
The ISO Internal Audit - Explained

In order to meet the requirements of clause 9.2 of certain ISO standard certification audits (for those in the Annex SL structure), you need to have evidence of a completed internal audit of your management system by an internal auditor. Without having an ISO internal audit report to show the auditor at the stage two certification audit, it’s unlikely your organization will become certified.

In this blog we explain the added benefits of the internal audit for your ISO management system, who can conduct an internal audit and what the outcome of the audit can provide.

What are the benefits of the internal audit?

Aside from meeting one of the requirements of the certification audit, there are other added benefits of conducting regular internal audits, and these include:

  • Assessing the strength of your management system. The internal audit assesses its efficiency and can identify improvements that save time, money and effort.
  • Confirming the management system is meeting all relevant statutory, regulatory and management system requirements.
  • Adding value by evaluating and making recommendations for the business, including operational, risk assessment and process control. 

The frequency of internal audits can depend on the requirements of the standard (i.e. meeting your scheduled internal audit programme) and on your organization’s preference. The standard requires a defined audit plan covering a set amount of time, i.e. annually to meet the scheduled surveillance audit, so it is important to stick to these scheduled internal audits on specific sections of your management system.

Who can perform your internal audit?

One of the main questions we’re asked about internal auditing is who is allowed to conduct it. There are two key parts to the answer.

The first is that the auditor needs to be objective and impartial. This means it can’t be someone who has been closely involved in the implementation of the management system and it can’t be someone who’s actively involved in running it. If your organization doesn’t have an established audit department, then you’re probably looking at an external resource (such as CertiKit’s internal auditing team) to fulfil the requirement.

The second part of the answer is that the internal auditor has to have relevant education, training or experience to be able to do a competent job of the audit. So, depending on which ISO standard you are certifying to, they’ll need to know something about the subject, the standard itself, and how to conduct an audit. There are courses available to train staff members if required, but make sure they’re from reputable providers to ensure accuracy and a high standard.

Technically the internal auditor doesn’t have to have qualifications, but if they do it’s a good idea to obtain copies of their certificates and store them within your management system.

When to audit?

For your first internal audit pre-certification, you’ll need to arrange a full internal audit of the management system prior to your stage two certification visit. Your first internal audit should be scheduled for when the majority of your management system is in place, but don’t wait until it’s perfect or it will never happen. It’s common for the first internal audit to be based around the structure of the standard, but after this some organizations choose to make their internal audits process-based. For example, an audit may address the sales process, the supplier management process or the software development process.

Once you’re certified you have the option of spreading the internal audits out so that they cover all of the clauses of the standard over a three-year period. This will depend on your scheduled internal audit plan, and how your organization wants to achieve this.

The internal audit report and other resources

The main deliverable of the internal audit is the audit report which should contain details of any nonconformities found. It should also include observations, positive findings and details of all areas audited. You should use the findings within the internal audit as an action plan for improvements, and you should be well on the way to addressing these nonconformities by the time you get to your stage two certification audit.

If you’re going to conduct the internal audits in-house, the CertiKit toolkits provide a number of resources to help with the internal audit process, including an auditing procedure, audit plan, audit report, programme, nonconformity action plan and a checklist of appropriate questions for the internal auditor to ask during the audit.

An important tool for improvement

Used properly, internal auditing is a useful tool for continual improvement and avoiding nasty surprises when the external auditor next comes to visit. Invest in doing it well, and you won’t regret it.

 

This blog was originally published in April 2021 and has been updated for accuracy and relevance in August 2022.


How can CertiKit help with your internal auditing requirements?

Our qualified lead auditors can provide internal audits for:

  • ISO/IEC 27001 – Information Security Management System
  • ISO 22301 – Business Continuity Management System
  • ISO 9001 – Quality Management System
  • ISO 14001 – Environmental Management System
  • ISO 45001 – Occupational Health and Safety Management System

CertiKit’s internal audits are conducted remotely via MS Teams to clients in the UK, the EU and those +/- 2 hours of the UK time zone.
