ISO 9001 Clause 9.2 Internal Audit

Internal audit is an objective assurance exercise carried out by independent and trained auditors. Its purpose is to add value and improve organizational processes. An internal audit is a systematic and disciplined approach to evaluating the effectiveness of the Quality Management System, and it helps an organization achieve the objectives set for that system. ISO 9001 provides guidance on how these internal audits can be conducted in a systematic and efficient manner to evaluate whether the organization is meeting the requirements of its own quality management system and of ISO 9001, as well as customer and regulatory requirements.


Why is it important?


Internal audits help to find non-conformities and prevent them, so that they do not lead to non-conforming products in future. To understand this better, let's take the example of a builder. During an audit of the builder's operations, the auditor could not locate review records for the building design and raised a non-conformity. When management came to know of the issue, they analysed the situation and found that the design review had been done without following the complete process. The design records were not in place, which raised doubts about how efficiently the review had been done. As a correction, the review was done again with the help of proper documents, and a number of design faults were found and corrected. Such issues, when found on time, help management take corrective actions so that they do not appear in future. A casual approach to a critical process could have led to many faults in the building design, and the organization would have borne the cost later when customer complaints started pouring in. A simple lapse in the process can lead to bad product quality and earn you a bad reputation.


Establishing an audit program


ISO 9001 requires that an organization establishes an audit program with some key elements included. These are:


Methods: Methods include the techniques that you will use to gather objective audit evidence. These will form the basis of determining non-conformities in the system. Examples of audit methods may include an interview with auditees, review of documents, and observation of activities. Some organizations also develop checklists against their Quality Management Systems and tools to plan and conduct audits.


Frequency: ISO 9001 does not prescribe any frequency for the internal audit. But since the audit is a mandatory requirement, many companies opt to keep the frequency at just once a year. While this is acceptable from an ISO 9001 compliance point of view, compliance should not be the criterion for determining the frequency. Instead, choose a frequency that suits the needs of your organization and helps you identify issues at the right time. This decision should be based on factors such as:

  • Importance of the processes
  • Managerial priorities
  • Performance of the processes
  • Changes affecting the organisation
  • Results from previous audits
  • Trends in customer complaints
  • Statutory and regulatory issues
  • Health of the Quality Management System
  • Complexity of the products and services delivered
  • Organization size


Responsibilities: An organization needs to define the responsibilities of auditors and auditees. Auditors conduct audits and report audit findings, and auditees take corrective action in a timely manner.


Planning requirements: You need to establish how audits will be planned. This may include an annual audit calendar, audit plan or schedule.


Reporting: You need to define the level of reporting of audit findings to the management.


Conducting Audits

Once the audit program is established, the next step is to conduct audits. You need to take the below steps to conduct effective audits in your organization:


Establish audit criteria:

Audit criteria are the criteria against which the audit will be conducted. The auditor may evaluate the current implementation of processes against Quality Management System policy and procedures, ISO 9001 requirements, regulatory or customer requirements, etc. The criteria need to be established for each audit or for the whole audit program.

Select Auditor:

While selecting auditors for conducting audits, you should establish the minimum qualification required for internal auditors. Internal auditors need to be trained in the ISO 9001 standard as they also audit for conformity to ISO 9001 requirements. They should also have a good understanding of your quality management system processes and their interaction, customer or regulatory requirements, audit process and techniques established in your audit program.

Another important requirement of the standard is to conduct impartial and objective audits. To ensure this is done, the independence of the auditor is important. The auditor should not be from the same work area or department being audited.

Conduct audits and report findings:

During the audit, auditors should look at objective evidence, interview auditees and review the evidence obtained against the audit criteria established for the audit. In case the auditor finds that the actual process is not implemented appropriately, the auditor should raise a non-conformity in that area. All audit findings should be reported to the auditees/process owners in the formats provided by the organization.

Take correction and corrective actions:

For all non-conformities raised by the auditor, auditees must make immediate corrections and plan corrective actions. A correction fixes the problem immediately, while a corrective action addresses the root cause identified for the non-conformity. Actions taken against these root causes should be tracked to closure, and follow-up needs to be done to ensure that the root cause has been eliminated.

Audit Reporting to Management:

Audit results should be reported to appropriate levels of management. The results of each audit and of the overall annual audit program may be analyzed to determine opportunities for improvement in Quality Management System processes, their interactions, products, services, etc.

Retain evidence of audit:

ISO 9001 requires you to retain records of audits. These include the annual audit calendar and records of audit planning containing audit criteria, audit scope, methods used, auditor assigned, etc. Other records may include auditor training records, audit checklists, audit notes, nonconformity details, corrective actions, and analysis of non-conformities and of the overall audit program.
