In this article, Jerry Lawrence, CertiKit’s Lead ISO27001 auditor, shares his thoughts on internal auditing and the benefits of an established internal auditing programme.
Many years ago, as a freshly trained auditor, I was asked “why did I need to audit the process when we had external auditors coming in every 6 to 12 months doing the same?”. In my naivety, I soon learnt not to say “because the standards require it” as this isn’t exactly a huge selling point to the Senior Management Team, and it certainly doesn’t get their buy-in as to why they should divert time and effort to your audits.
In my defence though, the various management system standards such as ISO27001, ISO9001 and ISO14001 etc. do require internal audits, but in my eagerness to get out and practise my newly trained skills on the workforce, I hadn’t really understood the reasons why the standards require it and the included benefits.
There are several reasons why internal audits are a mandatory requirement for various management systems standards.
The first and most obvious one is the fundamental process approach adopted by various ISO standards, namely the Plan-Do-Check-Act (PDCA) cycle, which can be applied to all management system processes.
Maintaining process conformity and continual improvement are essential – you have spent time, effort and financial resources working towards or achieving an ISO certification, and one of the most difficult things is maintaining that certification. Audits are a way of ensuring that the defined processes continue to be implemented as intended and that they reflect process changes that may result from adopting new technologies, changes in business operations or key staff.
In a recent blog by CertiKit’s Technical Author, Ted Spiller, on Why ISO management systems fail, Ted highlights a number of key reasons for management system failure, and these include:
Imagine running a business where some or all of these reasons are ignored. It would be easy to see why the business would quickly fail to deliver quality products and have an unmotivated workforce but, most of all, these inefficiencies could lead to larger operating costs and lower profitability.
Internal audits are a way of checking the following:
So, to answer the question are audits a necessary evil or a great benefit, I would argue they are both! They need to be done as a health, wealth, and strength measure of the Management System BUT more importantly if they are done in a timely, professional, and presentable way to Senior Management then they do add huge benefit and insight into the operation of the system within the organization.
CertiKit offer both full pre-certification audits and ongoing internal audits performed by a qualified ISO27001 lead auditor. Whether you’re a toolkit customer or not, we’d be happy to assist you with your ISO27001 internal auditing requirements. CertiKit’s audits are performed remotely via MS Teams by our consultants in the UK and are most suitable for organizations within +/- 2 hours of the UK time zone. Please note, CertiKit are not a Registered Certification Body and cannot provide you with a formal management system certification.