Best Practices for Conducting an Internal Audit

In our latest webinar with our partners at A2LA, we heard from Jonathan Fuhrman, their product certification program manager, about best practices for conducting an internal audit.

A little about Jonathan’s background: he supports the day-to-day operations of accreditation by assisting A2LA clients in obtaining and maintaining accreditation to ISO/IEC 17065, ISO/IEC 17025, and ISO/IEC 17020. As a member of the Electrical and Product Certifications team, he works with Electrical and Mechanical testing laboratories and Certification Bodies operating in fields such as Construction Materials, Energy Efficiency, Halal, and Wireless device certifications. Prior to joining A2LA, Mr. Fuhrman served in Quality Assurance, Market Access, and Factory Surveillance roles and has over a decade of audit experience working with organizations such as A2LA, NVLAP, IECEE, OSHA-NRTL, and Standards Council of Canada.

While this blog will serve as a general overview of the webinar, I recommend you watch the full recording available here. The full recording provides a lot of information in great detail and includes a 20-minute Q&A session at the end full of great questions from your peers in the industry. You don’t want to miss that!

So, with that said, let’s dive in!

Why do we perform internal audits?

There are multiple reasons that your organization might need or want to conduct an internal audit. First off, the audit records can serve as an objective picture of where your organization stands in respect to quality and compliance goals. Beyond that, audits can be an investigative exercise to look for opportunities for improvement.

One major reason for conducting internal audits is to meet third-party requirements (like from your accrediting body!).

You could also use the results of internal audits to serve as a status report for management. It’s going to give them insight into where the organization stands and where it’s headed in relation to its goals. It can give management an idea of how to steer the organization moving forward.

According to Jonathan, there are a few main ideas to think about that will help keep things simple:

1. Does the organization “say” what they do?
2. Do they have written documents (policies, procedures, arrangements) that meet the requirements of ISO 17025/17020/17065?
3. Does the organization “do” what they say?
4. Are they in compliance with their own management system and ISO 17025?
5. And can they “prove” it with their records? From training records to standards preparation to bench sheets to customer reports to audit results and everything in between.

Planning and scheduling

The internal audit cycle can be divided into as many parts as is appropriate for your organization. However, Jonathan breaks the cycle down into four core phase that occur over time:

1. Plan: the audit schedule, the audit checklist, and the auditors.
2. Do: the audit as scheduled, ask the questions, and examine the records.
3. Act: degree of conformity.
4. Check: corrective action/closure

One thing to think about when putting together that audit schedule is to address all elements of the management system and the technical activities. That includes all policies and procedures. This needs to be done each year and should include risk analysis when applicable. The schedule should also define when each element will be audited and who is responsible for each audit.

Selection of Auditors

After you’ve planned and scheduled, the next step is to figure out who is going to perform the audit. Keep in mind — you can have the best possible plan in place but if you put the wrong auditor on the job, the value of the audit can be diminished.

Jonathan says you need somebody who has a solid understanding of the management system and the objectives. They also need to be familiar with the history of the company and a background in the areas of the audit. You want someone who is going to be able probe and analyze without giving off an interrogative vibe when they’re interviewing the team. Positivity and objectivity are important. The auditor needs to maintain independence throughout the audit – so you don’t want people to be grading their own work. Audits are about finding facts, not faults so the auditor should really focus on verifying compliance. Audits shouldn’t give the auditor “joy” when writing deficiencies.

An ideal auditor also needs to have strong communication skills. They need to keep it simple by being clear, brief, direct, and focused. It’s also important to realize that there are three ways of receiving information: seeing, listening, and experiencing (spend most of your time listening). They also need to know how to express comments and questions in a positive way.

Performing the Audit

Here’s another typical audit sequence that Jonathan recommended during the webinar:

1. Conduct an opening meeting,
2. Make the introduction to each auditee, gather the information and evidence, summarize the information with each auditee,
3. Compile a final report,
4. Hold a closing meeting.

There are also a couple different ways you can go about gathering information and evidence:

1. Ask questions,
2. Inspect facility and equipment,
3. Examine documents,
4. Examine records,
5. Observe activities.

During the interviewing, your auditor should also be asking key questions like:

• What is happening?
• Why is it happening?
• Where is it happening? Why is it happening there?
• When was it done? Why was it done then?
• Who did it? Why was it done by that person?
• How was it done? Why was it done that way?

There also needs to be a method behind your sampling of records. So, discuss the process and pick some records along the way. This is the best option when the process is simple, and records are few. If, on the other hand, the process is complex and there are many documents, start with random selection of records and then discuss the process based on the records.

Audit Reporting and Follow-Up

The outcome of the audit needs to be documented. The contents of the report need to include a factual description of the audit activities it covers and provide a fair and accurate picture of the quality system audited. Jonathan also recommends including a discussion about the planning and sampling methodology.

The audit report summary should contain:

1. Title/Report Number/Traceable,
2. Observations and recommendations (though make sure they are identified as such),
3. Deviations and non-conformances (make sure you’re clear here so they can complete a root cause analysis),
4. Auditor activity commends/concerns,
5. Next steps

Closing Meeting

This is where you’re going to establish next steps and present the outcome of the audit. Jonathan recommends to avoid delivering surprises during a closing meeting. You should try to communicate any potential issues early on so no one is surprised. Set the expectations as you go.

Next Steps

You need to address the corrective actions that are required. This involves:

• Root Cause analysis,
• Determine a range of suitable solutions,
• Implement and record it,
• Monitor it for effectiveness.

Audit Follow-Up

Once the audit report has been approved, the audit team’s responsibilities are completed. From there, corrective actions are initiated for all non-conformances (deficiencies) identified in the intern audit report. The follow=up activities and effectiveness of corrective action is later verified at the direction of the Quality manager.

In preparation for the company’s next internal audit, the following should be considered for placement on the audit schedule for the next internal audit:

• Any area with questions arising from the last audit,
• Any area that had deficiencies identified,
• And any areas not fully evaluated.

Summary

Internal audits are compliance based and all deficiencies must directly relate to the relevant standard, method, etc and they must be supported by objective evidence.

Be sure to plan and prepare for the internal audit and use the right people for the job.

You also need to record audit finding and follow up on issues.

Like I said before, this blog was only meant to serve as a general overview of the webinar but to get all the great information Jonathan shared with us, you need to watch the full webinar here! In the webinar, you will have access to Jonathan’s presentation, a brief demo of Qualtrax, and an in-depth Q&A session with your industry peers. If you’re interested in A2LA’s training information, you can visit their website here.

Categories: Audits, Compliance Management, Quality Managers

Back to Blog