ISO Internal Audits & Corrective Action
Kevin Lehner
March 29, 2021
Introduction
There are 3 basic types of ISO audits, first party, second party and third party audits. First party audits are internal audits. Non-accredited independent audits are second party audits. Accredited certification bodies conduct third party audits or certification audits.
ISO Internal audits are the "checking" part of the Plan-Do-Check-Act (PDCA) cycle of continual improvement. The PDCA cycle is the basis for ISO management system standards like ISO 14001, ISO 9001 and ISO 45001. Each of these ISO management system standards require internal audits be planned and performed as follows:
9.2 Internal Audit
9.2.1 General
The organizations shall conduct internal audits at planned intervals to provide information on whether the management system:
a) conforms to:
-the organization's own requirements for its management systems;
-the requirements of this document;
b) is effectively implemented and maintained.
Effective ISO internal audits help organizations confirm "what should be, is" and "what should not be, is not".
ISO Internal Audits as Risk Management Tools
Enterprise risk managers have many tools to address risks to their organizations. Historically organizations have focused their internal audits on financial performance and accounting. Although they are not directly related to assessment of financial performance ISO internal audits help identify areas of risk that can impact an organizations financial performance.
Audits of quality management systems check for risk to the organizations ability to consistently produce products and deliver services that meet the customers expectations. Audits to ISO14001 assess the organizations ability to address risk of potential significant environmental impact and audits to ISO 45001 assess risk associated with employee occupational health and safety.
ISO Internal Audit Programs
ISO Management System Standards require organizations establish internal audit programs. These audit programs help ensure the results of internal audits are reliable. An audit program helps establish the audit objectives and create a systematic process for planning, conducting and following up on audits. A clear understanding of the audit objectives is crucial to the effectiveness of the audit process. ISO 19011:2018 Guidelines for auditing management systems provides guidance for organizations establishing and operating internal audit programs.
Keys to successful internal audit programs are:
- Having the right people managing the audit program
- Using competent auditors to perform the audits
- Establishing systematic audit protocol
- Ensuring follow-up on audit results
Internal Audit Materiality
Accountants performing financial audits have used the concept of "materiality" when planning these audits for centuries. Materiality means the audit needs to focus on the areas that "matter". These are the areas of the organizations performance where potential significant risk exists that needs to addressed. This is also referred to as a risk based approach to auditing.
Audits focusing on non-material issues waste time and provide little return on investment. An example of this is a large paper mill that focuses on recycling of waste pop cans generated in the mill lunchroom. The audit program does not include audit criteria pertaining to significant air, water emissions or to solid waste disposed on the land. Clearly the audit is not focusing on the environmental risks at the paper mill that matter. Audits like this do not help improve performance or conformance of the management system.
Internal Audit Follow-up and Corrective action
Audit findings can be positive or negative. When "things" are found the way they are supposed to be, these are positive audit findings. Findings made when things are found not the way they should be, are called nonconformances. ISO management systems standards like 9001, 14001 and 45001 all require organizations to take corrective action when a nonconformity is discovered.
Clause 10.2 of the ISO management system High Level Structure requires the following:
10. Improvement ...
10.2 Nonconformity and corrective action
When a nonconformity occurs, the organizations shall:
a) react to the nonconformity, and as applicable
- take action to control and correct it;
- deal with the consequences
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
- reviewing the nonconformity;
- determining the cause of the nonconformity;
- determine if similar nonconformities exist, or can potentially occur;
c) implement any action needed:
d) review the effectiveness of any corrective action taken
e) make changes to the management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformaties encountered.
Documented information shall be available as evidence of:
- the nature of the nonconformaties and any subsequent action taken;
- the results of any corrective action
Corrective action is the "Act" part of the Plan-Do-Check-Act cycle. Management systems need to have effective corrective action processes if they are to achieve the intended results. Effective corrective action processes have two basic components. These are:
- A defined systematic process for performing corrective action
- A method to keep track of the corrective action process from beginning to end.
Corrective Action Process
Effective corrective action process have several steps that should be followed in sequence. These steps are:
- Correct the nonconformity - a short term, quick fix
- Investigate the nonconformity - determine the cause(s)
- Identify a corrective action(s) - to address the cause of the problem and ensure it does not recur
- Implement the corrective action - fix the problem
- Verify the effectiveness - check to see that the corrective action was implemented as planed and actually fixed the problem.
These steps are similar to phases or stages in a design project. A review process should be performed to confirm the stage has been competed before the corrective action proceeds to the next stage. The approval should be done by someone other than the person or team assigned to work on the corrective action. Auditors are often a good choice for performing this review, especially if the corrective action is the result of a nonconformity the auditor discovered during an audit.
Tracking Corrective Actions to Completion
Tracking corrective actions can also be challenging for many organizations. Three ring binders for paper copies can be lost, damaged or awkward to work with. Excel workbooks have been used by many but also pose problems when searching for information or trying to analyze trends. Inexpensive cloud database applications like CorrectTrack.com are a better long term solution to tracking progress on corrective actions. Database applications also provide automatic reminders and notifications when changes occur to the corrective action.
Conclusion
Internal audit programs and corrective action processes are essential parts of a PDCA management system. Taking the time and effort to develop good, effective internal audit programs is a good investment and good risk management practice.