How to Conduct an Internal Audit: Step-By-Step Guide with Sample List

A key component of maintaining ISO compliance is simply evaluating the performance of your Management Systems at routine intervals. Thankfully, the ISO Certification Standards do include recommended guidelines and frameworks for ongoing performance monitoring and for formally evaluating ISO Management Systems. This is where ISO audits factor into the process of securing and obtaining ISO Certification.

There are three different types of ISO audits, these being:

1. Internal audits
2. External audits
3. Third-party audits

Whilst external and other third-party audits are carried out by your CB (Certification Body) or other independent organisations, internal audits are conducted entirely within an organisation to assess the relevance and effectiveness of your tailored ISO management systems, be they traditional Quality Management Systems or even dynamic HSEQ Management Systems that relate to one or more ISO Standards.

Today, our ISO consultants at S & J Auditing & Consulting will be outlining in detail how you can conduct internal ISO audits within your organisation, with a bonus sample internal audit checklist resource to help structure your own audit processes.

What is an Internal Audit?

An internal ISO audit is a systematic and evidence-based self-assessment from an organisation of the compliance of their ISO Management System/s and/or processes. ISO internal audits are an integral part of maintaining ISO Certification across all Certification Standards.

Internal audits are evidence-based as they’re specifically designed to confirm compliance and identify potential non-conformances by evaluating all the processes and procedures that comprise a Management System

Key Objectives for Internal Audits

Internal audits are used to determine whether or not an ISO Management System:

• Meets ISO compliance requirements
• Meets regulatory compliance requirements
• Meets client and customer needs (contractual requirements)
• Performs optimally
• Is up to date with process/policy changes

Internal audits are also vital for identifying potential non-conformities and supporting auditors and compliance officers in preparing non-conformance reports.

Who Can Conduct an Internal Audit?

Internal audits must be conducted by trained and qualified internal auditors. Often, a lead auditor is assigned to planned given internal audits, with compliance officers playing a supporting role in facilitating audit activities (i.e. sending notices out to staff to alert them to of upcoming internal audits, scheduling audit interviews, collating audit reports, etc.).

Want to know who’s who for your next ISO audit? Learn more about the key differences between ISO consultants vs. ISO auditors.

How to Conduct an Internal Audit: Step-By-Step

If you’ve assembled your compliance team consisting of qualified internal auditors and compliance officers, then be sure to follow the below step-by-step instructions outlining how to conduct an ISO internal audit, as outlined by our dedicated ISO consultants here at S & J Auditing & Consulting.

Step 1: Schedule and Prepare for Your Internal Audit

As they’re naturally systematic processes, an internal audit should never be conducted without effective tools such as internal audit checklists. So the first step you’ll need to take is simply scheduling and planning your internal audit.

At this phase of the process, your compliance team should:

• Create a risk-based internal audit plan/schedule and notify relevant staff and stakeholders (ideally 3-4 weeks in advance) of up and coming internal audits
• Prepare an internal audit checklist
• Outline the audit objectives
• Outline the scope of the audit and all policies/procedures/documentation that are set for review
• Outline the evidence required to confirm compliance of all the policies/procedures/documentation that are set for review
• Prepare the questions you will ask staff and stakeholders during audit interview processes
• Review any previous internal and external audit reports to include previous corrective actions and non-conformance reports

Step 2: Conduct the Audit by Following Your Tailored Internal Audit Checklist

At this stage of the process, you should commence to request and review evidence in relation to the process being internally audited, whilst also cross checking the applicable ISO clause, to ensure the process is not only accurate and well-implemented, being compliant to the relevant ISO clause.

What Should you Include in Your Internal Audit Checklist?

Your internal audit checklist will act as your guide throughout the internal audit. This document will help provide structure and consistency to your internal audit processes, and should ideally be updated as your policies, procedures, and supporting documentation for your Management Systems naturally evolves over time.

At a minimum, your internal audit checklist should include the following details:

• The audit scope (i.e. what the audit covers)
• The audit criteria (i.e. what standard, clauses, policies or processes is the internal audit against? E.g. ISO 9001 clause 4.2, or the “Procurement Process” etc.)
• The name of the person conducting the internal audit
• The date

Internal audit checklists are most effective when they’re tailored to fit the unique reporting and compliance requirements for your organisation and ISO Management Systems. We recommend working with a qualified internal auditor and even external ISO consultants to develop an internal audit checklist that’s tailored to your organisation.

Once the internal audit checklist is prepared, its time to start reviewing the evidence provided, capturing comments in text as evidence is sighted and verified. It is also good practice to use photographs in your internal audit checklist, as this provides “more weight” to your evidence.

Step 3: Collate Your Internal Audit Report

At the completion of the internal audit, it is now time to ensure a comprehensive internal audit report is collated and complete. Your internal audit report should include:

• Nonconformances, opportunities for improvements, and associated corrective actions, and
• A summary of internal audit findings.

Summary of Internal Audit Findings

Your internal audit summary should outline all identified non-conformances, opportunities for improvements, and corrective actions, as well as the evidence supporting the correct identification of actions raised.

Corrective Action Plans

Corrective action plans are developed in direct response to all identified non-conformities following an internal audit. Your corrective action plans should include recommendations for next steps, which can then be proposed as continuous process improvement strategies to business leaders (i.e. department heads, company managers, stakeholders, etc.).

Step 4: Conduct a Management Review

Compliance teams should review internal audit findings with their lead auditor and other relevant business leaders. Leaders can also sign off on record-keeping following audits (i.e. cross-referencing the dates of record or report preparation, interview transcripts, etc.).

Depending on the scope of your internal audit, this review of audit findings can either be conducted internally within a specific department, or it can be raised in a formal management review in the context of dynamic or whole systems processes.

Step 5: Implement and Monitor Decided Corrective Actions

If all corrective actions are approved in the management review phase, then your compliance team can work directly with department heads and staff to implement these decided corrective actions and monitor the performance of these changes as needed.

If those process improvements have been successfully implemented and are delivering positive results, they can then be integrated into your organisation’s policies, procedures, and documentation. This is how internal audits aid in facilitating and confirming continuous process improvements.

Key Questions to Include in your Internal Audit Checklist

Staff interviews are an integral component of internal audits, which is why your checklist must also include operational questions to ensure your interviews deliver relevant insights.

Be sure to use our sample internal audit checklist as a reference point when preparing interview questions for your organisation’s internal audit processes.

Note: for the purpose of this internal audit checklist, we’ll be using a template relating to ISO 9001 internal audits. Note that while this template may refer to Quality Management Systems (QMS), this questionnaire is also universal and can be easily adapted for ISO 14001, ISO 45001, and other ISO internal audit audits.

Implement Internal Auditing Processes Tailored to your Management Systems

Internal audits are best conducted by professionals with a strong working knowledge of the ISO Standard/s that your organisation is currently certified to. Our ISO consultants at S & J Auditing & Consulting are specialists in conducting internal audits, and have a large portfolio of clients that currently engage us for this exact reason. The benefit of engaging S & J Auditing & Consulting for this is there is no need to spend money of training or resource allocation for this process internally, and the quality of the internal audits will be conducted by professionals who live and breath these sorts of processes.

Get in touch with our dedicated ISO consultants today to secure expert support in implementing and managing robust internal auditing processes for your organisation.