Internal auditing, the process
by which an organization examines its ability to meet internal
and external requirements, can be one of the most effective
tools for triggering continual improvement. It can also
be an expensive waste of time and a source of endless frustration
and conflict. Which it becomes for you depends on how your
organization plans and manages its audit system.
Auditing is not only a balancing act--identifying positive
and negative aspects of a company’s performance--but
also a planned activity, with auditors and auditees agreeing
on the audit’s time, place and scope. Surprise audits
are neither necessary nor desired. Internal audits generally
use an organization’s existing personnel for the task,
although outsiders are occasionally called in.
Internal audits offer huge benefits, both to the organization’s
top management and the auditors. Top managers can:
- Discover what’s really going on within the organization,
  which allows for more objective decision making
- Learn of potential problems before they explode into issues
  that pose significant risk to the organization
- Ascertain where failures occur, enabling the containment
  of these problems and initiation of corrective action
- Identify where resources should be directed
- Determine how effective their training efforts are
- Learn which processes and personnel are particularly effective,
  which can trigger recognition
For their part, internal auditors:
- Gain exposure to other parts of the organization, which
  broadens their experience
- Are exposed to best practices they can implement in their
- Learn how they contribute to the organization’s success,
  which increases motivation and employee retention
- Expand the organization’s competency and knowledge
  base through their experience
An effective internal audit system must work in concert
with other systems, especially corrective and preventive
action. An internal audit takes a snapshot of the organization,
identifying nonconformities, opportunities for improvement
and positive practices. Auditors don’t propose specific
actions, fixes, solutions or recommendations. They simply
identify where failures and successes occur. By their nature,
audits typically identify more failures than successes,
and these failures are called audit nonconformities.
To identify a nonconformity, a requirement is needed.
You might have a concern, remark or opportunity, but it’s
not a nonconformity unless it’s clearly tied to a
requirement, a fact that’s often overlooked.
Any activity, process or outcome that doesn’t meet
requirements is a nonconformity. A number of sources, such
as ISO 9001, inspection checklists, purchase orders and
product specifications, could introduce specific requirements
the organization must implement. The auditor’s opinions,
notions, philosophies and personal experiences, however,
don’t constitute requirements. When people audit with
an eye toward driving continual improvement, requirements
are sometimes “invented,” albeit usually with
good intentions. One of the best techniques for ensuring
audit nonconformities are written correctly is insisting
that they’re structured in two parts:
- Requirement--Exactly what the organization has
  committed itself to do
- Finding--Exactly what the organization has or hasn’t
  done that contradicts the requirement
Objective evidence is a factual recounting of what was
seen, heard or experienced during the audit. Gathering this
evidence takes the most time and effort.
It is recorded in the “finding” portion of
the requirement and describes exactly how the organization
failed to fulfill the requirement.
Objective evidence meets a number of criteria. Among other
- Not subject to bias or prejudice. Auditors can’t allow
  their personal feelings to influence their interpretation
  of the evidence.
- Traceable. As many identifiers as possible should be recorded
  (e.g., date, time, function, department, machine, customer,
  order number and product code).
- Expressed as simply as possible. Sometimes auditors will
  provide a paragraph or more of detail, thinking that more
  data will provide more convincing evidence. However, the
  objective evidence is best streamlined and to the point.
Objective evidence is stated in such a way that the first
half of the nonconformity directly contradicts the requirement.
Enough detail is provided to facilitate traceability--but
not so much that it overwhelms. Auditees expect concise
and clearly written findings.
Consider the following correct audit write-up:
Requirement: The general manager stated that all employees
are expected to understand the facility’s key measures
and how to contribute to them. (Note that the requirement
comes from the general manager’s statements, which
function as requirements when he’s talking about something
under his control.)
Finding: Three out of five employees sampled randomly in
the shipping department didn’t understand the facility’s
key measures or how to contribute to them. (Note that the
finding’s language mirrors that of the requirement,
stating exactly how the organization failed to meet its
commitment. The sample size is defined, and the location
is also identified. Employee names, however, are appropriately
Now look at this incorrect write-up:
Requirement: All employees should understand key measures.
(Note that it isn’t clear whether this is an opinion
or a requirement. Where did this “should” come
Finding: Employees were ignorant of the organization’s
objectives and strategic direction, and they were obviously
unprepared to assist in continual improvement. (Note that
here, the finding’s tone is subjective and accusatory.
Sample size and other identifiers are omitted, which provides
It generally takes a number of audits before an inexperienced
auditor can confidently draw conclusions from objective
evidence and write nonconformities clearly and concisely.
Practicing the audit process with an experienced auditor
is time well spent.
One of the best ways to understand the system and its
effectiveness is through people: how they receive and interpret
information, carry out instructions, produce goods and deliver
services according to requirements, and satisfy customers.
Nevertheless, an audit must always focus on the system itself.
Some auditees might suspect that an audit constitutes
a personal attack on their jobs, and auditors must be prepared
for that reaction. They should calmly explain that the audit
process is all about the system, put the auditees at ease
and depersonalize the process as much as possible. If people
are uneasy about the audit process, they won’t provide
objective evidence, and the audit, in turn, won’t
trigger continual improvement.
Does this mean people never screw up? Of course not. But
when failures are identified during an audit, they’re
system failures. Very few nonconformities occur due to willful
employee misconduct. If someone makes a mistake or fails
to carry out a job step, it’s usually because the
system is flawed and error-prone. Fix the system, and people
will have less opportunity to screw up.
Not all organizational processes have the same strategic
significance. An internal audit system that’s oriented
toward continual improvement will focus on strategic issues.
Most management system standards such as ISO 9001 require
that organizations schedule audits based on status, importance
and prior audit results. This means organizational processes
with more strategic importance will be audited more often.
The following audit questions reflect on processes that
typically have high strategic importance:
- Customer satisfaction. What methods does the organization
  use to capture customer perceptions? How are data on customer
  perceptions reported and analyzed? Has overall customer
- Corrective and preventive action. Is there proof that root
  causes or potential root causes are being identified? Are
  actions taken to eliminate root causes or potential root
  causes? Are data on corrective and preventive actions reported
- Leadership. Has the organization determined its mission
  and strategy? Are organizational performance and direction
  communicated throughout the organization? Has top management
  led the review and action on key measures and other important
  information that indicates organizational success?
- Internal auditing. Do auditing schedules clearly reflect
  the strategic importance of processes and the results of
  previous audits? Does the organization’s management
  take corrective action on nonconformities raised by audits?
  Are the corrective actions effective, based on the evidence?
- Design and development. Are design inputs and outputs recorded
  and approved? Is progress against the design plan periodically
  reviewed? Is the design process’s output validated
  under conditions of application or use?
- Transformation. How is work planned and scheduled? What
  information guides work performance in general? How do employees
  receive feedback on their work? Do employees understand
  how their efforts affect key measures?
These audit questions are examples and might not be applicable
to all organizations. Other processes could have strategic
significance, depending on the organization’s nature
and competitive environment.
Many audits produce poor results because auditors haven’t
received proper instruction or been given opportunities
to practice what they’ve learned. The organization
must invest the necessary time and effort in making its
auditors competent and confident before they’re assigned
Auditors must be familiar with:
- Practical interpretations of the standard adopted by the
- The audit’s purpose and how it drives continual improvement
  (i.e., by providing a balanced picture of the organization
  and triggering corrective and/or preventive actions)
- Phases of the audit and various activities within each phase
- Sources of audit requirements (e.g., the standard, procedures
  or sales orders)
- Methods of gathering objective evidence and drawing valid
- Diplomacy skills and effective interpersonal communication
- Audit role-playing under controlled conditions
- Writing nonconformities in the prescribed format
- Actual auditing with an experienced auditor
Auditor training doesn’t necessarily need to be
formal or even classroom-based. The style and format of
training will differ significantly from one organization
to the next. However, auditors must have a conceptual understanding
of the process and a practical grasp of techniques, both
backed up by sufficient practice. When auditors truly understand
their roles and responsibilities, the process should result
in strategic continual improvement.
A successful audit almost always results when an individual
takes personal ownership of the process. He or she must
be able to carry out the following five complex and linked
activities, which create strategic continual improvement.
An audit schedule defines the auditing that will take
place during an extended period of time, usually six months
or a year. The purpose of the schedule is to communicate
when and where the audit team’s services will be needed,
when the organization can expect to be audited, and what
requirements will be included in the audit.
Audits scheduled far in advance always produce better
results. Note, too, that the processes considered more strategically
important to the organization are scheduled for audits more
often. Processes and functions that have performed poorly
in previous audits are also scheduled for frequent audits.
Regardless of other considerations, all processes, functions
and departments within the scope of the management system
must be audited at least once a year.
The schedule can be keyed to organizational processes,
departments, functions, facilities, an ISO standard element
or something else. However, it must clearly communicate
which audits are coming up and when. Audit schedules should
provide enough detail to guide the overall process and help
with the next step, audit planning.
An audit plan is focused, detailing a single audit’s
scope, objectives and agenda. The plan provides a chronology
of the audit from start to finish: which processes will
be audited, exactly when they’ll be audited, who will
do it and which requirements will be audited in each segment.
Even details such as meetings, breaks and lunches are shown
on the plan in order to clear up any timing conflicts between
auditees and auditors and keep the audit on track.
Typically, the audit plan is distributed several days
prior to the audit. Auditees often request alterations to
the plan based on logical concerns and existing commitments.
By all means, modify the plan to accommodate them. The one
variable that usually never changes, however, is the audit’s
The audit’s on-site phase consists primarily of
gathering evidence. The lead auditor takes part in this
and also manages the overall process. These duties typically
- Leading the opening meeting
- Managing and communicating changes to the audit plan
- Ensuring that the audit stays on track
- Insisting that auditors remain objective, consistently evaluating
- Encouraging auditors to write up their findings during the
  audit to avoid a time crunch directly before the closing
- Reviewing all nonconformities to ensure that they’re
  logical, valid and clear
- Providing performance feedback to audit team members so
  individuals can target areas for their personal improvement
- Resolving all conflicts constructively
- Apprising the auditee of the audit’s progress
- Leading the closing meeting
- Ensuring that the entire audit is conducted professionally
If these duties sound difficult, it’s because they
are. Many organizations have ineffective audit processes
because the so-called lead auditor doesn’t understand
his or her responsibilities. An accredited lead auditor
course is a very good investment for individuals who function
as lead auditors for their organizations.
The first formal reporting that takes place during an
audit is the closing meeting. The lead auditor presents
a verbal summary of the audit, including positives and negatives.
Depending on the audit’s size and duration, the closing
meeting might last from 15 minutes to more than an hour.
The meeting allows for back-and-forth dialogue between auditors
and auditees. During the closing meeting, auditee management
is presented with the written audit observations and/or
corrective action requests, and these form the basis for
discussion of the audit results.
Subsequent to the closing meeting (and occasionally during
the closing meeting), an audit report is presented to the
auditee management. This summarizes the audit’s overall
themes and trends. Usually it’s written by the lead
auditor, based on evidence gathered by the entire audit
team. The report doesn’t belabor every audit observation
because these should have already been addressed during
the closing meeting. Audit reports should be as concise
and streamlined as possible. Graphics such as matrices and
Pareto diagrams are helpful.
The auditee management is usually asked to respond to
audit nonconformities by an agreed date. The response should
include investigation into the root cause, proposed corrective
action and a date when the action should be completed.
The lead auditor reviews the responses to determine whether
the investigation and proposed corrective actions are adequate.
This is the first stage of verification.
One of the most important jobs the lead auditor and auditing
team can perform is a careful scrutiny of auditee responses.
Accepting weak investigations and/or corrective actions
does nobody any favors and certainly doesn’t trigger
continual improvement. If a response doesn’t identify
a plausible root cause or propose a corrective action related
to it, the lead auditor must diplomatically reject the response
and explain to the auditee why it’s inadequate. The
auditee is the audit process’s customer and should
be treated with the same respect that any other customer
The second stage of verification occurs when the auditee
notifies the lead auditor that corrective action has been
implemented. At this stage, the lead auditor or a team member
will verify that the corrective action has been fully implemented
and the root cause of the original nonconformity has been
Verification is sometimes performed by reviewing records
or documents submitted by the auditee; alternatively, an
on-site visit is made to review evidence in person. The
nonconformity’s nature and significance will determine
whether on-site verification is necessary.
Once all audit nonconformities have been addressed with
effective corrective action, the audit is considered closed.
However, this doesn’t mean it’s forgotten. A
high-level discussion of audit results is an important input
to the business review process, and audit trends influence
resource allocation and strategic decision making.
Craig Cochran is a project manager with the Center
for International Standards & Quality, part of Georgia
Tech’s Economic Development Institute. He’s
a RAB-certified QMS lead auditor and the author of Customer
Satisfaction: Tools, Techniques and Formulas for Success,
available from Paton Press (www.patonpress.com).