by Denise Robitaille.
We often forget that internal auditing is a process within a quality management system (QMS) and the necessity for auditing internal audits. However, it’s so closely associated with quality personnel that it doesn’t register that it too must periodically be assessed to ensure continued conformance to requirements. When I conduct auditor training, attendees are often surprised to find out that somebody has to audit the internal audit process.
There are several things to consider when conducting audits of this process. First, ISO 9001 states that people may not audit their own work. As such, the person who conducts this audit can’t be doing any other audits. One of the ways around this is to cycle auditors so that on alternating years one out of the group performs only an audit of the audit process. I’ve seen organizations designate one individual who performs only this one audit. The problem with that tactic is that you end up missing the process approach. Whoever is assessing should also be looking at interrelated processes, such as corrective action, preventive action, and management review. That’s impossible if one person is examining one isolated activity.
What exactly do we look at when we audit internal auditing? We’re looking for the same things as with any other process. Is it properly defined? Are the individuals involved with the process competent and trained? Is the process implemented consistently and in accordance with the documented procedure? Is it integrated into the quality system? Is the process effective? Let’s take a quick look at each of these.
- Is the process properly defined? ISO 9001:2008 requires organizations to have a documented procedure for internal auditing. This procedure should describe the process, including consideration for ISO 9001 (or other sector-specific) requirements and how it is actually implemented. Obviously, the document should be current.
- Are individuals competent and trained? There should be records showing that auditors are trained. This can be in the form of certificates from a qualified training program or evidence of in-house training. There should also be either a job description or similar document that defines the requisite competencies required of an internal auditor. If auditors haven’t had training in many years (for example, pre-ISO 9001:2000), there should be evidence of refresher training. One of the biggest changes in ISO 9001:2000 was its introduction of the process approach. It has relevant applicability to internal auditing and anyone conducting audits should have been trained to the revised standard.
- Is the process implemented consistently and in accordance with the documented procedure? Things to look at include evidence of an audit schedule. This should be matched against dates when audit have been conducted. This will demonstrate whether or not the organization is following its own schedule. Does it have checklists or other forms for reporting? If so, are they properly filled out? Are they complete? Do they provide enough information to prove that an adequate audit was conducted? Things to look for include names of auditees, documents reviewed, records that were assessed, and findings of nonconformity or observations for improvement.
- Is it well-integrated into the quality system? There are two places to look for this evidence. This relates back to the concept of process approach. If things are well integrated there should be traceability to the corrective action process for nonconformances, or perhaps to preventive actions for opportunities for improvement. ISO 9001:2008 requires that action be taken on findings arising from internal audits. Therefore, there must be records to provide evidence. The other process that is linked to internal audits is management review. Were the records of internal audits reviewed as part of the management review process?
- Is the process effective? For a process to be effective, it must provide a positive outcome for the organization. An effective internal audit process will show that there were either findings of nonconformity or observations for improvement that resulted in corrective actions and preventive actions. These, in turn, should have led to improvements in the organization. Any internal audit program that consistently shows records of no nonconformities or no opportunities for improvement should be suspect. No organization is perfect all of the time. Internal audits that simply rubber stamp the status quo without asking probing questions are a waste of time. Top management should appreciate the value of the findings and the accompanying improvements they bring.
The last thing to remember when auditing internal audits and the audit process is that it’s like any other process. You’re not auditing the auditors; you’re auditing the process. This is not a critique of your peers. It’s objective assessment of the control, conformance, and effectiveness of an important process.
About the author
Denise Robitaille is the author of nine books on various quality topics. She’s an internationally recognized speaker who brings years of experience in business and industry to her work in the quality profession. As the principal of Robitaille Associates, she has helped numerous companies in diverse fields to achieve ISO 9001 registration and to improve their quality management systems. Robitaille is vice chair of the U.S. TAG to ISO/TC 176, the committee responsible for updating the ISO 9000 family of standards. She’s also a RABQSA-certified lead assessor, an ASQ Certified Quality Auditor, and a fellow of ASQ.
Her books include The Corrective Action Handbook, The Management Review Handbook, The Preventive Action Handbook, Root Cause Analysis, Managing Supplier-Related Processes and Document Control, all published by Paton Professional. She also co-authored The Insiders’ Guide to ISO 9001:2008.
TAG: auditing internal audits.