I have a confession to make – I love internal auditing. I love the opportunity to examine what is going on in your business, it is only by finding out what your people are actually doing that you will find out how effective your management system is at managing your risks and achieving your objectives.
As many of you will know, internal auditing is a specific requirement of ISO 9001:2015 (clause 9.2), ISO 14001:2015 (also clause 9.2) and OHSAS 18001:2007 (clause 4.5.5) and all of these clauses fall into the ‘Check’ part of the Plan, Do, Check, Act cycle.
A recent issue of IOSH Magazine contained a very interesting article on auditing titled “Reality Check? Is auditing a vital check or a false comfort?” This article really made me think about the effectiveness of internal auditing in contributing to the continual improvement of your management system.
My approach to internal auditing varies on the maturity of the management system. Towards the end of an implementation project, I will carry out process based audits against critical business processes (usually the ones that make the money!) to check that the management system and associated documentation supports those processes. At the end of an implementation project (before the selected certification body carries out their Stage 1 audit) I will carry out a clause based audit as a final check that all the requirements of the standard have been met and to clearly identify where all of the supporting information is. This audit report also acts as an aide memoir for the client during the audit if I am not required to be with them.
In an established management system, I will carry out process based audits to check effectiveness and highlight any opportunities for improvement. I don’t subscribe to the idea that internal audits should be programmed around the requirements of the ISO standard, or that everything should be audited on a regular cycle. Instead I believe that the internal audit programme should be designed on a risk basis including consideration of the risk level of the process, any areas of change and the results of previous audits. The internal audit process itself can also link to the strategic direction of the business, for example, if the strategic direction of your business is to grow sales, a worthwhile audit would be to check the processes involved in approaching a potential new customer, providing them with a quote, converting that quote to an order and fulfilling that order on time and to budget.
Of course, internal audits are only effective as a ‘checking’ tool if the results of the audit are acted on – either to resolve a non-conformance and prevent it happening again, or to implement an improvement. It doesn’t matter how robust your internal audit process is, how competent your auditors are and how beautifully written the report is if you are going to ignore the findings!
As the final paragraph of the article states, internal auditing should not be the only way to ‘check’ your management system but when an effective internal auditing process is used in conjunction with other methods of monitoring, you can get a proper picture of how your management system is performing for your business.
If you’d like any help or support with your internal auditing process please contact me.