Internal Quality Audits are a requirement of ISO 9001 that rarely bring value to an organization past simply maintaining compliance to the standard. Despite

ISO 9001
The Football is an example of process auditing applicable to a manufacturing process. Source: Andrew Nichols

their best efforts, even well-trained internal auditors may not be as effective as they could be.

So, how can an internal audit program bring the “Wow” factor and improve the overall performance of the organization, its management and the auditors? By adopting the following two key features focused on business concerns.

Often in the early phases of implementation of an ISO 9001–based quality management system the focus of the internal audit program is to ensure that no significant issues are found during the Certification Body assessment. However, once found in compliance, the internal audits should be scheduled to ensure that their focus changes to give value to the organization as well as continuing compliance to the ISO standard. To do this, the scheduling of audits must be changed from a ‘push’ system, where audits are scheduled to an annual calendar, to one of a ‘pull’ or demand system, where they are scheduled according to managements’ needs.

The ISO 9001 requirements for internal audits (8.2.2) gives us a clue what might be considered when establishing an audit schedule, also called an audit program. It states, in part, “An audit program shall be established taking into consideration the status and importance of the processes to be audited.” This requirement gives us some opportunities to consider that all processes are not created equally, that some might need to be audited as a priority and possibly more frequently than others. So, how can an audit program meet these requirements and be value-added to an organization?

Let’s consider what’s meant by the status of the processes of the quality management system processes:

Status might include something being new and/or changed, performing below or above expectations. Having something new or changed associated with some function of the organization is frequently associated with causing problems with:

  • customers and requirements
  • suppliers
  • technology
  • regulations
  • process requirements
  • materials and equipment

These are normally considered to be risks to the business.

In fact, how many of us have heard that it’s not a good idea to by a new model car until after it’s been on the market for a year to ‘work the bugs out’? Likewise, a process not performing to expectations, causing scrap, rework, and downtime—in fact, any kind of waste—also is a risk. Got a process that exceeded its goal? Better find out why! Once the reason has been discovered, it could be used to improve other, similar processes.

In some cases, these are planned situations—including the new and changed aspects. Some, like poor performance, are unplanned. What could be done to give a priority to an audit of a new, changed or poorly performing process? This is where the importance of that process must be considered. We have to ask ourselves, is the process important to meeting:

  • customer needs and expectations
  • regulatory compliance
  • costs?

The importance of the process to the customer or other aspects of business can be considered as the impact of that process on the business.

Risk, and the effects of risk on customers, operation performance and regulatory compliance, are what keep management awake at night.

It is common for internal audit programs to be developed on an annual calendar that predicts which aspects of the quality management system are going to be audited. Often the objectives for developing the schedule are to ensure that all of the system is audited in that year, or to ensure all the ISO requirements are covered. However, since there is no requirement to schedule audits in this way, they often miss critical processes when they become a potential risk.
An annualized calendar forces audits of processes that are either not a high priority or before/after any problems transpire, instead of helping to identify what contemporary actions need to be taken to improve things. No wonder then, that in many organizations, the internal audit program is not well supported! Internal audits should be scheduled using current process performance data and feedback from customers to ensure that auditors are focused on what is on managements’ radar screen.

Internal audit management programs, scheduled based on risk and impact, can help usher in a new era synonymous with risk assessment and continual improvements, rather than something done simply for compliance.

Internal audits should be focused on the processes of the quality management system and recurring questions auditors have including:

  • “How do I audit a process?”
  • “Which processes should I start with?”
  • “How will I know if the process is effective?” 

A process can be defined as “activities which transform inputs into outputs.” One might add, “under controlled conditions,” since we usually want to be able to predict a (good) result! From this definition, we know a number of things about any given process, including that they have:

  • Input(s)
  • Output(s)
  • Activities
  • Controls

This is helpful, but heading off to do an internal audit with four topics on our checklist is unlikely to help us reveal if the process is working as intended. As auditors, we have to develop a better understanding of what an effective process requires to deliver a satisfactory outcome for the organization and its customers.

Most business processes have some form of goal or objective assigned to them, so that performance can be determined. This might be focused externally on customers’ needs or internally on the organization. It is common that these goals and objectives have a measurement associated with them. If the process is working effectively, it’s by these performance criteria that an auditor can tell what’s being achieved.

In addition, it’s desirable to produce a consistent result; therefore, the process must be under control. Most of us know the wailing sound (output) made by a loudspeaker when the microphone (input) is placed too close to that speaker—it’s called feedback! You can certainly measure the sound level, but the process is out of control! Our business processes need controls to ensure that things don’t get out of hand.
Process controls for the activities are accomplished in many ways:

  • People—competent, aware and trained
  • Equipment—maintained and calibrated, if necessary for measurement
  • Methods—procedures and work instructions, as necessary, under document control
  • Materials—approved, available, identified

In listing these control criteria, our list of audit topics has grown quickly. We also must consider some other controls that must be in place: documentation controls, non-conformance, records generated from the process, corrective/preventive actions and improvements.

The challenge of preparing for any audit is the sequence in which to place these controls so that we can gather useful information about the process, rather than just a number of facts, since creating a simple list of these topics is not as helpful. There are a number of ‘visual metaphors’ that have been used as tools to assist auditors. One unique approach has proven successful in helping auditors to organize these topics in an appropriate sequence—the Football©.

The use of this tool to ‘visualize’ the path an internal auditor should take when auditing a process has a number of advantages.

One such advantage is comprehensive planning, so that all relevant controls are considered, in their correct sequence (the Football is an example applicable to a manufacturing process). Another is the structure added to audit checklists or questions, they follow the appropriate process flow allowing information to be gathered and used later to verify performance.

It also can assist management with ensuring the assigned auditor(s) does the relevant research of those requirements and controls and develop better understanding of them before the audit interviews. The auditor has a ‘bigger picture’ to audit and is, therefore, more likely to see systematic issues and evaluate the risks that are of concern to management. Where risks are encountered, any audit reports requiring action are likely to get the fullest support and lead to the required improvements being made. 

Andrew Nichols is with NQA.