How to Audit an Internal Audit Program

How do you audit an internal audit program? Let's begin by reviewing the definition of an audit from ISO 9000:2005, Fundamentals and Vocabulary, clause 3.9.1. An audit is:

“a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.”

In other words, an audit is a planned, organized, and documented set of activities performed by impartial and objective auditors. The audit process collects evidence from an area to evaluate conformity to the applicable requirements. Audit evidence is factual, not based on opinion or hearsay.

The sources of audit evidence are:

  1. Statements (noted during audit interviews)
  2. Observations (made watching the activities)
  3. Documents (reviewed before and during the audit)
  4. Records (examined to evaluate past conformity)

The primary audit criteria are:

  1. Standard (e.g., ISO 9001:2000)
  2. Company (organization’s requirements)
  3. Customer (as expressed in contracts and orders)
  4. Legal (from statutes and regulations)

According to ISO 9001:2000, clause 8.2.2, internal audits must be conducted at planned intervals to determine if the quality management system conforms to planned arrangements, requirements of the standard, and requirements of the organization.

In addition, internal audits must verify that the quality management system has been “effectively” implemented and maintained. The responsibilities and requirements for planning audits, conducting audits, reporting results, and maintaining records must be defined in a documented procedure.

An audit program includes all the activities needed to plan, organize, and conduct the scheduled audits. The audit program must be planned to consider the status and importance of the areas to be audited, as well as the results of prior audits.

The audit criteria, scope, frequency, and methods must be defined. Auditors must be selected to carry out impartial and objective audits. This doesn’t mean that you must show organizational independence, just that auditors can’t audit their own work.

Management must ensure that corrective actions are taken without undue delay to eliminate the detected nonconformities and their causes. Follow-up activities must verify that the actions were implemented and report the results.

ISO 9004:2000, Guidelines for Performance Improvements, clause 8.2.1.3, suggests that an organization:

  • Establish effective and efficient internal audits
  • Assess strengths and weaknesses of the QMS
  • Use audits as a management tool for an independent view
  • Obtain objective evidence that requirements are met
  • Judge effectiveness and efficiency of organization
  • Ensure improvement actions are taken on results
  • Establish flexible audit plans for internal audits
  • Permit changes in emphasis based on evidence
  • Develop plans with input from areas to be audited
  • Consider planning input from interested parties

ISO 9004:2000 also recommends internal audits assess the following subjects:

  • Effective and efficient process implementation
  • Opportunities for continual improvement
  • Capability of processes
  • Effective and efficient use of statistical techniques
  • Use of information technology
  • Analysis of quality cost data
  • Effective and efficient use of resources
  • Process and product performance results
  • Performance measurements: adequacy and accuracy
  • Improvement activities
  • Relationships with interested parties

And, when reporting the audit results, ISO 9004:2000 suggests you share evidence of excellent performance, provide opportunities for recognition, and motivate people.

Remember, these are guidelines, not requirements. A nonconformity report can only be written against a requirement of the standard. However, the absence of a suggested audit practice may identify an opportunity for improvement to include in your audit report.

So, an audit of an internal audit program should be able to answer questions such as:

  • Are scheduled audits conducted as planned?
  • Are all functional areas and shifts being audited?
  • Are the auditors competent and impartial?
  • Do audit reports show the audit procedure is followed?
  • Is the audit schedule adjusted based on past audit results?
  • Is more audit attention given to the high-risk areas?
  • Do audits examine both conformity and effectiveness?