one activity or operation to the next. Third party auditors do just that when performing their audits. There are some great resources online to get an understanding of a process-based audit to see how you can integrate this into your processes if this would be a new approach for your team.
5. If the process is not followed as defined in a procedure or as required by the ISO standard and/or your customer, document it – write the nonconformance and open a corrective action.
It’s better to find the issue and document it in the internal audit than have a customer or 3rd party auditor find it for you. Corrective actions are often seen as a negative, rather, it is an opportunity to address the problem and look around to see if the problem might be prevented in other areas. Try to see internal audit ‘findings’ as a learning experience.
6. Verifying the effectiveness of corrective actions from previous audits (both internal and external audits) is important. Internal audits are a vehicle to assess the effectiveness of previous audit corrective actions. Noting the specific activities and records reviewed to ensure effectiveness is key to ensuring both the effectiveness of the corrective action process and an effective internal audit program.
Reporting
An internal audit report is more than just a completed checklist. It should include a summary or commentary on the overall process compliance to the defined requirements (procedures, ISO standards, and customer requirements). In addition, including information on the effectiveness of previous audit corrective actions ensures a closed loop process for the corrective action process. The audit report is an executive summary for the management team to understand where their attention may be needed and on risks that could compromise the overall process and even product quality.
Let’s not forget, the results of internal audits are an input into the management review process. The information provided from internal audits is used by management to make decisions on resource allocations and process improvements.
Summary
Internal audits not only assess compliance with quality system standards (i.e., ISO9001, ISO 13485, AS9100, etc.), customer requirements and company procedures; it’s an opportunity to look for process and procedure improvements.
The internal audit process is a great learning experience for those in other functions too. Recruiting personnel from other functions to support the internal audit process can benefit both the employee and the function they audit. Those outside the quality function bring fresh perspectives and questions.
I do hope these tips have taken some of the mystique out of the internal audit process. The examples provided are intended to give you some insight into the 3rd party auditor’s perspective that you can integrate into your own internal audit program.