5 Top Tips for Creating a Great Internal Audit Schedule
Whether you are working towards your International Organization for Standardization (ISO) certification or already hold it, internal auditing is a key element you need to master. It also seems to be one of the areas of real trepidation and confusion, particularly around what the standards actually require of an internal audit program. When we talk with clients who are trying to get certified, and indeed with those already certified who are looking to improve their system, there is uncertainty around what you must audit, how often, who should do it and what process to follow. With that in mind, we have put together five top tips for creating a great internal audit schedule to help ease the stress of meeting the internal auditing requirements.
1. Frequency of Audits
The first and most important thing to understand is how often you need to audit your system. There is a myth out there that you need to audit your entire ISO Management System every year. It is just that, a myth: you do not. Imagine you hold a triple certification for ISO9001 (Quality Management Systems), ISO14001 (Environmental Management Systems) and ISO45001 (Occupational Health and Safety Management Systems). While there is a lot of overlap between these in terms of structure, and you would certainly build an Integrated Management System, the detailed requirements of each standard are different, which means a lot of procedures. If you try to audit everything every year, you had best hire a permanent internal auditor. The wording of the internal audit clause is now roughly the same across all the standards, and the key phrase in it is "planned intervals".
There is nothing in that phrase about every year; it just says planned intervals. Planned intervals means you should have a documented, planned frequency for auditing your system. It may be that you decide to cover the whole system within the 3-year cycle of your certification, but again you do not actually have to (you should, but you do not have to).
2. Take a Risk Based Approach
All the newer revisions of the ISO Management System Standards talk, right at the start, about taking a risk-based approach to your management system. That means that throughout your ISO9001 Quality Management System, ISO14001 Environmental Management System or ISO27001 Information Security Management System you should look at the risk attached to each policy or procedure and use that to decide how often you will carry out an internal audit of it.
Grouping things into a risk category does not need to be complicated. Keep it simple and give each process a rating based on the impact it could have on the performance of your ISO Management System, and on your product or your customer, if things were to go wrong. For example, a rating like this works well for setting out your audits:
- Low – As required, i.e. you may audit once in the 3-year cycle, or more frequently if something pops up.
- Medium – Audit every two years.
- High – Audit every year.
- Critical – Audit multiple times per year.
When deciding which rating a process gets, take into account factors such as:
- The level of non-conformances within, or linked to, that process.
- Customer complaints.
- Any business risks or hazards.
- The importance of the process to your product or customer.
- Previous audit results (internal and external).
- Organisational changes, e.g. key personnel changes.
3. Who should Audit?
Ideally you want to build a good internal auditing team; leaving it to just one person is never a good idea. Importantly, you cannot audit yourself or your own department, and auditing your own manager is not a great idea either, so a single auditor is not going to fly. Each audit should have two people involved as auditors, and ideally one of them is a subject matter expert who can spot answers that are not quite on the level. Ideally, at least one member of the audit team is trained as a lead auditor so they can train the other internal auditors in the basics of auditing. A great place to start is ISO19011, Guidelines for Auditing Management Systems.
4. Know when not to Audit!
There are certain times of the year when you know your organisation has key things happening, and you can choose to avoid those times for auditing. For example, avoiding the financial year end is usually wise, especially if you intend to audit the finance team. You may have a new product launch planned or a large conference coming up; all of those things should factor into when you audit and when you do not.
5. Smooth Out your Auditing Program
As we have explained, you have complete control over your internal auditing program. That translates directly into your ability to even out the amount of work your auditors must do and when they do it. For example, we tend to plan our clients' internal auditing programs so that ideally no more than two audits happen in any month. Where you are short of skilled auditing resource this really helps manage the workload, and it also means very little disruption for the organisation. It also means that when the external auditor arrives and asks to see your internal auditing program and results, they are not all crammed into the month before the external audit, which, believe me, will affect the view your external auditor takes to their own audit.
We use a simple Excel table to create all our internal auditing plans, which you can download below. As a side note, for most of our clients we can then translate that into a structured, self-managing audit program within their Mango QHSE Audit module so that the audits schedule themselves and alert those involved up front.
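Tips 2, 4 and 5 together describe a small scheduling problem: every process is audited at an interval set by its risk rating, no audits land in blackout months, and no month carries more than two audits. The script below is an added example written for this article; it is not the Excel template or the Mango QHSE module mentioned above. It assumes a mapping of the four ratings onto a 36-month cycle (Critical every 6 months, High every 12, Medium every 24, Low once), an assumed January financial year end as the blackout, and a constructed sample process register. It goes slightly beyond the text in one respect: an audit that cannot be placed anywhere in its interval is reported rather than silently dropped, so an overloaded plan fails loudly instead of quietly losing a critical audit.

```python
from collections import defaultdict
from dataclasses import dataclass

# Months between audits for each risk rating. This is an assumed mapping of the
# article's Low / Medium / High / Critical tiers onto a 36-month certification cycle.
INTERVAL_MONTHS = {"critical": 6, "high": 12, "medium": 24, "low": 36}


@dataclass(frozen=True)
class Process:
    name: str
    rating: str  # one of the keys of INTERVAL_MONTHS


def blackout(months_of_year, cycle=36):
    """Expand months-of-year (1 = January) into absolute month numbers 1..cycle."""
    return frozenset(m for m in range(1, cycle + 1) if (m - 1) % 12 + 1 in months_of_year)


def schedule(processes, blackout_months=frozenset(), cycle=36, cap=2):
    """Place every audit of every process into a month 1..cycle.

    Rules: a process is audited every INTERVAL_MONTHS[rating] months; at most
    `cap` audits land in any one month; nothing lands in a blackout month.
    Start months are staggered within each rating so the load is spread, and
    an audit whose ideal month is blocked slides later, but never beyond the
    month before its next due date, so every interval still contains an audit.
    Returns (plan, unplaced): plan maps month -> process names, unplaced lists
    (name, due_month) pairs that could not be fitted anywhere in their window.
    """
    plan = defaultdict(list)
    unplaced = []
    # Highest-frequency (most critical) processes claim their slots first.
    ordered = sorted(processes, key=lambda p: INTERVAL_MONTHS[p.rating])
    per_rating = defaultdict(list)
    for p in ordered:
        per_rating[p.rating].append(p)
    for p in ordered:
        interval = INTERVAL_MONTHS[p.rating]
        group = per_rating[p.rating]
        # Spread start months evenly across the rating group, capped so that a
        # late start never costs a process one of its audits within the cycle.
        max_offset = (cycle - 1) % interval
        offset = min(group.index(p) * interval // len(group), max_offset)
        for due in range(1 + offset, cycle + 1, interval):
            window = range(due, min(due + interval, cycle + 1))
            month = next((m for m in window
                          if m not in blackout_months and len(plan[m]) < cap), None)
            if month is None:
                unplaced.append((p.name, due))
            else:
                plan[month].append(p.name)
    return {m: names for m, names in sorted(plan.items()) if names}, unplaced


def render(plan, cycle=36):
    """One line per month of the cycle, e.g. 'Y2 M 3: Document control, Access control'."""
    return [f"Y{(m - 1) // 12 + 1} M{(m - 1) % 12 + 1:2d}: {', '.join(plan.get(m, [])) or '-'}"
            for m in range(1, cycle + 1)]


# Constructed sample register: an invented mix of QMS and ISMS processes with ratings.
SAMPLE = [
    Process("Control of nonconforming output", "critical"),
    Process("Information security incident response", "critical"),
    Process("Document control", "high"),
    Process("Supplier evaluation", "high"),
    Process("Management review", "high"),
    Process("Access control", "high"),
    Process("Training and competence", "medium"),
    Process("Internal communication", "medium"),
    Process("Infrastructure maintenance", "low"),
    Process("Calibration", "low"),
]
# Assumed blackout: January is the financial year end, so no audits in months 1, 13, 25.
SAMPLE_BLACKOUT = blackout({1})

if __name__ == "__main__":
    plan, unplaced = schedule(SAMPLE, SAMPLE_BLACKOUT)
    print("\n".join(render(plan)))
    print("unplaced:", unplaced)
```

Run as-is it prints a 36-line plan with 30 audits spread over 17 months, never more than two in a month and none in January; the two Management review audits that would have fallen in a blackout month simply move to the next free month. Feed it your own register and blackout months, and treat a non-empty `unplaced` list as the signal that you need either more auditor capacity or a looser rating.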
Summary
You control your internal auditing program for your ISO Management System. By taking a risk-based approach to your internal ISO auditing requirements you can dramatically improve the benefits to your organisation, getting the right feedback at the right time while smoothing out the work. The result is a great internal auditing program and a dramatic reduction in the stress that can come with keeping on top of it.
Copyright
© Many Caps Consulting | All Rights Reserved