Internal ISO 9001 Audit—Preparing for Certification
For any organization aiming for a certification to ISO 9001, an internal audit is a mandatory prerequisite. In this article I explain why internal audits are a key driver for organizational self-control and development, and how they are conducted.
Internal Audits—a Key Driver for Organizational Development
Internal audits are typically 1st party audits conducted with the intention of organizational self-control that cover the entire organization or clearly defined parts thereof, and have been a mandatory element in the ISO 9001 standard since its first publication in 1987—for good reasons.
Let me explain this by looking back at my previous article, where I established a definition of quality, which is tailored to fit the principles of quality management systems in general and the ISO 9001 standard in particular.
“At the end of the day, quality is when your customers perceive your products or services as high quality. This is the case when they receive what they have ordered, in the form in which they ordered it, at the agreed time, in the agreed quantity, and so on. If a company can deliver this quality all (or at least most of) the time and not just on coincidence, it is very likely that they have some sort of quality management in place.”
Every organization that is seeking (re-)certification for its quality management system or that simply wants to improve it must ask itself:
- How good is my QM system?
- How is my QM system designed?
- What are the strengths and weaknesses of my QM system?
- Is my QM system compliant with ISO 9001 (or another standard of choice)?
The internal audit is an excellent tool to take a close look at your organization, question and benchmark it, and thus come to a well-founded evaluation that should, ideally, give you the correct answers to these questions. This should be the basis for the continuous development and improvement of your organisation, with the internal audit being the indispensable institution of regular self-control. This involves internal audit planning as well as the documentation of findings, risk analysis, and defined measures.
From Theory to Practice
Clearly structured processes based on a well thought-out and sustainably developed strategy are the prerequisite for both plannable and trackable goals and results. In an internal audit, you can find out whether an organization can live up to this aspiration or not.
Every internal audit begins with a professional review of the existing documentation, which serves as a basis for the following audit steps. Usable audit results can only be achieved if processes are examined in parallel to the practical workflow, virtually on the living object. This includes the review of documented specifications, the comparison of agreed process flows with actual practice and the comparison of the results achieved with the planned goals.
This also means that an internal audit is always a challenge to the social and communicative skills of the persons involved. When the auditor looks at the practical implementation of a process, he observes, accompanies, and interviews the employees involved. This sometimes leads to discussions that must be conducted correctly. Here, the repeatedly confirmed premise applies that the root cause of problems lies, almost without exception, in the system itself. Possible causes of problems are, e.g., system inconsistency, lack of clear communication, gaps in the documentation, etc. Finding such potential for improvement is exactly what you should aim for in an internal audit.
Objectivity is Invaluable
One of the great advantages of an internal audit, especially with regard to the continuous improvement of the organization, is the fact that it forces the employees to give up their daily view, take an objective standpoint, and openly think about possible alternatives to existing regulations and circumstances. In this respect, an internal audit offers much more freedom than an external certification or supplier audit.
This is also the reason why internal audits are usually conducted more thoroughly than external audits and are experienced by employees as much more intensive. However, the people involved often find it very difficult to be questioned by colleagues they are often familiar with and to comment as clearly as possible on processes, situations, and conditions. The organisation can circumvent this by appointing external auditors to carry out its internal audits. Many consultants offer this service in their portfolio.
From Findings to Improvements
Whether you choose to carry out internal audits within the organisation or commission them externally, at the end of the day you have to deal with the results of the audit, with the most pressing question being: what should be done if problems or inconsistencies have been found in the structural or process organisation of the organisation?
First, the audit results must be summarized and analyzed in a structured manner in order to then derive concrete actions to change and improve the organization. At this point, all decision-makers and process owners are called upon to weigh up the results and appropriate measures for improvement, and to decide how to proceed. This is where the course is set to effectively and efficiently translate the findings of the audit into concrete, measurable improvements.
Ideally, implemented improvements should demonstrably lead to more efficient processes, clearly defined responsibilities, reduced costs without any loss of quality, better coordinated and clearly communicated interfaces, etc., which leads us to the well-known Plan-Do-Check-Act (PDCA) Cycle, also known as Deming Cycle or Shewhart Cycle (figure 1).
After the Audit is Before the Audit
Internal audits are also conducted according to the PDCA Cycle. They are planned and coordinated with respect to specific focal points, the results are analysed, and the findings are implemented. This cycle continues on a rolling basis, leading to constant change and improvement as well as to an increase in the performance and maturity of the organization.
Each audit leads to an increase in the organization’s degree of maturity, which then gradually decreases again in the course of the daily work routine. In order to ensure a constant increase in the organization’s maturity, audits (internal or external) must be planned at regular, not too large intervals, so that the slow drop in performance is stopped before the performance improvement achieved by the last audit is completely lost again. This phenomenon is known as the Audit Effect, which is illustrated in figure 2.
Other Forms of Audits
The internal audit is only one step on the way to successful certification to ISO 9001. Another requirement is to evaluate your suppliers—and in specific industries it is even common to conduct so-called 2nd party or supplier audits. Most often, these audits are only one part of a broader supplier development program.
To achieve certification, a so-called 3rd party or certification audit needs to be passed successfully. This external audit is commissioned by the organisation and carried out by an independent certification body. The obtained certificate then confirms that the organisation works in compliance with the standard, in this case ISO 9001.