A full internal audit process may be divided into four stages: planning of internal audit, conducting of internal audit, issue of audit findings and closing of audit findings. Let’s see what should be done in each stage.
1. Planning of Internal Audit
The internal audit should be planned according to the defined frequency (e.g. once a year). The plan must specify the following:
- Scope of the internal audit and the auditees. An internal audit must cover all the quality processes, all shifts and all departments which are in the scope of the quality management system;
- Criteria of audit. The audit criteria include the ISO9001 standards (normally the latest revision, unless during the transition period), legal requirements if applicable, and the internal procedures or requirements of the organization;
- Audit method. Quality management follows the process approach, and it is suggested that the internal audit follow the same methodology, i.e. the internal audit should be carried out for each quality process individually, as defined in the organization, and the owner and supporters of each process should be the auditees for that process;
- The auditor team, including the leader and team members;
- The timetable, i.e. when each auditee will be audited. Below this paragraph is an example of the schedule for internal audit;
- A checklist which lists the key points to be checked during the audit. This is not a mandatory requirement of ISO9001:2015, but it is highly recommended that a checklist be prepared and followed during the audit so that no key point is missed (the checklist is actually mandatory in other standards such as ISO/TS16949).
2. Conducting of Internal Audit
When conducting the internal audit, the auditors ask questions and verify the evidence provided by the auditees. If there is a checklist, questions should be asked according to the checklist. The checklist should be designed, and the questions asked, following the PDCA loop, i.e.
- Firstly, the auditors should ask the auditees whether there is an established procedure for carrying out the audited process that specifies how the process is controlled to ensure it achieves the intended results. For example, when auditing the document control process, the auditors can ask what the procedure is to create, update or obsolete a document, how it is ensured that new documents are distributed promptly to the users and how it is ensured that obsoleted documents are retrieved to prevent misuse. The auditors have to check whether the established procedure meets the requirements of the audit criteria;
- Secondly, the auditors should verify that the actual process is conducted according to the established procedure. For example, when auditing the document control process, the auditors can check an actual record of document updating and distribution and see whether what the record shows is consistent with the established procedure;
- Thirdly, the auditors should check whether the auditees evaluate the effectiveness of the process. For example, when auditing the document control process, the auditors can check whether there’s any target for this process and whether the achievement of targets is regularly monitored.
- Finally, the auditors should check whether corrective actions are taken when the process targets are not achieved or whether continual improvement is taken when the targets are achieved.
3. Issue of Audit Findings
Based on the questions asked and the evidence verified, the auditors issue findings to the auditees. In some organizations, the findings can be classified as major nonconformance, minor nonconformance or opportunities for improvement. The classification is somewhat subjective. It is not mandatory to have such a classification for internal audit findings. Anything about the quality process which does not meet the requirements of the audit criteria or is not effective in achieving the intended results can be considered a finding.
A finding should normally include the following information: the finding, the objective evidence and the rules violated. Below is an example:
4. Closing of Audit Findings
After the findings are issued, the auditees are responsible for providing a root cause analysis, proposing corrective actions and implementing the proposed corrective actions within the specified time frame. Various tools can be used for root cause analysis, and the most common one is probably 5 Whys (please see this article about how to use 5 Whys analysis). The auditors (usually the lead auditor) are responsible for reviewing the root cause analysis and the corrective actions proposed by the auditees. If these are approved, the auditees can proceed to implement the corrective actions. The auditors should follow up to collect objective evidence that the corrective actions have indeed been implemented, and that they are indeed effective in preventing the recurrence of the nonconformance. The finding can be closed only if the corrective actions are proven effective.