ISO internal audits – guidelines

G3 Solutions, Inc. can conduct ISO Internal Audits

“How do we conduct our ISO internal audits?”

This is one of the many questions that plagues smaller companies with limited resources and makes for interesting discussion.  Many organizations struggle with the resource availability to either conduct internal audits themselves and contract the job with a reputable consulting group.  Many companies are finding that this arrangement makes it far easier to manage their audit program.  And now, in the age of pandemic protocols and the increase in working from home, remote audits or virtual audits are becoming quite popular.

G3 Solutions can provide the expertise helping your company maintain its internal audit program.

In many quality and environmental-based standards (such as ISO 9001:2015 and ISO 14001:2015), there is a reference to ISO 19011, with the most current revision being ISO 19011:2018. This document provides guidance on the management of an organizations ISO internal audit program, on the planning and conducting of management system audits, as well as on the competence and evaluation of an auditor and an audit team.

Remote audits and virtual audits are becoming more the norm to not only cover people working from home, but also as a cost saving alternative to travel expenses.

ISO internal audits are key to maintaining your quality or environmental management system.  ISO 19011:2018 reflects current best practices in auditing management systems of all types and sizes, and for all quality standards based on the ISO 9001 standard.  Since its last edition (2011), there have been a few minor changes, and major additions.

Additionally, ISO 19011 provides guidance for all audits of varying scopes and scales, including those conducted by large audit teams, typically of larger organizations, and those by single auditors, whether in large or small organizations. It is intended to apply to a broad range of potential users, including auditors, organizations implementing management systems and organizations needing to conduct management system audits for contractual or regulatory reasons. Users of ISO 19011 can also apply these guidelines in developing their own audit-related requirements.

Audit Types

When it comes to types of audits for ISO standards, there are essentially three types: 1st party audits, 2nd party audits, and 3rd party audits. This document concentrates on internal audits (first party – as conducted by your organization) and audits conducted by organizations on their external providers and other external interested parties (second party – such as a customer, consultant, or conducted on a supplier). This document can also be useful for external audits conducted for purposes other than third party (certification bodies/registrars) management system certification.

ISO/IEC 17021-1 provides requirements for auditing management systems for third party certification; this document can provide useful additional guidance for ISO internal audits by understanding the certification body/registrar audit process.

The Auditing Process within your Organization

The process of auditing, both internal and external, has evolved in the ways that audits are managed, planned, and executed.  An important change in ISO 19011:2018 is that it now defines a key approach in internal auditing – a move from element-based auditing to a methodology that emphasizes the interrelationships between processes.  This is extremely important for companies that perform their own audits.  Companies that have had systems that met earlier editions of the 19011 can no longer afford to conduct audits using the tools from earlier standards, which were more element-based, and simply followed the flow in order of standard requirements.

To give a quick summary, or refresher of the key principles of ISO 19011, the guidance was broken down into the following categories:

1 – Integrity of the auditor as being unbiased in any way

2 – Fair presentation of the report which must be accurate and objective.

3 – Due professional care during the audit to maintain objectivity

4 – Confidentiality of any and all company information, documents, records, etc.

5 – Independence from the audit evidence being presented

6 – Evidence-based approach in the findings of the audit, making sure the evidence supports the conclusion.

7 – Risk-based approach across all aspects of auditing – from your overall audit program management through the planning and performance of an individual audit and into auditor competence.

ISO 19011:2018 reinforces its importance across industries in all types of management systems by elevating it to a core principle. In doing so, ISO is encouraging auditors to place more emphasis on risks in planning and conducting audits. The resulting risk-based audit focus should increase the value of audits to an organization by providing actionable information about where significant risks exist in the QMS.

More Competence Expected of Auditors

ISO 19011:2018 takes on the topic of auditor competence more directly than the 2011 edition of the standard.  ISO 19011:2011 housed information on suggested competence measures in an Annex, but that information has been moved up to the normative clauses for the 2018 revision.

The standard outlines expectations for auditor knowledge and skills, as well as for achieving competence through ongoing experience and audit delivery. Specific guidance is also given for ways to measure and demonstrate the competence of an auditor, including to consider audit experience, audit versatility, certifications earned, report accuracy and completeness, report timeliness, and auditee/client feedback.

The 2018 version of the standard discusses the importance of considering the competence of the entire auditing team in addition to just an individual auditor. The standard notes that any member of the auditing team should be competent to speak authoritatively with executives within their own company. Thus, communication skills and conducting oneself in a management setting are important, specific competence requirements for all auditors.

More Emphasis on Audit Planning and Process Approach

Audit planning takes center stage in ISO 19011:2018 and ties in nicely with the emphasis on the risk-based approach. The best way to address a risk is to have a plan for it.  ISO 19011 guides you to consider the risks that may endanger an individual audit from being completed or achieving its objectives. What could prevent you from completing your audit as planned? Travel issues? Language barriers? The standard prompts you to think about these risks and add elements to your audit plan to mitigate or eliminate them.

Need audit help?  Let G3 Solutions become your go-to resource!

If all of this ISO alphabet soup is sounding way too much to handle based on how thin your resources are stretched, contact G3 Solutions today!

Whether having ISO internal audits conducted for you, or training your own personnel, we can put together a program that will take the worry out of your audit process.