1 INTRODUCTION
Why is the internal audit so important for management systems, and how can it be useful for the company? What will you find in this book? And, is this book the right choice for you?
Note: This book covers the internal audit process for all ISO management standards – ISO 9001, ISO 14001, ISO 27001, ISO 20000, and ISO 13485, but also OHSAS 18001 and IATF 16949 (former ISO/TS 16949) – so when I refer to “ISO standard” or simply “standard,” by this I mean any of these standards. Also, when I mention “management system,” I mean the system that is compliant with any of these standards – e.g., Quality Management System according to ISO 9001, Information Security Management System according to ISO 27001, etc.
1.1 Why companies need internal audits
From my experience as a certification auditor, the sad truth is that most organizations perform internal audits just to satisfy the certification body.
Such internal audits usually uncover a few minor nonconformities and never get to the real problems of the company’s management system. This is very unfortunate, because it is a waste of time – if a company has invested its internal auditors’ time in performing such a job, it should gain some benefit from it.
The point of internal audits is that they should discover problems that would otherwise stay hidden and would therefore harm the business. Let’s be realistic – it is human to make mistakes, so it’s impossible to have a system with no errors; it is, however, possible to have a system that improves itself and learns from its mistakes. Internal audits are a crucial part of such a system.
On the positive side, as a certification auditor I did see some organizations performing internal audits in the right way, and for the right reasons. Although their employees did feel a little uncomfortable about the internal auditor checking their activities, very soon they saw the benefits of such an approach – problems became transparent, and were resolved rather soon.
How are these benefits of the internal audit achieved? Here are some tips:
1) The management should view the internal audit as one of the best tools to improve the system, not only as a means to get certified.
2) The internal auditor should be the right person for the job – this means he/she must be qualified, but also motivated and trained to perform this job.
3) The internal audit should be performed in a positive way – the aim should be to improve your system, not to blame the employees for their mistakes.
In this book I’ll explain how to achieve all this.
1.2 ISO 19011 – A standard focused on auditing
There is an ISO standard that describes how to perform the audits – it is called ISO 19011. It describes the auditing principles, how to manage the audit program, the required activities during the audit, and the necessary knowledge for auditors.
The principles of ISO 19011 can be used for any type of auditing – a certification audit, an audit of suppliers, and of course, the internal audit.
In this book I have included all the main principles of ISO 19011 and scaled them down for the purpose of the internal audit – because an internal audit is not as complex as a certification audit, I have simplified many of the ISO 19011 guidelines to make them easy to apply when performing an internal audit in a small company.
1.3 Who should read this book?
This book is written primarily for beginners in internal auditing and for people with moderate knowledge about internal audits – I structured this book in such a way that someone with no prior experience or knowledge about internal audits can quickly understand how the whole audit process works, and what the steps are for its successful completion.
On the other hand, if you do have experience with internal audits, but you feel that you still have gaps in your knowledge, you’ll also find this book helpful.
1.4 How to read this book
This book is written as a step-by-step guide for auditing, and Chapters 2 to 5 should be read in the exact order they are written, because this sequence represents the best way of planning and performing an internal audit.
Here are some additional features of this book that will make it easier for you to read it and use it in practice:
- Some sections contain tips on free tools and on the documents to be used during the internal audit.
- At the end of the most important chapters, you’ll find a section called “Success factors,” which emphasizes what you need to focus on.
- At the end of this book, you’ll find a chapter that will help you decide whether you want to pursue a career as a certification auditor.
1.5 What this book is not
This book is about the internal audit process; it is not about how to certify your company or how to implement the standard – the implementation process is quite lengthy and involves a lot of steps that are outside the scope of this book.
This book won't give you finished templates for internal audit policies, procedures, and plans; however, this book will explain which documents you will need to perform an internal audit, and how to structure those documents.
This book is not a copy of any ISO standard – you cannot replace reading the standard by reading this book. This book is intended to explain how to interpret the ISO clauses about the internal audit, and describe best practices when performing the internal audit.
Because this book is focused on internal auditing, it does not explain other elements of ISO standards like document management, risk management, operations, measurement, etc.
1.6 Additional resources
Here are some resources that will help you, together with this book, to learn about internal auditing:
- ISO online courses – free online trainings for ISO 9001, ISO 14001, and ISO 27001 internal auditors.
- ISO 27001 free downloads, ISO 9001 free downloads, and ISO 14001 free downloads – a collection of white papers, checklists, diagrams, templates, etc.
- Conformio – a cloud-based document management system (DMS) and project management tool focused on ISO standards that can be used for auditing purposes.
- ISO 9001 Internal Audit Toolkit – a set of all the documentation templates that are required for performing the internal audit; similar toolkits exist for other ISO standards.
- Official ISO webpage – here you can purchase an official version of any ISO standard.
2 BASIC THINGS ABOUT THE INTERNAL AUDIT
In this chapter I’ll give you an overview of the internal audit in the ISO world – its main purpose, how it is different from external (certification) auditing, the exact requirements of ISO standards, how you should select an internal auditor, the main outputs of the internal audit job, etc.
2.1 Internal vs. external audit
As mentioned earlier, ISO 19011 is a standard that describes how to perform audits – it defines an internal audit as one “conducted by, or on behalf of, the organization itself for management review and other internal purposes.” In practice this means that the internal audit is performed either by your own employees or by someone you hire from outside your company to perform the audit on its behalf.
On the other hand, the external audit is done by a third party ...