Starting an Internal Audit - Help with the basics

Hi everyone!

First of all, I would like to thank this community, I've asked like two or three questions and I always get the right answer that helps me to develop new stuff at my work.

Regarding this topic... I'm gonna be honest, I'm completely new on the whole Audit ISO 9001:2008. You see, I got this job because the main requirement for this company is know how to speak English (yes, I'm in Mexico) so that's how I the position of Documentation User and Internal Auditor. This year I took an online class to be an Internal Auditor but got almost nothing from it, since being an Auditor and taking care of Documents is not my only job, I also do Quality checks and look for the 8 Wastes to save the company some money.

Anyway, around July I got my first External Audit, it was a simple audit since the re-certification audit was last year but still... I got my ass handed to me by the auditor (in a good way).

So now... It's time for the Internal Audit and I do have everything set up to start the audit but I'm using the other guy's format (the Internal Auditor before me) and I was wondering if you guys could help me out with some ideas to improve it. I read somewhere on this forum that you cannot do an Internal Audit with the clauses of the ISO 9001, so that's the main reason why I want to make it better because on this company they always audit with the clauses and I want to believe that there is a better and more simple way to do this.

Any help will be appreciated and I hope I didn't offend anyone with this post.

Thanks in advance!

PD. It's most in Spanish, I translated what I thought it was necessary. We audit all the departments using all the clauses that apply from the ISO 9001:2008 and then on a different tab, we use the ISO 9001 statements to make the questions for the interviews and gather evidence.

Let me know if you need more explaining or if you think this is the proper method to continue using.

Thank you again!

Good evening Leonel,

My first advice is to ask you to complete an accredited Lead Auditor course. When you do, I believe you will understand why I recommend it.

Before then I think the Cove is a very good place for research but your search should be focused so I am glad to point the way. You can start with Craig Cochran's good paper in the thread titled Internal Audit Checklist - Production Audit Checklist and there are some more very good resources in the thread titled Internal Audit Format and Content question.

Keep in mind the standard is also asking you to plan your audits based on the importance and performance of the process, including results of previous audits. A registration auditor will expect to see evidence this has been done. What do I mean? Not every process requires auditing every year if it is not critical and has been performing well in output and during previous audits. But you should plan to revisit processes where nonconformities have been found or poor performance has been recognized.

While you are looking at those thread you can also scroll down to the bottom of the pages and see related links to similar threads.

I hope this helps!

I agree with most of what Jennifer has said with one addition, I think attending an internal auditor course first would be best - the LA course is a big step for your first one.

If you read clause 8.2.2 of ISO 9001, it tells us to conduct audits to determine whether the QMS conforms to planned arrangements and to the requirements of ISO 9001.

Therefore, your priority should be to check that what is written in your procedures etc, is what is really happening in practice - then bring in the standard.

Don't forget, your registrar will be verifying that the system satisfies the standard too - albeit for just a day or 2 per year.

I agree with Colin. Not only is the LA overwhelming, but it's the wrong focus. Sure, you get to see what the CB auditor does (if you didn't already experience that) but you know. What you learn different from the internal auditor course, isn't worth the extra time away, and you would be better off having someone guide you through your first audit instead.

Hi Leonel,

Take an Internal Auditor training course that get you certification - two days in a classroom with an experienced certified lead auditor is well worth it.

It appears you are using the standard ISO 9001-2008 Internal Audit Checklist as the basis for your internal audit. This is the defacto standard most of us use. Which makes sense, as it does address all the elements of each Clause.

Auditing by Clause is probably the most commonly used method for internal audits. You could also audit by process, or even function/department. The drawback for the process or department methods is that you have to map the required Clause elements to the specific process (or function/department). When you do that it becomes more complicated to ensure all the elements of the each Clause are compliant. I have been involved in functional department based audits, and it?s not easy.

A few points. One, make sure you are not auditing your own work. Hopefully you have other auditors available, if not it is permissible to hire a contractor. If you are the management representative and responsible for the core procedures ? the mandatory six ? you cannot audit them.

Two, make sure you have an accurate mapping of Cluase/elements to your SOPs and WIs.

Three, make sure you consider the findings of previous audits as you prepare for your audits. Non conformances, opportunities for improvement, and areas of concern may require additional due diligence to ensure compliance.

I wish I could tell you there are simpler ways to do internal audits, but after over two decades of working with ISO 9001 standards I have yet to find one.

Regards,
Eric

I can't agree that an internal audit should be done to any ISO 9001 based checklist - that's NOT the point of auditing! You should audit the processes etc of the QMS which has been established. Too many people go out with a checklist based on ISO 9001 and start asking questions about "Does the organization have blah, blah, blah..."

This is a) ineffective, b) speaking the wrong language and c) nothing to do with the actual QMS to be implemented.

Firstly, you have to know what the scope of the audit is and what criteria you are going to use to audit. This is a step EVERYONE overlooks. The trap is set by saying "Get a checklist and go and ask questions"...

When you know the scope and criteria, THEN you can sit down and study the documentation related to controlling the process. Let's say you are auditing the Purchasing process, against a documented process flow chart. It should identify the inputs - the inventory triggers, the requisitions etc and how those are processed through to POs being issued to suppliers (outputs).

Create your checklist, based on that understanding and your questions which clearly prove you've done your "homework", you'll be able to have a sensible conversation and - importantly - know when they deviated from the documented process. You can also have a discussion about WHY that occurred and if it more/less effective.

Put your ISO checklists away. When you come back from your audit, get the ISO checklist out and ask yourself those questions!

AndyN said:

Create your checklist, based on that understanding and your questions which clearly prove you've done your "homework", you'll be able to have a sensible conversation and - importantly - know when they deviated from the documented process. You can also have a discussion about WHY that occurred and if it more/less effective.

Click to expand...

Such great advice. We do mostly process audits and our QMS processes meet the standards. So I have my auditors audit to our processes and that's their criteria.

I do have a checklist, but it's more like a reference to make sure I hit everything I need to hit. Once you've gotten comfortable with auditing you get a sense of where you need to dig deeper so audits have to have flexibility to go down the rabbit holes which can get you in trouble if ignored.

If you haven't had training I also recommend taking an internal auditor course. How many auditors do you have? When we first began the ISO process we found it more cost effective to have the trainer come to us and do sessions on site. Trick was being non-negotiable on co-workers honoring the time and not calling people out of training.

Eric mentioned opportunities for improvement above and that's one a lot of auditors neglect. Asking people for their feedback and being genuinely interested has the collateral benefit of creating a positive culture around audits. You don't want it to be a game of "gotcha." You want it to be a fact based assessment which means noting the good as well as the sketchy. You don't want fear at the sight of an IA clipboard...unless they have been disregarding procedures.

Thank you so much everyone!

By now I have my taskbar full of documents that I found in The Cove and by putting all together I'm getting the idea on how to do this. I find comfort and sadness in knowing that I'm not the only one struggling to get training for this kind of job; my employer thinks that being an Internal Auditor or a Lead Auditor can be accomplished by just reading, and yeah, you can learn so far by asking or reading on the internet or books, but at the end of the day I think you actually need an expert to walk you through some stuff. (besides the fact that it's better to be a certified Lead Auditor (I think))

Again thanks for all the advice, I realized that our current Internal Audit process is not so bad, but it can be better and simple, we always audit all the departments and always ask the same questions based on the Standard clause, but know that I read all your comments, I see that is more efficient to ask questions based on our Process and WI, dig a little more and then compare that do the Standard.

I work at a company with 120 people (including management). I'm the responsible for the Internal Audits and I have 2 more Auditors, plus I also get 1 Technician and 1 Observer... We always do the Internal Audits once a year so I guess that's why we audit everything; and our Internal Audit lasts 3 months (we separate departments to audit by priority (at least that's what I think)) but with all your feedback I think I can make it simple and be ready for next year's external auditor.

If I have any question I'll be sure to ask The Cove and also I'll keep trying to get more training. Thanks again and if anyone has more feedback, I will really appreciate it!

Start small - take a single procedure or a small activity and just work your way through, (at your desk before the audit), picking the interesting bits that you want to check. Highlight them on the procedure and/or copy them over to a checklist (there are lots of examples in the attachments list) and use that as your guidance.

Don't be afraid to go 'off piste' if something interests you, follow it. You can always come back to the checklist when you have exhausted that line of enquiry.

Don't forget to point out good practice as well as bad (if there is any bad) - you are not there to find problems, you should be looking to prove conformance, not the other way around and besides, there will be more right than wrong.

Have fun!

Please update us periodically on how it's going - many of us face similar challenges and this is a good place to share knowledge, much thanks to our kind host.