ISO Standard Internal Audit. Some Reflections

Nov 12, 2019


The content in this blog was accurate at time of publishing, however as standards (and the understanding of their application) change, some of this information may no longer be applicable.
If you have any questions on this or the other topics we’ve covered, please get in touch and we can discuss any queries you may have.

I’ve yet to meet a customer who actually looks forward to an ISO standard internal Audit.

Taking your blood pressure, weighing yourself. Yes, you need to do it, and yes you may not like the results. Likewise internal audits. You are about to analyse the standard you spent blood, sweat, tears and budget to obtain. This is the time to see if it actually works. You are checking some vital parameters of health. Check these things in the privacy of your own home (internal audit!), or face humiliation in the doctor’s surgery (recertification day!). Your external auditor plays the role of the medic. It’s best to be one step ahead.

Good (-ish) News

Well, that’s the slightly scary side. However, it’s not all bad; the benign side of an Internal Audit is that it will reveal ways to simplify. It should make implementation of the systems easier. It generates the important evidence. Therefore, an internal audit can be your critical friend. It’s an opportunity to make things easier while also ensuring that any legal requirements are met.

Independence, Detachment, and Weaponry

In some ways internal audits can be more difficult for the assessor than external ones. How can you maintain a level of detachment as an employee? Furthermore, how do you not use an audit as an opportunity to persecute those you don’t like etc? Yes, I have seen internal audits used as weapons of corporate sabotage.

Checklists, Clarity, and Reality

External auditors can be critical of audit checklists. This is despite them using them, even if they’re held in their minds rather than on paper. External auditors spend their lives reading standards and looking at processes. Therefore, they tend to be able to memorise them. However, with the advent of Integrated Systems covering multiple standards, this is getting harder. Should you use a checklist, template, or similar? An internal audit is about brutal reality. Provided a checklist is based on business reality, we would say “yes”. However, a hoop-jumping tick sheet which does not consider the vital processes of your business belongs in the shredder.

The Experts Use Them, Too.

If you are unfortunate enough to be audited against some of the more difficult standards (ISO 13485, AS9100, IATF 16949 etc), you will inevitably find the auditor uses a checklist. This is because of the complexity of the standard and the amount of information which they have to put into their report in order to get you certified/accredited.

An Example!

Recently, as an exercise, we considered how we would “talk through” a newly-appointed member of our team during an internal audit done on behalf of a customer. Hopefully, this will give an insight into the thought processes of the task. It addresses a classic manufacturing process and the procedures pertaining to it.

Here’s what one of our senior consultants asked a junior one to carry out. It’s an ISO Standard Internal Audit for ISO 9001:2015.

This is what the senior consultant wrote:

Contract Review

Get a hold of the enquiry for the orders concerned, then the “design” work which was completed and the costing for the work. Compare that with the order that was received – have there been any changes, has the customer requested anything additional, are the products properly specified (size, weights, specification of parts layout drawings etc). It’s useful if you can get copies of the order and the related drawings/parts lists. There can be problems with controlling design changes so make sure all the versions/issue states stack up and any changes are properly defined.

In the Warehouse, find out how…

How do they:

  • receive the parts lists for jobs?
  • make sure they have the parts required for upcoming jobs?
  • find all the parts they need?

Does anything need special handling because it’s heavy, sharp or difficult to handle? If so, what do they do, and is there a relevant risk assessment?

Are they handling any chemicals? If so, is there an emergency procedure in case anything gets spilled? Are any flammable goods locked away in a fireproof cabinet or stored outside (check any fuel cans are empty!).

How many people can drive a fork lift? Make sure the drivers have valid licences.

Are the fire exits properly marked and kept clear?

When was the last evacuation test, and are there records of it taking place?

Are the floors kept clear and clean?

Assembly

Select a few recent orders, preferably larger significant ones; I usually go for about half a dozen. Make sure you write down (i.e. type into the report) the names and order numbers/job numbers because you need to trace them through the whole process.

In the assembly area find the orders and work through each one in turn.

Check the order details, parts list and drawings are the same as those you got from the orders. If not, why not? Who authorised the changes, and how have they been controlled into the assembly area to make sure the customer’s requirements are properly understood by the guys doing the work?

Has the assembly been inspected/checked yet? If so, by whom, and where is the evidence? Do order numbers, versions etc stack up?

Are any electrical tools or calibrated measuring equipment being used? Check serial numbers and that records of PAT test or calibration are in date.

Are the assembly areas clean and tidy, with all trip hazards removed? Are fire exits obvious and clear? Are they using air powered tools? If so, where is the compressor, when was it last serviced, was the oil changed, and if so what happened to the waste oil? If removed, have they got a waste transfer note from the service engineer covering it?

Has the emergency lighting in the assembly area been tested? If so, when?

General

Has anything changed since the last visit – in terms of people, facilities, machines, types of work, quantity of work, and if so, does it have an impact on the management system and do we need to change any of the documents?

Did everyone know what they were doing and could they answer your questions?

Are there any new people employed? If so, is there evidence they have been informed of the requirements of the three systems?

Are the Quality, Environmental and Health and Safety policies communicated to the work force?

Is progress toward meeting the objectives and targets underway, are there any problems?

When it comes to the questions above which refer to orders I’ve found it easier to compose the report if I tabulate the questions, so you get something like:

Questions

Choose five orders and work through the following points:

Order 1 (to 5)

  1. Identifier (i.e. Project or customer name)
  2. Order No/Job No or whatever they use
  3. What was the job
  4. How was it specified
  5. Were there changes between enquiry and completion
  6. Were they properly communicated
  7. What was the date/version of the part list
  8. What was the date/version of the drawings

Need Help?

Hopefully this gives you some idea of the process and rigour involved in an ISO Standard Internal Audit.

Meanwhile, if you are still concerned about any aspect of an ISO Internal audit, we are far more than people with clip-boards and checklists. Our experience spans a large range of industries. We can probably help. Please drop us a line.