All posts by Sal

30 years in the Quality field including experience as QA Manager for a Fortune 100 company and as a Quality System Certification auditor for the top Registrars in the field - plus over 10 years of Information Technology Management in dual roles. Specialties: ISO 9001 Quality, ISO 14001 Environmental, OHSAS 18001 Safety, ISO/IEC 27001 Information Security, RAB QSA Certified Assessor.

“Leadership” – 9001:2015 Draft of Section 5

Leadership: The art of getting someone else
to do something you want done
because he wants to do it. – Dwight D. Eisenhower

ISO 9001:2015 has an entirely new layout and some new content. A few weeks ago, we looked at section 4, “Context”. Continuing along in the series, here’s a look at the next section.

ISO 9001:2015 Draft – Section 5 “Leadership”

The entire section borders on an exercise in semantics as this concept is an offshoot of the previous version’s “Management Commitment”, at least as a starting point. There are some definite differences though, so I wouldn’t gloss over it.

The section starts out with “Leadership and commitment” and that it shall be demonstrated. One might ask how – well, specifically by eight methods. I’ve decided not to rehash the three that already exist (almost verbatim) as requirements in ISO 9001:2008, but there are a few differences, or at least accentuations of previous focus:

  • Promoting awareness of the process approach. An interesting one there. Auditors would expect some level of training. There will likely be a valuable debate as to the difference between “awareness” and “training”. This is an important distinction, because if it is training, then there has to be some measure of training effectiveness.
  • Ensuring that the quality management system achieves its intended outputs. Not exactly new, but it does highlight the focus on the process approach. It implies the outputs have to be defined.
  • Engaging, directing and supporting persons to contribute to the effectiveness of the quality management system. This should be interesting from an audit perspective; some kind of evidence will need to be present.
  • Promoting continual improvement and innovation. I get a small kick out of this one, because it mentions “continual improvement” – when the word “continual” has been stricken from the gospel in the 2015 version. Ultimately, I expect this to read “Promoting improvement and innovation”… and “innovation”? I’m as interested as you are in what one might look for to show innovation. Benchmarking? Innovation in what context? There are some business models that thrive on creating for the status quo. Questions that I hope the next draft irons out.
  • Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. This is referring to a pass-down effect to avoid islands of leadership within the larger organization.

The next subsection is “Leadership and commitment with respect to the needs and expectations of customers”.

Two main concepts here, “customer focus” and “risks” – both are combined to address the determination of customer requirements including any applicable statutory and regulatory requirements, as well as enhancing customer satisfaction by meeting them.

Really, other than risk – which is more deeply ingrained in another section – this is not too different from what exists.

Quality policy is within element 5, no big surprises with regard to content. Let’s not worry about it for now.

And lastly, the section contains “organizational roles, responsibilities and authorities” again, nothing new here, other than a focus on intended outputs. Very much an expansion of the old section 5.5 with a few related consolidations from other sections.

There you have it, a quick summary of what is currently in the draft of the next version of ISO 9001. Naturally, the content of the draft is likely to change to some degree, so I wouldn’t make too many changes to your current system or documentation. But it does give a good indicator of what direction the standard is going toward, namely one of simplicity and consistency. How far it gets in that endeavor remains to be seen.

Thanks for following along – go forth now, and calibrate thyself.
Sal


Internal Audit Schedule Part 1 – How To’sday!

A well-wrought Internal Audit Schedule is key to a healthy management system. It is part of one of the core elements within all the big hitters, from ISO 9001 to ISO 50001 (Energy Management), and beyond.

An effective Internal Audit Schedule is the handle on the rake that finds nonconformities and potential nonconformities, and does so in a planned, repeatable way. Once found, improvement is possible – and that’s what we’re all about, right?

This can be a fairly broad topic, so in Part 1 we’ll focus on the requirements and a few other considerations, while in Parts 2 and 3 we can do a short recap and look at options for how to construct a great internal audit schedule, with useable examples.

What Needs to Be Done?

Each of the more popular standards handles the requirement for Internal Audits in pretty much the same way, with slight differences reflecting that standard’s particular sector.

Let’s look at the meaty part of the requirement in ISO 9001:2008. “[… Internal audits determine if the] QMS conforms to the planned arrangements, to the requirements of this International Standard and to the quality management system requirements established by the organization…”

The 2015 version (in the last Draft) simplifies this slightly by saying “to the organization’s own requirements for its quality management system; and the requirements of this International Standard”.

14001 is essentially the same as that, swapping QMS for EMS (Environmental Management System) and adding that it is also a means to provide audit results to management. 50001 does about the same as 14001 by using EnMS (Energy Management System) instead.

And, for completeness, ISO 27001’s somewhat expanded angle is “[to] a) conform to the requirements of this International Standard and relevant legislation or regulations; b) conform to the identified information security requirements; c) are effectively implemented and maintained; and d) perform as expected”.

ISO 13485 (Medical) and ISO/TS 16949, by the way, since they contain and expand on ISO 9001, have the same text as 9001.

I’m going to make the leap and summarize that your Internal Audits have to cover two things:

  1. Your own system,
  2. The requirements of your standard of choice.

In all the standards mentioned above, if you’ve built your system according to the other requirements contained within the clauses, then you’ve covered everything else. The only concern the uninitiated might have is 27001’s “relevant legislation or regulations” – but the requirement to consider and comply with those is in 4.2.1 “The organization shall do the following; define an ISMS … that “takes into account business and legal or regulatory requirements…”, and similarly under control objectives and risk. And 4.3.3 under Control of Records – well, you get the point – there’s no sense making a special case for relevant legislation when it should be a preordained part of the system anyway.

So, The System and the Standard. It can’t be just The Standard, by the way, otherwise you’d miss whatever else has been deemed necessary, or helpful, along the way. And it can’t be just The System, even if it was all originally created to comply – because things, in the name of Improvement, tend to wander over time and “improve” on a requirement by eliminating it.

In-House Resources, or Hire Out?

One of those questions without a wrong answer. One common approach is to use internal resources for process-related audits and verify actual practice against what is supposed to happen (documented or not) – and to have an external resource, such as a consultant, audit against the standard.

This practice ensures associates and management stay close to the machine, while ensuring the whole ensemble stays on track.

A Few Other Internal Audit Considerations

I do want to focus on the Internal Audit schedule itself, but it is worth bringing up a few of the other components to a healthy Internal Audit Program.

There’s an ISO For That

There is a secondary ISO standard specifically called “Guidelines for Auditing Quality Systems” (you can buy one at ISO.org – here’s a link to ISO 19011:2011).

It covers audit program monitoring and management, audit performance and its various stages including reporting and follow-up. And it provides guidelines for auditor competence and evaluation. I really do recommend adding this one to your library, as it is usually half of any test related to becoming an official auditor.

Becoming a Card Carrying Member

Since you’ll most likely be performing audits, it’s a wise idea to make it official; you’ll be able to use some of your internal audits as part of the requirements.

What this means is to become registered with an organization such as RABQSA or IRCA (International Register of Certificated Auditors). Both are recognized by the industry, Registrars in particular, as badges granting the qualifications to do audits. They have different levels of achievement and with them varying combinations of education and experience. One of the paths usually involves a one-week course with a test, along with a certain number of audits in particular capacities.

My advice is if you’ve got to take a course anyway – make sure it’s associated with one of the two organizations I’ve mentioned above, or sanctioned by them.

Contact the sites directly for more information and speak with a human being to start the process. The specific links are here: RABQSA, IRCA.

Scope of the Internal Audit Schedule

For the sake of doing the right thing right, it is important to make it clear what needs to be covered by the internal audit schedule – typically it should match the scope indicated on your ISO Certificate, at least as much.

There may be cases where there is a corporate requirement that is beyond the scope of your ISO registration (a slippery slope that I hope is defensible), that could be included as well. Information Security audits sometimes fall in this category, particularly for non-ISO 27001 companies.

It is a good time, however, to ensure that nothing has been excluded from your process that should not be left out, or that is not an allowed exclusion.

In 9001, as a general rule, the only allowable exclusions are going to be Design and after-sales-service (including delivery). Occasionally the lack of what are called “special processes” will grant an exclusion, but it is hardly worth the trouble, in my opinion (simple enough to cover it, “just in case”).

Worth noting that it is very possible ISO 9001:2015 will do away with exclusions entirely as it is currently a topic of discussion – though I don’t know exactly how they will do it (seems impossible).

14001 and 50001 have a bit more leeway, so it is important to ensure the scope of your audit schedule matches.

For 27001, the only exclusions allowed are within the controls section – and these must be justified.

Next Time – Making a Great Schedule

See you next week! And thanks!

Until then – go forth, and calibrate thyself.

Sal

Sunday Summary

Hey – Hope you’re having a great weekend and resting up for whatever it is that fills your rice bowl! Wait. Isn’t that rice? Okay, resting for whatever it is that you do that lets you buy rice then. Rice money!

Work-wise, for me, it was a fairly full week with one Certification audit (they were recommended for Certification without any nonconformities – not too shabby on their part) and a Surveillance audit for some folks who always show steady improvement; long time in the game.

Both were local audits, if you consider within two hours of driving “local” – for me, anything under four hours, one-way, is fine.

Here’s a quick recap of the posts from last week:

Don’t forget the Facebook page and, there’s a Twitter feed as well!

Thanks for playing along – leave a comment if you need something covered.

Oh, and go forth and calibrate thyself – tomorrow; take the day off from calibrating today.

Sal