Internal audit effectiveness
How can auditors measure how effective a client’s internal audit is? The ISO 9001 Auditing Practices Group gives this advice.

Organizations seeking a suitable and effective quality management system need to conduct internal audits to ensure that the system functions as intended. Internal audits identify weak links in the system as well as potential opportunities for improvement, and act as a feedback mechanism for top management. How the internal audit process is managed is a key factor in ensuring the effectiveness of a quality management system.
Requirements and guidance
ISO 9001 states: ‘An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits.’ This is intended to focus the internal audit programme on those processes and areas where past history indicates that problems have occurred, or where problems are likely to occur or be ongoing. These problems may result from issues such as human factors, process capability, changing customer requirements and changes in the work environment.
The processes with high levels of risk of nonconformities should have priority in the audit programme. Special attention should be given to processes where the high level of risk is influenced by:
- severe consequences of failure on process capability
- customer dissatisfaction
- noncompliance with statutory or regulatory requirements
Assessing the audit process
When examining internal audit processes, third-party auditors should evaluate:
- the competencies that are needed for and applied to the audit
- the risk analysis performed by the organization in planning internal audits
- the degree of management involvement in the internal audit process
- the guidance provided by ISO 19011 (note that ISO 9001 does not require the organization to use ISO 19011)
- the way audit outcomes are used to evaluate the effectiveness of the quality management system and to identify opportunities for improvements
A third-party auditor needs to evaluate the organization's approach to identifying critical areas, as well as other parameters. For example, has the organization identified processes that:
- are critical to product quality
- need special attention
- need to be validated
- need qualified personnel
- need close monitoring of parameters
- occur across multiple locations or are labour intensive
Auditors should also ask if the organization has established process performance indicators that define effectiveness measures, and if these measures align with the organization's overall goals and objectives. After identifying these elements, an auditor needs to examine whether the organization uses such information when establishing audit frequency.
Auditor competency
The next step is to evaluate the competence of the organization's internal auditors. There should be evidence that the organization has identified auditor competence requirements, provides appropriate training and monitors auditors' performance. It should also include personnel on audit teams who have appropriate sector-specific knowledge.
An assessment should be made of whether the internal auditors understand the inherent risk to the outcome of the audit process if they:
- fail to consider something that is material to the outcome of the audit
- select an inappropriate sampling regime
- weight the evidence collected inappropriately
- deviate from the audit plan and internal audit procedures
Examining planning
The organization should be able to maximize the use of available resources during the conduct of internal audit activities. This can be facilitated by the adoption of a risk-based approach to the planning of internal audits.
It should be ascertained whether the organization, through its internal audit process, has considered the use of a risk-based approach in developing the internal audit plan, in order to ensure the effective and efficient use of resources. This should also ensure that the inherent risks of audit failure in the audit process, and to audit outcomes, are minimised. The organization should have a process for using past audit results in the planning of future internal audits.
Finally, third-party auditors must look for evidence that the organization has implemented an effective internal audit programme.
By taking the above factors into account, third-party auditors should be able to form a judgement on whether the organization has implemented an effective internal audit programme and if the outcome of internal audits provides evidence for analysis of the effectiveness of the quality management system.
About the author
The ISO 9001 Auditing Practices Group is an informal group of quality management system experts, auditors and practitioners drawn from the ISO/TC 176 and the IAF. It has developed a number of guidance papers and presentations that contain explanations about the auditing of quality management systems. These reflect the process-based approach that is essential for auditing the requirements of ISO 9001.
