Management
They Just Told Me I’m Going to Be the New Internal Auditor – YIKES! (Part 1)
Why do we perform internal audits in the first place, beyond the fact that ISO 9001:2015 requires them?

You have worked for your company for just over a year, and you arrive on a Wednesday morning to an email from the director of quality advising you that you will become the company’s internal auditor, and that you will be taking an online internal auditing course in a week or two.
You look around your office and you can’t imagine how you’re going to free up any additional time beyond your current job responsibilities. You ask yourself: What is an internal auditor, exactly? How much time will this take on top of my already overloaded schedule? How important is this role, and will it cause conflict in my daily work life?
Source: Peter Sanderson
If this story sounds familiar, then this article is for you. I will try to outline the role of an internal auditor, share some helpful definitions, and offer practical hints from my own experience.
Why Do We Perform Internal Audits?
The first question most people ask is: How much time will I have to spend on internal auditing? That really depends on the size of your organization, the number of processes involved, and how many internal auditors are on your team. Internal audits are typically performed periodically based on a yearly schedule. However, in my opinion, many companies perform internal audits solely to satisfy their ISO 9001:2015 or AS9100 requirements, and in doing so, they often miss the whole point of what internal audits are meant to accomplish.
So why do we perform internal audits in the first place, beyond the fact that ISO 9001:2015 requires them? Internal audits are a valuable source of information on:
- The effectiveness of the management system
- The effectiveness of training
- Whether personnel are following established procedures
- Opportunities to improve processes and/or the quality system
- Whether quality policies are understood throughout the organization
- The effectiveness of the quality system in meeting organizational objectives
- The relationship between quality and cost. In other words, whether the cost of quality is effectively delivering a product or service in accordance with quality objectives
To put it in a single sentence: a quality audit, or internal audit, is a systematic and independent examination to determine whether quality and operational activities, and their results, comply with planned arrangements, and whether those arrangements are effectively implemented and suitable to achieve objectives.
That certainly sounds like a mouthful, even to me. So let’s start at the beginning with some key definitions.
Key Definitions
Auditor: A person who has the qualifications to perform audits.
Auditee: An organization or part of an organization, such as a process or department, that is being audited.
Client: A person or organization requesting the audit. If your company is requesting the internal audit, then your company is both the client and the auditee. If your customer sends someone in to audit your company, then the customer is the client. If an independent agency requests an audit, they are the client. In other words, an internal audit involves a first-party client, a customer audit involves a second-party client, and an ISO registrar audit involves a third-party client.
Quality Evidence: Qualitative or quantitative information or records pertaining to the quality of an item or service, or to the existence and implementation of a quality system element, based on observation, measurement, or tests that can be verified.
Observation: A statement of fact, made during an audit and substantiated by objective evidence.
Source: Peter Sanderson
Audit Team Structure
An internal audit team normally consists of a lead auditor and, in larger organizations, a group of auditors. In smaller organizations, there is often only one auditor, who serves as both the lead auditor and the sole auditor. Regardless of team size, the lead auditor is placed in overall charge of the audit.
The audit team may be made up of internal auditors, but it can also include personnel with specialized backgrounds or even observers. One practice that is not discussed often enough is bringing in external expertise to support your internal audit team when auditing specific processes. For example, if I were auditing the heat treating process in my organization, I could contact the manufacturer of my heating furnace and ask if they could send a representative to participate in our internal audit of that process. By doing so, we would be bringing external expertise directly into the audit with the intention of discovering opportunities for improvement. I cannot stress this enough: although we often think of an internal audit as a pass/fail scenario, discovering opportunities for improvement is equally, if not more, important.
Understanding Auditor Independence
An auditor should be independent, and that independence should be respected by the auditee.
Auditor independence does not mean that an auditor cannot audit their own department or the processes they oversee. In fact, having the operations manager as part of your audit team when auditing operational processes is invaluable, since the operations manager is likely the most qualified person to understand those processes. So what does independence actually mean? It means that you cannot audit a job function that you personally perform. Therefore, if the operations manager is responsible for reviewing inventory reports and approving purchases, that particular process could not be audited by the operations manager. However, all other aspects of operations that the manager does not personally perform could be audited by them, and they would be a valuable team member in such an audit.
Source: Peter Sanderson
Knowing Your Standards and Procedures
As an internal auditor, you will be expected to understand the standards and procedures you are auditing against. If you are not yet an expert in ISO 9001:2015 or AS9100D, your organization will almost certainly provide training on those subjects. It is important to read the standards, and equally important to read your own organization’s procedures and work instructions, as these will show you how your company complies with the requirements. If you have taken an ISO 9001:2015 course at a previous employer, keep in mind that your new company is not required to follow the same procedures to achieve compliance. Every organization implements the standard in its own way.
Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!








