How to conduct an internal audit
Conducting internal audits is an important part of maintaining and improving a management system. Through an internal audit, your organization assesses whether processes are carried out as intended and whether the management system meets the requirements of the applicable standard and the organization’s own arrangements.
But how do you conduct an internal audit? What should you consider, and which steps are important? In this article, we explain how an internal audit of a management system can be prepared, conducted, reported and followed up.
Guidance for internal audits
The ISO 19011 standard provides guidance for auditing management systems. It covers, among other things, the principles of auditing, managing an audit programme, conducting audits and evaluating the competence of auditors.
ISO 19011 can be used as practical support when planning and conducting internal audits. The guidance is applicable to organizations that need to conduct internal audits of management systems or manage an audit programme.
Conducting an internal audit
An internal audit requires a structured approach. This allows your organization to assess whether the management system is functioning effectively and whether processes meet the requirements of the standard, internal policies and internal procedures.
Below are the key steps for conducting an internal audit.
1. Preparation
Start by defining the audit objective, the audit scope and the audit criteria. Determine which part of the management system will be assessed, which processes will be reviewed and which documents, records or requirements are relevant. Then plan the audit activities and inform the employees involved in good time. Proper preparation contributes to an efficient audit.
2. Document review
Review the relevant management system documentation in advance. This may include policies, procedures, work instructions, records, objectives, performance indicators and previous audit results. This document review helps the internal auditor understand the processes and conduct the audit in a more focused way.
3. Conducting the audit
During the audit, the internal auditor collects audit evidence. This can be done by conducting interviews, reviewing documents and records, and making observations within the organization. The auditor assesses whether processes are carried out in accordance with the requirements and whether the management system has been effectively implemented. Findings should be based on objective audit evidence.
4. Findings and analysis
After the audit activities have been completed, the auditor analyses the information collected. The findings are evaluated against the audit criteria. This may result in confirmations of conformity, points of attention, opportunities for improvement or nonconformities. A nonconformity means that a requirement from the standard, the management system or the organization’s own arrangements has not been fulfilled.
5. Reporting
Record the results of the internal audit in an audit report. The report should describe, among other things, the audit objective, audit scope, audit criteria, audit method, findings and conclusions. Communicate the report to the relevant stakeholders, including top management. The results of internal audits often also provide input for the management review.
6. Follow-up
When nonconformities or other issues have been identified, management determines which corrective actions are needed. It should then be checked whether these actions have been implemented and are effective. Follow-up of internal audit findings is important for improving the management system and preventing recurrence of nonconformities.
Internal audit as preparation for certification
An internal audit is also an important step in preparing for a certification audit. During a certification audit, an independent auditor assesses whether the management system meets the requirements of the standard.
Do you have your first certification audit soon? A well-conducted internal audit can help identify potential points of attention in advance. You can also consult our certification checklist for more steps in preparing for certification.
Internal or external audit?
Internal audits and external audits both assess aspects of a management system, but they have a different role and purpose. If you want to understand the difference, read our article about internal and external audits.
Conclusion
Conducting an internal audit requires careful preparation, execution, reporting and follow-up. By applying a structured approach, your organization gains insight into the performance of its management system and potential areas for improvement.
Also review the internal audit requirements in the management system standard that applies to your organization. In many management system standards, these requirements are included in clause 9.
