Best practice for conducting an internal audit

Aaron Hoare Date published: Aug 10, 23

Recently, alongside our partners at A2LA, we hosted a webinar with Jonathan Fuhrman their product certification program manager, about best practices for conducting an internal audit.

Jonathan has a lot of experience in the world of auditing. He supports the day-to-day operations of accreditation by assisting A2LA clients in obtaining and maintaining accreditation to ISO/IEC 17065, ISO/IEC 17025, and ISO/IEC 17020.

As a member of the Electrical and Product Certifications team, he works with Electrical and Mechanical testing laboratories and Certification Bodies operating in fields such as Construction Materials, Energy Efficiency, and Wireless device certifications.

Prior to joining A2LA, Mr. Fuhrman served in Quality Assurance, Market Access, and Factory Surveillance roles and has over a decade of audit experience working with organizations such as A2LA, NVLAP, IECEE, OSHA-NRTL, and the Standards Council of Canada.

So, what did he cover in the webinar? All the fundamentals of conducting effective internal audits. Read on for the full breakdown or, alternatively, watch our recent webinar on key skills for auditors if you are ready to conduct internal audits in your organization.

Why do we perform internal audits?

Conducting internal audits is an important step for any organization. It provides a clear overview of performance regarding quality and compliance objectives, as well as potential areas for improvement.

Additionally, these records may help your organization meet certain third-party requirements, from your accrediting body for example. Moreover, audit results provide management with essential information on the direction in which the organization is headed, especially in terms of opportunities for continuous improvement.

There are a few key points to focus on to keep things simple when thinking about audits:

• Does the organization “say” what they do?
• Do they have written documents (policies, procedures, arrangements) that meet the requirements of ISO 17025/17020/17065, or the standard most applicable to your organization?
• Does the organization “do” what they say?
• Are they in compliance with their own management system the applicable standards?
• And can they “prove” it with their records? From training records to standards preparation to bench sheets to customer reports to audit results and everything in between.

Planning for your internal audit and scheduling

You can break down your internal audit schedule into as many parts as you consider appropriate for your organization. The main consideration for this is usually the size of your organization and the number of processes you have in place. The larger and more complex the organization, it pays to have more parts. However, we strongly advocate that you break down the cycle into four core phases that occur over time. You may be familiar with this popular framework:

1. Plan: map out the audit schedule, the audit checklist, and the individuals who will carry out the audit.
2. Do: perform the audit as scheduled, ask the key questions and examine the records.
3. Check: evaluate data, results, and your degree of conformity.
4. Act: take any corrective actions and finally closure.

It is essential that a thorough yearly audit schedule be established, which covers all of the elements of the management system and technical activities. This should also include any applicable risk analysis. This schedule should indicate when each element will be audited and who will be responsible for it. By doing so, your organization can ensure that your policies and procedures remain up to date.

Selecting your internal auditors

After you’ve planned and scheduled, the next step is to figure out who is going to perform the audit. Remember: you can have the best possible plan in place but if you put the wrong auditor on the job, the value of the audit can be diminished.

Here, once again we’ll mention our recent webinar on internal auditing skills. The webinar will be a great way to either learn how to become an effective internal auditor, or to discover who you may already have in your organization who might be a good fit as an internal auditor. Watch it on demand now.

Ultimately, you need someone who has a sound understanding of the management system, its objectives, and the roles of individuals within the system. They also ideally need to be familiar with the history of the organization and have a background in the applicable areas of the audit. So, if you carry out forensic testing for example, it will pay to opt for an auditor with a decent understanding of the forensic setting.

You should also look for someone who can probe and analyze without coming across as if they are carrying out an interrogation. Positivity and objectivity are two great qualities for your internal auditor.

The auditor will also need to maintain independence throughout the audit. So you don’t want people to be looking in great detail at the areas they actually work in every day and grading themselves, as it were. Audits are about fact finding, not fault finding, so the auditor should really focus on verifying compliance. Audits certainly shouldn’t give the auditor joy when writing deficiencies (especially if they are in other teams than their own job role! It’s not a competition after all.)

The ideal auditor should also have strong communication skills. They need to be clear, brief, direct, and focused on the task at hand. It’s also important to realize that there are three ways of receiving information: seeing, listening, and experiencing (we spend most of our time listening). They should know how to express comments and questions in a positive way, too.

Performing the audit

Here’s a typical audit sequence that we recommend:

1. Conduct an opening meeting.
2. Make the introduction to each auditee, gather the information and evidence, summarize the information with each auditee.
3. Compile a final report.
4. Hold a closing meeting.

There are also a few different ways you can go about gathering information and evidence:

• Ask questions. Inspect
• Inspect facilities and equipment.
• Examine documents.
• Examine records.
• Observe activities.

During the interviewing, your auditor should also be asking key questions like:

• What is happening?
• Why is it happening?
• Where is it happening?
• Why is it happening there?
• When was it done? Why was it done then?
• Who did it? Why was it done by that person?
• How was it done? Why was it done that way?

There also needs to be a method behind your sampling of records. So, discuss the process and pick some records along the way. This is the best option when the process is simple, and records are few. If, on the other hand, the process is complex and there are many documents, start with a random selection of records and then discuss the process based on the records.

Audit reporting and follow-Up

The outcome of the audit needs to be documented. The contents of the report need to include a factual description of the audit activities it covers and provide a fair and accurate picture of the quality system audited. We also recommend including a discussion about the planning and sampling methodology.
A good audit report summary should contain:

• Title/Report Number/Traceable
• Observations and recommendations (though make sure they are identified as such)
• Deviations and non-conformances (make sure you’re clear here so they can complete a root cause analysis)
• Auditor activity commends/concerns,
• Next steps

Closing meeting

This is where you are going to establish which next steps need to be taken and where the outcome of the audit is presented. You will want to avoid delivering surprises during your closing meeting and that you should communicate any potential issues early on to avoid surprising anyone. Setting expectations as you go is therefore essential.

Next steps

You need to quickly and efficiently address all of the corrective actions required. This will involve:

• Performing a root Cause analysis that uses the “5 whys”
• Determine a range of suitable solutions to any issues identified
• Implement and record the actions to be taken and those that are taken
• Monitor how effective your actions have been to maximize long-term effectiveness

Audit follow-up

Once the audit report has been approved, the audit team’s responsibilities are completed. From there, corrective actions are initiated for all non-conformances (deficiencies) identified in the internal audit report. The follow up activities and effectiveness of corrective action is later verified at the direction of the quality manager.

In preparation for the organization’s next internal audit, the following should be considered for placement on the audit schedule for the next internal audit:

• Any area with questions arising from the last audit.
• Any area that had deficiencies identified.
• Any areas not fully evaluated.

Use Ideagen Quality Management to make auditing simple

Ideagen Quality Management is trusted by organizations across the globe to help them manage their compliance and be ready when accrediting bodies perform audits. Powerful quality management software like Ideagen QMS makes all aspects of carrying out an internal audit and ensuring external audit preparedness simple.

Including robust document management, simple CAPA management, training and competence modules, and even a range of dashboards and visualization tools so you can track issues and make improvements, Ideagen QMS will allow you to go beyond compliance.

Interested to learn more about how Ideagen QMS can benefit your organization? Learn more about our quality solutions now and book a conversation with our team.

Discover the right tool for managing your internal audits

Find out more about how Ideagen Quality Management is the perfect tool for carrying out internal audits and ensuring your organization’s compliance at all times.

Learn more