Internal auditing
The internal audit is perhaps not the most popular aspect of the quality industry. Jim Wade of Advanced Training finds out why and examines the alternatives
Internal auditing is the activity associated with ISO 9001 that used to be called internal quality auditing. Perhaps a few internal auditors love it. But, almost universally, other people in most organizations do not have it high on their list of favourite business mechanisms.
If you doubt that, observe carefully your colleagues' reactions when the subject of internal auditing comes up. Ask them what words or phrases they think of when the words 'internal audit' are mentioned. Ask them about the value (to them) of the activity. Note the flicker of unease on the faces of the managers of the areas being audited as you ask them about the business value of the non-conformities with which they are presented (and about the close-outs for which they know they will be asked).
Of course, many readers will suggest that these reactions stem from internal audits not being done well. They will argue that, if done correctly, we would see more positive responses. Perhaps they are right; internal audit practice - like everything else - varies.
Why do it?
Rather than asking how internal auditing can be done better, we should consider why we do it at all. Internal auditors are often trained on exactly the same courses as third-party auditors. As a result, many internal audits mimic third-party audit practices - checking that things were done the way they were supposed to be done, gathering objective evidence, reporting non-conformities by clause, and so on.
I do not have the space here to argue for or against the value of checking, often months after the event, what was done or not done. However, it is worth noting that, as well as receiving a negative response in organizations, conformity-focused internal audits have very little to do with what ISO 9001 requires.
The internal audit requirements (contained in ISO 9001 clause 8.2.2 with an important link to clause 7.1) translate in plain English to:
- check the degree to which you have implemented the plans for your operating processes, specifically those that are to do with getting work, doing the work, delivering the results and getting paid
- check the degree to which you are meeting your objectives
- a third requirement (newly introduced to internal audits by ISO 9001:2000) is to check the degree of conformity with the requirements of ISO 9001 but, in comparison with the other two items, this is relatively unimportant
These checks are fundamental to the business, but is it not the job of management to carry out those checks as an integral part of the normal business cycle, not months later when an audit is scheduled?
No more internal audits?
ISO 9001 has a set of requirements (under the heading 'internal audit') that describe good basic management practice, but which do not fit into an 'audit-it-later' scenario. In practice, through training and habit, many internal audits put a heavy emphasis on what is being done despite the requirements making it clear that this is only a part of what is to be checked.
So many internal audits fail to meet the requirements of both the standard and the business. There is a general assumption that if an organization wants or needs to be certificated to ISO 9001, it must continue doing internal audits because the standard requires it. This is not true. There are UK-based organizations, with certificates from UKAS-accredited certification bodies, which have opted out of the need to employ auditors and which no longer conduct internal audits.
One FTSE 100 company uses a self-assessment approach to replace internal audits (despite the fact that ISO 9004 says that this is not feasible). The European subsidiary of a Japanese company makes sure that managers meet the internal audit requirements during the normal course of their work.
Essentially, what is common about their approaches is that these organizations have studied clause 8.2.2 and have devised alternative ways, better suited to their business needs, to address its requirements.
About the author
Jim Wade is a director of Advanced Training and also runs the free membership Business Improvement Network (
www.bin.co.uk). For more details contact t: 0118 987 5120, 07788 6666 08 or e:
[email protected]