Audit Response Help Please. ISO9001

My comment on internal audit vs external audit is something I learned very early as an auditor / consultant. That was that if anything the internal audit should be more robust than the external audit. Keep in mind that typically external audits are annual events on a three year cycle. The first year includes auditing the entire quality management system. The second and third year audits don't cover the whole system, although the entire system needs to be covered in those two years and the management process covered every year. Then the cycle repeats.

Internal audits often include the entire system every year. If there is a very stable process that doesn't often have problems, it might not be as often. Management may, and with the better companies often does, audit processes more frequently, and has a better opportunity to determine which processes need extra attention compared to external auditors.
 
The (not outsourced) internal auditor has greater exposure to the company he is auditing.
This has its strengths such as efficiency due to familiarity and being able to disperse time to come back at the opportune moment (witness/auditee availability) or locations (trace through process) or request and await analysis for longer.
It also has its weaknesses, especially the political exposure that comes with their outcomes being in tension with having to maintain ongoing relations/employment.

Overall the skillsets should develop differently. External auditors without the efficiency/flexibility boon should focus on matters that make them more efficient while maintaining effectiveness in their fields, and develop skills in soft power (since by design of arrangement they hold a power position for as long as there is no contractual conflict).
Internal auditors can specialize deeper into fields relevant to their current employer for greater effectiveness, and should develop additional skills related to data analysis since with their access they can integrate that into their preparations for more powerful sampling/coverage. Instead of soft power (which is rarely guaranteed to them, often due to their part-time nature), they should develop relationship building and negotiation skills, as well as probably crisis communication skills as they might need to communicate 'disaster' to affected persons and motivate them towards an intended state while avoiding undesirable actions/consequences.

The starting point however are the basic auditing skills, of which ISO 19011 provides a default base tacked onto a default process.

Out of scope: external audit programmes (usually derived from widely accepted schemes) versus internal audit programmes, but that has different skills again, and while some auditors are also the audit programme manager, this is by nature at most a "1 out of X" situation.
Neither did I cover the variety of decision makers (certification vs design/QMS/business|sequencing/allocation changes) who have to act on what execution of the audit programme provides as an output. Suffice to say though that they serve different purposes, and only definitely meet in the middle.
 
There is nothing in any auditing standard to suggest otherwise.
ISO 19011:2018 ¶ 6.4.8
When specified by the audit plan, individual audit findings should include conformity and good practices along with their supporting evidence, opportunities for improvement, and any recommendations to the auditee.

The following is the answer from the AI-enabled Grok3 tool to the question of whether internal system audits should be performed differently from external ones:

Yes, internal audits and external audits in management systems like ISO 9001 should be performed differently, as they serve distinct purposes, have different scopes, and are conducted by different parties with varying levels of independence. Let’s break this down:
Purpose
  • Internal Audits: These are conducted by an organization’s own personnel (or outsourced auditors acting on behalf of the organization) to evaluate the effectiveness of the quality management system (QMS), identify areas for improvement, and ensure compliance with ISO 9001 requirements before an external audit. They’re proactive and improvement-focused.
  • External Audits: These are performed by independent third-party auditors (e.g., certification bodies) to verify conformity with ISO 9001 standards and determine if the organization qualifies for certification or recertification. They’re more evaluative and compliance-driven.
Approach
  • Internal Audits:
    • Flexibility: They can be tailored to the organization’s specific needs, focusing on high-risk areas, recent changes, or processes with known issues.
    • Depth: They often dive deeper into day-to-day operations and employee practices, providing a granular view of how the system is implemented.
    • Tone: Typically collaborative, with auditors working alongside staff to uncover root causes and suggest solutions.
    • Frequency: Can be scheduled regularly (e.g., annually or quarterly) or triggered by specific events (e.g., process changes).
  • External Audits:
    • Standardization: Follow a more rigid structure based on ISO 9001 clauses, with a checklist-style approach to ensure all requirements are met.
    • Breadth: Tend to cover the entire QMS at a higher level, sampling processes rather than exhaustively reviewing every detail.
    • Tone: More formal and objective, with less emphasis on collaboration and more on evidence-based judgment.
    • Frequency: Usually less frequent, tied to certification cycles (e.g., initial certification, surveillance audits, recertification every three years).
Auditor Perspective
  • Internal Auditors: Being part of (or familiar with) the organization, they have insider knowledge of its culture, processes, and challenges. However, they must maintain objectivity, which can be a challenge if they audit their own work (ISO 9001:2015, Clause 9.2.2 requires impartiality).
  • External Auditors: As outsiders, they bring independence and a fresh perspective but may lack context about the organization’s nuances. Their focus is on conformance to the standard, not necessarily on operational efficiency unless it impacts compliance.
Outcome
  • Internal Audits: Results are typically for internal use—management reviews them to drive continuous improvement. Findings might include minor nonconformities or opportunities for enhancement that don’t necessarily jeopardize certification.
  • External Audits: Results determine certification status. Nonconformities (major or minor) must be addressed formally, often with corrective action plans submitted to the certification body.
Practical Differences in Execution
  • Scope: Internal audits might focus on specific processes (e.g., customer complaints or supplier management) based on organizational priorities, while external audits assess the entire QMS.
  • Evidence: Internal audits can rely on informal discussions and observations alongside documented evidence, whereas external audits prioritize documented proof of compliance (e.g., records, procedures).
  • Follow-Up: Internal audits often lead to immediate action plans managed internally, while external audit findings may require formal reporting and verification by the auditor at a later date.
ISO 9001 Guidance
ISO 9001:2015 (Clause 9.2) mandates internal audits but doesn’t dictate how they differ from external ones—it’s implied through the standard’s emphasis on internal audits supporting the organization’s objectives versus external audits validating conformity. The standard requires internal audits to be planned, objective, and systematic, but the "how" is left to the organization’s discretion, allowing for those practical differences.
Should They Be Different?
Yes, they should be performed differently to maximize their value. Internal audits are your chance to self-diagnose and fix issues before the external auditor arrives. Treating them like external audits (e.g., overly formal or compliance-only) misses the opportunity for proactive improvement. Conversely, external audits must remain independent and standardized to uphold the integrity of certification.
Does that clarify the distinction? If you’d like, I can dig into specific examples or tools used in either type of audit!
 