ISO Internal Audits
January 14, 2021
There are three basic types of ISO audits: first party, second party and third party audits. First party audits are internal audits. Non-accredited independent audits are second party audits. Accredited certification bodies conduct third party audits.
ISO Internal audits are the checking part of the Plan-Do-Check-Act (PDCA) cycle of continual improvement. The PDCA cycle is the basis for ISO management system standards like ISO 14001, ISO 9001 and ISO 45001. Internal audits are an important element of the "check" step in PDCA. Clause 9.2 of these ISO management system standards describes the internal audit requirements as follows:
9.2 Internal Audit
The organization shall conduct internal audits at planned intervals to provide information on whether the XXX management system:
a) conforms to:
- the organization's own requirements for its XXX management system;
- the requirements of this document;
b) is effectively implemented and maintained.
Effective ISO internal audits help organizations confirm "what should be, is" and "what should not be, is not".
ISO Internal Audits as Risk Management Tools
Enterprise risk managers have many tools to address risk to their organization. Historically, internal audits have focused on financial accounting. Enterprise risk managers now recognize the value of non-financial audits that, although not directly related to the assessment of financial performance, help identify areas of risk that can have a significant indirect effect on an organization's financial performance.
ISO 9001 quality management system audits check for risk to the organization's ability to consistently produce products and deliver services that meet customer expectations. Audits to ISO 14001 assess the organization's ability to address the risk of potentially significant environmental impact, and audits to ISO 45001 assess the management of risk associated with employee occupational health and safety.
ISO Internal Audit Programs
ISO management system standards require that organizations establish internal audit programs. These audit programs help ensure the results of internal audits are reliable.
An audit program helps establish the audit objectives and create a systematic process for planning, conducting and following up on audits. A clear understanding of the audit objectives is crucial to the effectiveness of the audit process. ISO 19011:2018 Guidelines for auditing management systems provides guidance for organizations establishing and operating internal audit programs. Keys to successful internal audit programs are:
- Having the right people managing the audit program
- Using competent auditors to perform the audits
- Establishing a systematic audit protocol
- Ensuring follow-up on audit results
Audits conducted in the absence of a carefully considered audit program will not help address risk and will provide little or no return on the effort invested in the audits.
Internal Audit Materiality
Accountants performing financial audits have used the concept of "materiality" when planning these audits for centuries. Materiality means the audit needs to focus on the areas that "matter". These are the areas of the organization's performance where potentially significant risk exists that needs to be addressed. This is also referred to as a risk-based approach to auditing.
Audits that focus on non-material issues waste time and provide little return on investment. ISO management systems require that documents are controlled. However, audits that focus only on document control issues and ignore other important areas, such as operational controls, are not auditing the issues material to the management system.
Another example is an environmental management system internal audit program at a large paper mill that focuses only on the recycling of waste pop cans generated in the mill lunchroom. The audit program does not include audit criteria pertaining to significant air and water emissions or to solid waste disposed of on the land. Clearly the audit is not focusing on the environmental risks at the paper mill that matter. The results of such an audit do not inform anyone of the organization's overall environmental performance or the conformance status of the environmental management system.
Internal Audit Follow-up
ISO management system standards also require that organizations act on the results of management system audits. Audits can result in positive findings: when an audit finds that things are the way they are supposed to be, this is good news. Negative findings are also called nonconformities.
Nonconformity corrective action is the "Act" part of the Plan-Do-Check-Act cycle and also needs to be performed with skill to ensure the audit process is effective in addressing risk to the organization. Organizations with an ineffective corrective action process are unlikely to get a return on their internal audit investment.