In order to meet the requirements of clause 9.2 of certain ISO standard certification audits (for those in the Annex SL structure), you need to have evidence of a completed internal audit of your management system by an internal auditor. Without having an ISO internal audit report to show the auditor at the stage two certification audit, it’s unlikely your organisation will become certified.
In this blog we explain the added benefits of the internal audit for your ISO management system, who can conduct an internal audit and what the outcome of the audit can provide.
What are the benefits of the internal audit?
Aside from meeting one of the requirements of the certification audit, there are other added benefits of conducting regular internal audits, and these include:
Assessing the strength of your management system. The internal audit assesses the efficiency and can identify improvements to save time, money and efforts.
Confirming the management system is meeting all relevant statutory, regulatory and management system requirements.
Adding value by evaluating and making recommendations for the business, including operational, risk assessment and process control.
Frequency of the internal audit can depend on requirement of the standard, i.e. meeting your scheduled internal audit programme and organisation preference. The standard requires a defined audit plan covering a set amount of time, i.e. annually to meet the scheduled surveillance audit, so it is important to stick to these schedule internal audits on specific sections of your management system.
Who can perform your internal audit?
One of the main questions we’re asked about internal auditing is who is allowed to conduct it. There are two key parts to the answer.
The first is that the auditor needs to be objective and impartial. This means it can’t be someone who has been closely involved in the implementation of the management system and it can’t someone who’s actively involved in running it. If your organisation doesn’t have an established audit department, then you’re probably looking at an external resource (such as CertiKit’s internal auditing team) to fulfil the requirement.
The second part of the answer is that the internal auditor has to have relevant education, training or experience to be able to do a competent job of the audit. So, depending on which ISO standard you are certifying to, they’ll need to know something about subject, the standard itself, and how to conduct an audit. There are courses available to train staff members if required, but make sure they’re from reputable providers to ensure accuracy and a high standard.
Technically the internal auditor doesn’t have to have qualifications, but if they do it’s a good idea to obtain copies of their certificates and store them within your management system.
When to audit?
For your first internal audit pre-certification, you’ll need to arrange a full internal audit of the management system prior to your stage two certification visit. Your first internal audit should be scheduled for when the majority of your management system is in place, but don’t wait until it’s perfect or it will never happen. It’s common for the first internal audit to be based around the structure of the standard, but after this some organisations choose to make their internal audits process-based. For example, an audit may address the sales process, the supplier management process or the software development process.
Once you’re certified you have the option of spreading the internal audits out so that they cover all of the clauses of the standard over a three year period. This will depend on your scheduled internal audit plan, and how your organisation wants to achieve this.
The internal audit report and other resources
The main deliverable of the internal audit is the audit report which should contain details of any nonconformities found. It should also include observations, positive findings and details of all areas audited. You should use the findings within the internal audit as an action plan for improvements, and you should be well on the way to addressing these nonconformities by the time you get to your stage two certification audit.
If you’re going to conduct the internal audits in-house, the CertiKit toolkits provide a number of resources to help with the internal audit process, including an auditing procedure, audit plan, audit report, programme, nonconformity action plan and a checklist of appropriate questions for the internal auditor to ask during the audit.
An important tool for improvement
Used properly, internal auditing is a useful tool for continual improvement and avoiding nasty surprises when the external auditor next comes to visit. Invest in doing it well, and you won’t regret it.
