Internal audits are required by management system standards such as ISO 9001 (quality), ISO 27001 (information security), ISO 14001 (environmental), ISO 45001 (health and safety), etc., and need to be conducted to maintain conformance and/or certification to these standards.
Whilst internal audits will vary in purpose and content, the same internal audit process can be applied across all management systems, and ISO 19011 (Guidelines for auditing management systems) provides a particularly useful reference for audit managers.
In this blog, we will look at the key elements of internal audits, consider why they are required, and help you identify potential opportunities for improving your own internal audit operations.
Internal Audits vs Performance Metrics
Why are internal audits necessary? After all, performance metrics are used to measure key areas, such as customer satisfaction, number of security incidents, etc., and by analysing the results you can understand how well the management system is performing and identify opportunities for improvement.
Some performance measurements, such as measurement of customer satisfaction, can be biased towards the subjective – whilst it is an important measure of customer perception at a given point in time, it is not always based on fact. However, if you have correct data and measurements in place, the information obtained from performance metrics is generally accurate and objective. Meanwhile, internal audits require planning, resources, time, and effort.
By their very nature though, performance evaluations are retrospective – metrics reflect processes and outputs that have already taken place and are often determined by past experiences. These metrics are backward-facing, and the information provided is specific to the questions asked and the measurements in place.
Internal audits, however, take place while your organisation is operating and implementing the management system requirements. Audits provide management with information not only on what has happened ‘behind the scenes’ within all areas of the organisation, but what is currently happening and what could potentially happen.
Internal Audit Cycle
As shown in the graphic above, internal audits usually follow a continuous cycle of four distinct phases, each of which is discussed below.
Determining Audit Objectives and Scope
To realise the maximum benefit of internal audits, planning is essential. It effectively starts when you determine when and how often each aspect of the management system will be audited, and what the purpose and aims of each audit are, i.e., when you define the internal audit scope and objectives.
Management system standards require internal audits to be conducted to provide information on whether the system is effectively implemented and maintained, and to determine how well it conforms to the requirements of the relevant standard(s), and your organisation’s own requirements.
These objectives apply to all internal audits, but depending on the needs of your organisation, internal audits may also be conducted with additional tailored and specific objectives. For example, audits can be used to provide information on:
- Regulatory compliance
- Waste reduction and potential efficiencies
- Uniformity of products and/or services (process outputs)
- Relevance and accuracy of documentation and records
- Process effectiveness
- Nonconformities and incidents.
Internal audits can also be categorised into different types, depending on their scope and objectives (for example, system audits and process audits).
Whilst many organisations may only differentiate between system and process audits, the categorisation of internal audits can be particularly useful when implementing an integrated management system, i.e., a system that implements the requirements of more than one management system standard.
To determine what is to be audited and why, management standards require you to consider inputs such as the importance of processes, changes affecting the organisation, and results of previous audits.
However, you can also consider other relevant performance indicators, such as:
- The results of performance evaluations, such as metrics and customer satisfaction
- Analysis of nonconformities
- Stakeholder feedback
- Controls
- Management requirements.
Whilst requirements of the management system and other criteria have probably been identified when developing the system and processes, this information also helps to verify the scope and criteria for each audit – what operations are included in the audit, and what they are being audited against, e.g., processes, objectives, legislation, etc.
Internal Audit Resource Allocation
Management system requirements relating to resources and competence also apply to internal audits, and can vary depending on the audit itself, e.g., safety shoes, high-viz vests, electronic media, etc. However, a resource requirement that applies to all internal audits is the competency and impartiality of internal auditors.
In some ways, this requirement creates the most risk in the audit process. The provision of competent resources can be the most challenging and costly aspect of internal audits, particularly for smaller organisations with fewer personnel, which therefore have greater difficulty finding auditors within the organisation who can ‘ensure the objectivity and impartiality of the audit process’. Even in medium to large organisations, it can be difficult to manage the training and availability of suitable personnel to conduct audits. It is not easy for personnel who are not professional auditors to audit their friends and colleagues within the business, so appointing knowledgeable individuals who can be impartial and objective is a key element of the auditing process.
Your organisation can determine the necessary competence required for its internal auditors. However, as a minimum for effective internal audits, URM recommends that internal auditors understand the audit criteria, be as objective and impartial as possible and be trained on how to obtain, understand, and report relevant information during internal audits, as well as correctly identify variations, nonconformities, etc.
In addition, depending on your organisation, there may also be a need for specific knowledge, such as technical expertise. Unfortunately, it is almost inevitable that the experts will work in the area being audited, which puts their impartiality in question.
There are a range of options available to help you mitigate these risks and avoid the consequences of an internal audit that has not been conducted by a sufficiently competent or impartial auditor. Such an audit may leave issues unidentified until they are raised during an external (certification) audit, and may itself result in nonconformities being raised against your internal audit process. These risks can be mitigated by:
- Allocating an ‘expert’ to accompany the internal auditor, to provide the auditor with technical support
- Maintaining a small core team of auditors that have received internal auditor training from a qualified internal or external party
- Defining and implementing stricter controls for internal auditors, such as set checklists, specific rules for when nonconformities are raised, etc.
- Implementing an ‘on the job’ training and evaluation programme for internal auditors, which enables regular monitoring of performance
- Having each responsible manager conduct a ‘self-assessment’ of an area prior to an internal audit and provide this information to the internal auditor for verification
- Utilising external resources to conduct internal audits – which can be particularly relevant when more than one management standard applies
- Reviewing auditor reports before they are distributed
- Obtaining feedback from auditors and auditees so that opportunities for improvement can be identified.
Developing an Internal Audit Programme
The output of all your planning work is an internal audit programme, which meets the management system standard and organisational requirements and provides all of the necessary details for the planned audits.
It is always essential to gain management support for your internal audit programme; not only from the managers providing the auditors, but also those whose areas are to be audited. It is also critical to ensure the audit programme and any subsequent changes are communicated to your organisation, especially those functions to be audited in the future.
All audit programmes should have objectives and be evaluated for any risks or opportunities, and all operations and locations within the scope of the management system need to be included, with some potentially requiring more frequent auditing than others due to factors such as previous audit findings, incidents, risks, process criticality, etc. It can be beneficial to avoid setting a specific date and time for individual audits in the programme, and instead agreeing this between the auditor and auditees closer to the time. If a more generic time is entered, e.g., only the month and year, this reduces the risk of audits being missed due to a specific date having passed or being trumped by another meeting.
If not already defined in an internal audit procedure, you should clearly define the responsibilities and authorities of all parties involved in internal audits, i.e., auditees and responsible managers, as well as auditors. The audit programme should also identify the status of the internal audits, e.g., planned, confirmed, in progress, completed, report issued, closed, etc., as this provides evidence of implementation.
Conducting Internal Audits
If the audit programme has been properly planned, you will be well placed to execute the internal audit effectively. At this stage, everyone involved in conducting the audit should understand what is to be audited and when, what they are required to do, and who is involved. Audit methodologies, meanwhile, should be well known and understood, and applied across all types of management system audits. It is also important that auditors and auditees understand that audits are conducted to confirm conformance and compliance; the aim is not to look for issues and problems.
Internal Audit Reporting
During the reporting stage of an audit, the management system standards require results to be reported to relevant management. However, the distribution of audit reports should also include, as a minimum, the responsible line manager, the auditees, action owners for nonconformities (if different from auditees), and the audit manager.
At the reporting stage, the approach taken can vary significantly from organisation to organisation. As with many aspects of management systems, whilst the Standards define requirements, they do not say how to meet those requirements, and this should be conducted in the manner most suitable and appropriate to your organisation.
Your audit reports can be formal, documented reports that are uploaded into an online folder and recipients notified to view/action as required, or an audit application (electronic system) that provides the facility to plan, report and record nonconformities, opportunities and best practices. An audit can also be reported with a more informal summary of the audit, with a focus on nonconformities, opportunities for improvement, and best practices identified.
If your organisation manages audit outputs (findings) under a separate process, such as a central improvement process where all nonconformities, issues, etc. are managed to closure, the reporting stage may be the point at which the audit cycle is closed.
Alternatively, the audit cycle may include the process of acting on the audit findings, in which case closure will be effected when all outputs of an audit are addressed and completed.
The most common classifications for audit findings raised by external certification bodies are:
- Major nonconformity
- Minor nonconformity
- Opportunity for improvement (OFI).
Whilst often overlooked, it is always beneficial to identify and report good practices when auditing, as these can prove useful in other parts of the business and encourage auditee participation.
It is not necessary for internal audits to classify audit findings, but this can promote familiarity with the classifications. If classifications are used, clear criteria must be determined and identified for each classification, such as:
- Non-compliance with legislation is always classified as a major nonconformity
- Issues that affect customers or could jeopardise certification may be a major nonconformity
- Several issues identified against a particular clause or process could be grouped into one major finding
- A single issue can be a minor finding.
When an auditor raises a nonconformity, it is important to identify, record and report the classification (where used), the relevant criteria (e.g., the clause of the management standard, process or legislation), the requirements of the criteria that apply, and the issue. The issue itself may simply be a lack of evidence that a specific requirement has been met.
If there is no evidence to support a nonconformity but the auditor has identified an area in which the management system could be improved, then this can be reported as an OFI.
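The classification criteria and the record fields described above, as an added example (this is not code from the original blog and not URM's process): a small Python finding register that stores the classification, criterion, requirement and issue for each finding, applies the listed rules (legislation is always major, customer or certification impact may be major, a single issue is minor, no evidence of nonconformity is an OFI), and groups several minor findings against the same clause into one major. The grouping threshold used for ‘several’, the field names and the sample findings are assumptions constructed for the example.

```python
# Added example (not code from the original blog): a finding register that
# records each audit finding with the fields the text asks for and applies the
# illustrative classification criteria listed above.  The threshold for
# "several issues against one clause", the field names and the sample data
# are assumptions made for this example.
from collections import defaultdict
from dataclasses import dataclass

MAJOR = "Major nonconformity"
MINOR = "Minor nonconformity"
OFI = "Opportunity for improvement (OFI)"

# Assumed: three or more minors against the same criterion count as "several".
GROUP_THRESHOLD = 3


@dataclass
class Finding:
    criterion: str                      # clause, process or legislation audited against
    requirement: str                    # what that criterion requires
    issue: str                          # what was observed, or the evidence that was missing
    legislation: bool = False           # non-compliance with legislation
    customer_or_cert_impact: bool = False  # affects customers / could jeopardise certification
    evidence: bool = True               # False: no evidence of nonconformity, only room to improve


def classify_one(f: Finding) -> str:
    """Classify a single finding using the criteria listed in the text."""
    if not f.evidence:
        return OFI                      # improvement area, no nonconformity evidenced
    if f.legislation or f.customer_or_cert_impact:
        return MAJOR
    return MINOR                        # a single issue is a minor finding


def report(findings):
    """Return findings as reported: classification, criterion, requirement and
    issue(s).  Minor findings against one criterion are merged into a single
    major finding once there are GROUP_THRESHOLD or more of them."""
    minors = defaultdict(list)
    out = []
    for f in findings:
        cls = classify_one(f)
        if cls == MINOR:
            minors[f.criterion].append(f)
        else:
            out.append({"classification": cls, "criterion": f.criterion,
                        "requirement": f.requirement, "issues": [f.issue]})
    for criterion, group in minors.items():
        if len(group) >= GROUP_THRESHOLD:
            out.append({"classification": MAJOR, "criterion": criterion,
                        "requirement": group[0].requirement,
                        "issues": [f.issue for f in group]})
        else:
            for f in group:
                out.append({"classification": MINOR, "criterion": criterion,
                            "requirement": f.requirement, "issues": [f.issue]})
    return out


def summary(reported):
    """Count reported findings per classification for the report header."""
    counts = {MAJOR: 0, MINOR: 0, OFI: 0}
    for r in reported:
        counts[r["classification"]] += 1
    return counts


# Constructed sample findings from a hypothetical ISO 27001 internal audit.
SAMPLE = [
    Finding("ISO 27001 cl. 9.2", "Internal audits conducted at planned intervals",
            "No audit record for Q2; programme still shows it as planned"),
    Finding("ISO 27001 cl. 9.2", "Auditors selected to ensure objectivity and impartiality",
            "Auditor reviewed a process they own"),
    Finding("ISO 27001 cl. 9.2", "Audit results reported to relevant management",
            "Q1 report not distributed to the responsible line manager"),
    Finding("ISO 27001 cl. 7.2", "Evidence of competence retained",
            "No training record for one of two internal auditors"),
    Finding("Applicable data protection law", "Records of processing maintained",
            "Register last updated two years ago", legislation=True),
    Finding("Incident process", "Lessons learned reviewed",
            "Review takes place but is not minuted; could be formalised", evidence=False),
]

if __name__ == "__main__":
    for r in report(SAMPLE):
        print(r["classification"], "|", r["criterion"], "|", "; ".join(r["issues"]))
    print(summary(report(SAMPLE)))
```

Run with the constructed sample, the three minors against clause 9.2 collapse into one major, the clause 7.2 finding stays minor, the legislative finding is major regardless, and the unminuted review is reported as an OFI; the summary therefore shows two majors, one minor and one OFI.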
Correction and Corrective Action
Regardless of the process to be followed for addressing audit findings, the need for correction and corrective actions must be considered. The management system requirements regarding this are covered in Clause 10 (Improvement) of Annex SL standards, such as ISO 9001 and ISO 27001.
In many internal audit processes, correction and corrective action requirements are applied to each audit finding. However, for some organisations or types of internal audits, an alternative approach may be more appropriate.
Consider the levels at which internal audits take place, and the definitions of correction and corrective action; correction is the immediate action to fix a problem, whilst corrective action is a more thorough process to identify the root cause of a problem and prevent recurrence.
The root cause of a problem is not always easy to identify when only one issue or nonconformance has been identified. Meanwhile, the analysis of several audit findings identified by several internal audits (e.g., by clause, area, process, etc.) can be effective in identifying a trend or common thread across multiple processes, therefore sometimes allowing for more effective root cause analysis and corrective action.
However, certification assessors will look for root cause analysis to have been undertaken and corrective action applied, regardless of the level of the nonconformance. Management system standards also require that the cause of the nonconformity be addressed to prevent occurrence elsewhere, so a single technical issue for which the underlying cause may be difficult or impossible to identify should still go through this process to ensure the same issue cannot manifest elsewhere.
Closing Thoughts
Whilst internal audits are a requirement for conformance and certification to management system standards, your aims and objectives for audits should extend beyond simply ‘ticking a box’ to achieve and maintain certification to a particular standard. To receive the maximum benefit from your internal audit programme, your audits should look to not only ensure conformance to requirements, but also verify the effectiveness and efficiency of the management system, determine if processes conform to planned arrangements, and identify areas for improvement. And, by following the advice outlined in this blog, you will be ideally placed to establish an internal auditing programme that provides all of these benefits.
To learn more about how to effectively create an audit programme, particularly in the context of ISO 27001, read our blog on Planning Your ISO 27001 Audit Programme.
How URM can help
One significant challenge your organisation may face regarding internal audits is a lack of sufficiently competent or impartial resources to conduct your internal audits. To help you overcome this, URM can draw upon its 19-year track record as an outsourced auditing service provider to offer you a fully flexible range of internal audit services which enable you to not only meet the auditing requirements for a range of management system standards, but also tangibly improve the effectiveness of your management system. Depending on the needs of your organisation, we can provide a full audit programme, or conduct audits against specific management system standards such as ISO 27001, ISO 9001, ISO 22301, etc., or particular processes and/or controls.
With our full audit programme support, our experts can help you develop your internal audit schedule in line with your organisation’s conformance requirements. Where necessary, the internal audit schedule can also be prioritised based on a number of factors, such as risk assessment findings, incidents, previous audit findings, etc. In addition, we can assist you to develop your internal auditing methodology, based on an analysis of your requirements and with a guarantee that audit results will be repeatable and accurate.
Once the audit schedule has been defined and the appropriate methodology established, we will discuss the management and reporting of findings, i.e., the format of audit reports, how findings will be classified, how corrective actions will be tracked and how audit reports will be followed up, working collaboratively to determine the approach that best suits your organisation’s needs.
To prepare for the audit itself, URM will define audit objectives, scope and criteria, and agree logistics. In the post-audit report, URM’s auditor will detail the processes and activities they have audited, the documentation, controls and records they have seen, and any findings they have identified.