13 Steps for ISO 9001 Internal Auditing using ISO 19011
How can you make internal audits more effective? By using the 13-step method of audit activities outlined in ISO 19011, you can use the same trusted framework that is employed by the certification bodies. The standard also outlines audit principles, auditor competence and setting up an audit program, but in this article I will focus only on the 13 audit activities to follow.
The main 13 steps of an internal audit
The audit activities of ISO 19011 detail the management of the activities for the audits themselves. This formalized approach can help to ensure your internal audits are effective and consistent, and builds the integrity of the internal audit system. These steps are not mandatory (e.g., smaller companies might skip some of them), but they are a best practice for conducting an audit. Below is a flowchart of the process of conducting an individual audit:
1) Initiate the Audit: To start, the auditor must initiate the audit by contacting the process owner to be audited and ensuring the audit will be feasible. It is simply a good idea to make sure someone is available to present evidence when you want to audit, rather than trying to surprise them.
2) Review the Documents: You then need to review the documents for the process. This will help you to know how big of an audit it will be, whether it might take a whole day or only an hour. This knowledge is critical for the next step.
3) Develop Audit Plan: The purpose of the document review is to develop your audit plan of what will be audited, who will do the auditing, when it will happen and who will be audited. Here you decide how the audit will be split up if more than one auditor will be used, and how much time will be dedicated to each process in the audit.
4) Assign Work to Auditors per Plan: Larger audits may assign work amongst several auditors, with each taking more than one process to audit. In this way you can shorten the amount of time that an audit disrupts the processes, such as having three auditors working for one day rather than one auditor working for three days.
5) Prepare Working Papers: The assigned auditor then prepares the audit working papers that will identify what the auditor wants to verify, what questions to ask, and what they expect as evidence. This will be drawn from the QMS documentation and the ISO 9001 standard.
6) Determine the Audit Sequence: The next step is to determine the sequence of the audit, from the opening meeting through presenting audit findings. If done right, the sequence of process audits can help to make the audit flow more easily. One example is starting a large audit with a review of internal audits and corrective actions, which will give you an idea of what weaknesses have already been identified. Another is ending the audit with a review of documentation records and training records, which is easier at that point because the process audits will have identified records to review.
7) Conduct Opening Meeting: The audit begins with an opening meeting. This is to reiterate to the auditees that this is not a surprise audit, and is there to verify conformance rather than to find fault. Some fine tuning of the audit times can be done at the opening meeting, as well as making sure that everyone understands the scope and extent of this particular audit.
8) Review Documents and Communicate: After the meeting, any documents immediately presented by the auditee should be reviewed to gather relevant information that might not have been available before (an example would be a process improvement that is being used on a trial basis, but is not yet in the documentation). A general rule is that communication should be maintained throughout the audit (sometimes an audit guide is used, especially with external auditors).
9) Carry out the Audit: This step is often thought of as the actual audit. The auditor asks the questions, and collects the records and observations that will demonstrate if the processes meet the QMS requirements. Again, it is important to remember that an auditor is there to try to verify that a process conforms to the requirements set out, not to dig until fault is found.
10) Generate Audit Findings: After the auditor finishes the verification, they must generate the audit findings and prepare any audit conclusions to be presented. If all is found to be conforming, then there will be no corrective actions presented; but if not, then the corrective actions need to be properly prepared. It is equally important to highlight best practices in a process as it is to identify any shortcomings. Some companies also use a process of having internal audits identify opportunities for improvement (OFIs), which the process owner can review and accept if they wish.
11) Present Findings and Conclusions: The findings and conclusions are then presented, normally at a closing meeting, in order for the process owners to understand and ask questions as well as present clarification if something was misunderstood in the audit.
12) Formally Distribute Audit Report: The final findings are formally written and distributed in an audit report. This gives everyone an easy reference on actions needed, as well as providing a record of the outcome of the audit.
13) Follow Up on Actions / Corrective Actions: Probably the most important part of an audit is for the auditor to follow up on any actions, as a way of ensuring remedial action is taken and completing the audit. Without follow up of corrections and corrective actions, the same problems could be found continually during subsequent audits, which defeats the purpose of the audit being done. For more information, see Seven Steps for Corrective and Preventive Actions to support Continual Improvement.
Why it is a good idea to use ISO 19011 to plan your internal audit process
In a QMS audit process it is important to make sure you do not miss anything important, such as auditor knowledge and proper audit planning, so using a known method to set up your process can help make implementation easy. ISO 19011 provides this method.