They Just Told Me I’m Going to Be the New Internal Auditor – YIKES!

You have worked for your company for just over a year, and you arrive on a Wednesday morning to an email from the Director of Quality advising you that you will become the company’s internal auditor, and that you will be taking an online internal auditing course in a week or two.

You look around your office and you can’t imagine how you’re going to free up any additional time beyond your current job responsibilities. You ask yourself: What is an internal auditor, exactly? How much time will this take on top of my already overloaded schedule? How important is this role, and will it cause conflict in my daily work life?

If this story sounds familiar, then this article is for you. I will try to outline the role of an internal auditor, share some helpful definitions, and offer practical hints from my own experience.

Why Do We Perform Internal Audits?

The first question most people ask is: How much time will I have to spend on internal auditing? That really depends on the size of your organization, the number of processes involved, and how many internal auditors are on your team. Internal audits are typically performed periodically based on a yearly schedule. However, in my opinion, many companies perform internal audits solely to satisfy their ISO 9001:2015 or AS9100 requirements, and in doing so, they often miss the whole point of what internal audits are meant to accomplish.

So why do we perform internal audits in the first place, beyond the fact that ISO 9001:2015 requires them? Internal audits are a valuable source of information on:

  • The effectiveness of the management system
  • The effectiveness of training
  • Whether personnel are following established procedures
  • Opportunities to improve processes and/or the quality system
  • Whether quality policies are understood throughout the organization
  • The effectiveness of the quality system in meeting organizational objectives
  • The relationship between quality and cost. In other words, whether the cost of quality is effectively delivering a product or service in accordance with quality objectives

To put it in a single sentence: a quality audit, or internal audit, is a systematic and independent examination to determine whether quality and operational activities, and their results, comply with planned arrangements, and whether those arrangements are effectively implemented and suitable to achieve objectives.

That certainly sounds like a mouthful, even to me. So let’s start at the beginning with some key definitions.

Key Definitions

  • Auditor: A person who has the qualifications to perform audits.
  • Auditee: An organization or part of an organization, such as a process or department, that is being audited.
  • Client: A person or organization requesting the audit. If your company is requesting the internal audit, then your company is both the client and the auditee. If your customer sends someone in to audit your company, then the customer is the client. If an independent agency requests an audit, they are the client. In other words, an internal audit involves a first-party client, a customer audit involves a second-party client, and an ISO registrar audit involves a third-party client.
  • Quality Evidence: Qualitative or quantitative information or records pertaining to the quality of an item or service, or to the existence and implementation of a quality system element, based on observation, measurement, or tests that can be verified.
  • Observation: A statement of fact, made during an audit and substantiated by objective evidence.

Audit Team Structure

An internal audit team normally consists of a lead auditor and, in larger organizations, a group of auditors. In smaller organizations, there is often only one auditor, who serves as both the lead auditor and the sole auditor. Regardless of team size, the lead auditor is placed in overall charge of the audit.

The audit team may be made up of internal auditors, but it can also include personnel with specialized backgrounds or even observers. One practice that is not discussed often enough is bringing in external expertise to support your internal audit team when auditing specific processes. For example, if I were auditing the heat treating process in my organization, I could contact the manufacturer of my heating furnace and ask if they could send a representative to participate in our internal audit of that process. By doing so, we would be bringing external expertise directly into the audit with the intention of discovering opportunities for improvement. I cannot stress this enough: although we often think of an internal audit as a pass/fail scenario, discovering opportunities for improvement is equally, if not more, important.

Understanding Auditor Independence

An auditor should be independent, and that independence should be respected by the auditee.

Auditor independence does not mean that an auditor cannot audit their own department or the processes they oversee. In fact, having the operations manager as part of your audit team when auditing operational processes is invaluable, since the operations manager is likely the most qualified person to understand those processes. So what does independence actually mean? It means that you cannot audit a job function that you personally perform. Therefore, if the operations manager is responsible for reviewing inventory reports and approving purchases, that particular process could not be audited by the operations manager. However, all other aspects of operations that the manager does not personally perform could be audited by them, and they would be a valuable team member in such an audit.

Knowing Your Standards and Procedures

As an internal auditor, you will be expected to understand the standards and procedures you are auditing against. If you are not yet an expert in ISO 9001:2015 or AS9100D, your organization will almost certainly provide training on those subjects. It is important to read the standards, and equally important to read your own organization’s procedures and work instructions, as these will show you how your company complies with the requirements. If you have taken an ISO 9001:2015 course at a previous employer, keep in mind that your new company is not required to follow the same procedures to achieve compliance. Every organization implements the standard in its own way.

Auditor Responsibilities

As an auditor, your responsibilities include:

  • Communicating and clarifying audit requirements
  • Planning and carrying out assigned responsibilities
  • Documenting observations
  • Reporting audit results
  • Verifying the effectiveness of corrective actions taken as a result of the audit
  • Retaining and safeguarding audit-related documents
  • Treating privileged information with discretion

Documenting observations is the most important part, and the tone and wording of your observations can determine whether the internal audit is received positively or negatively by the organization. You can be perceived as a team player trying to help, or as an inspector trying to reject.

The lead auditor has the following additional responsibilities:

  • Overall responsibility for all phases of the audit
  • Assisting with the selection of other audit team members
  • Preparation of the audit plan
  • Representing the audit team with the auditee’s management
  • Submitting the audit report

I have two favourites here. I love choosing the internal audit team, and I would often go out of my way to bring in experts. Let’s face it, the suppliers of products and services have many resources, and all it takes is an email requesting help for them to be at your doorstep, ready and willing. Why not use that expertise? My second favourite was representing the audit results to the management team. This was the most challenging part, and it was an opportunity to present the results of the audit in a positive manner while acquiring the resources necessary to make improvements throughout.

Maintaining Objectivity: Changing Your Hat

As an internal auditor, there are some things you should always keep in mind. First, it is important to remain within the scope of the audit. If the audit plan is to audit the receiving department, resist the temptation to wander into other processes, even if observations in receiving seem to point elsewhere. If that happens, it is better to plan a separate audit of those other departments at a future date.

It is also important to exercise objectivity. This can be difficult because of personal relationships and company dynamics. Here is a technique I use personally: before I begin an internal audit, I step outside the building, into the parking lot or the front entrance, take a deep breath, and mentally remove my “worker” hat. I replace it with my “internal auditor” hat. When I walk back in, I am walking in as an independent internal auditor, free from company gossip and personal feelings about people or processes.

The auditor must also collect and analyze evidence that is relevant and sufficient to support their observations and conclusions. We will discuss the methods for achieving this later in the article.

Finally, I feel I should not have to mention this, but the internal auditor should at all times act in an ethical manner.

Auditee Responsibilities

While we often focus on the auditor’s role, the auditee and their management also have responsibilities during an internal audit. These include:

  • Informing all relevant employees about the objectives and scope of the audit
  • Appointing responsible staff members to accompany the audit team
  • Providing all resources needed by the audit team
  • Providing proper access to facilities and processes
  • Cooperating with the auditors
  • Helping to determine initial corrective actions based on audit observations

No one really teaches auditees about their responsibilities, yet they are genuinely accountable for the above. For example, how many times have I planned an audit for a process, only to be told upon arriving that this particular process is only performed on Tuesdays, and we are there on a Thursday? It would have been nice to know this when we scheduled the audit with the auditee.

Internal Auditors Are Not the Quality Police

Many people think of internal auditors as the “quality police” working for management. Nothing could be further from the truth. Let me share a story from when I was implementing an ISO 9001 system at one of my clients.

There was a gentleman nearing retirement who was responsible for one of the organization’s processes. Despite multiple training sessions and being provided with the relevant procedures and work instructions, he was still very confused. He told me candidly that he genuinely wanted to participate in the ISO 9001 project but did not know what he needed to do within his department to comply with all of the requirements.

I told him: “Invite your internal auditor and ask them to perform an audit of your department.” He looked at me in shock and said, “Why would I do that? I haven’t really done anything yet!” I looked at him and said, “Exactly, that’s the point. Your internal auditors are on your team. If they come in and audit your department, they will outline everything that needs to be done to comply with the procedures and work instructions. At the end of the audit, it will essentially be a to-do list for you, clear and actionable, so you can address the issues one by one. You will also have the opportunity to ask questions about any findings you do not fully understand, and during that discussion, other opportunities for improvement may arise.”

Understanding that internal auditors are part of the team and are there to help is the best approach anyone can take.

The Audit Plan

Example internal audit plan showing scheduled process audits, assigned auditors, dates, and audit durations.

The lead auditor is responsible for creating the audit plan. The audit plan should include:

  • The audit scope and objectives
  • Identification of who is responsible for the area being audited
  • Reference documentation
  • Audit team members
  • The planned date and location of the internal audit
  • The expected time and duration of each process audit
  • The schedule of opening and closing meetings
  • The audit report distribution list
  • Any logistical considerations, such as required safety equipment
  • All organizational units to be audited

The audit plan can change. In fact, it can change from the time it was issued right up to a few days before the audit. Why would it change? Consider a major failure or problem addressed in a corrective action or customer complaint that relates to the processes you are about to audit. In that case, you may want to add those issues to your audit plan and ensure they were addressed effectively.

Audit Scheduling: A Risk-Based Approach

Annual internal audit schedule matrix used to plan process audits across the calendar year.

I am a strong advocate for auditing by process rather than by quality element. Auditing by process means staying within one process, auditing it from beginning to end, and incorporating all applicable quality elements within it, rather than jumping from department to department examining one quality element at a time.

Typically, you would plan to audit each process in your organization at least once per year. However, the audit schedule should evolve based on findings. For example, if a process yields many opportunities for improvement, corrective actions, or training issues, you may want to increase that process’s audit frequency to twice per year. Conversely, if a simple process has been performed by the same experienced person for years and everything is consistently in order, you might reasonably schedule it once every two years.

Most organizations schedule audits once per year to satisfy their ISO 9001:2015 requirements. In my opinion, that is not the best approach. Adjusting the audit schedule based on findings is far more effective in achieving the true objectives of internal auditing.

Furthermore, ISO 9001:2015 places considerable emphasis on risk-based thinking and planning, which aligns well with moving away from a fixed yearly audit schedule and toward one based on risk factors. If your organization has a risk management program, the outputs of that program should inform how you schedule your internal audits. If you do not have a formal risk management system, then your internal audits and audit schedules can serve as one of your primary methods of identifying and addressing risk. In that case, pay special attention to the risk-related sections of each process questionnaire when determining your audit frequency.

The Audit Questionnaire: Auditing by Process

Today, many auditors use software to conduct audits, while others prefer paper. In either case, an audit plan or questionnaire typically lists the items to be verified. The traditional approach is to list all procedure requirements with a yes/no conformance checkbox beside each item. However, I believe auditing by process yields far greater insight and a much better opportunity to identify improvement opportunities.

When auditing by process, our questions are more open-ended and follow the flow of the process. Here are examples of the types of questions I use:

  • Are there procedures, work instructions, or flowcharts that define this process? If yes, how do you access them, and how do you know if they are current?
  • What are the inputs to your process? What exactly do you need in order to start your job?
  • Show me how this process is performed.
  • What are the outputs of the process? Are records maintained and legible? Is data collected to measure process performance?
  • How is the performance of this process measured? How do you know when it is performing well or poorly?
  • What are the risks associated with this process, and how do you mitigate them?
  • How do other departments affect this process?
  • If something goes wrong in the process, what actions are taken? If there is a nonconformance, is it clearly identified and is data collected?
  • Are there tools or equipment used in this process? Do they require calibration or preventive maintenance? Are those records current and readily available?
  • Interview employees performing the process to gain their perspective on improvement opportunities, preventive actions, or potential risks they are aware of.
  • Are employees performing this process trained and competent? Are training records available and current?

You will notice that these questions require the auditor to first read about the process before performing the audit. They allow the auditor to cover all applicable quality elements within a single process from beginning to end, without artificially separating them by department. Personally, my favourite is number six, because ISO talks about risk and this is a real opportunity to evaluate the risk within the process you are auditing.

Opening and Closing Meetings

Many auditors hold an opening meeting when they audit a process or department. Depending on the size of the organization and the formality of management, this meeting can be as brief as a minute or two, or it can be a formal sit-down session prior to the audit. The purpose of the opening meeting is to:

  • Introduce the members of the audit team
  • Review the scope and objectives of the audit
  • Provide a summary of the auditing methods to be used
  • Establish communication between the audit team and the auditee
  • Confirm that all necessary resources and facilities are available
  • Confirm the date and time of the closing meeting and any interim check-ins during the audit
  • Answer any questions the auditee may have

If there is an opening meeting, there should also be a closing meeting. The closing meeting should:

  • Be held at the end of the audit, prior to preparation of the audit report
  • Include the audit team, the auditee’s management, and the responsible functions that were audited
  • Present audit observations to auditee management clearly so that they fully understand the results
  • Be documented, with records maintained

When using QMS software, it is often possible to review findings and agree on corrective actions in real time during the audit itself. In that case, the closing meeting simply serves as a summary review of everything agreed upon during the audit.

Audit Observations and Follow-Up Actions

Observations or findings from an audit must be addressed and followed up with actions and verification. Most standards require timely action to address findings. Opportunities for improvement, of course, are items that management can decide to act on immediately or defer to a later date.

When I refer to “actions,” I do not necessarily mean you must issue a formal nonconformity report followed by a corrective action. If you have another system for ensuring that actions are issued, tracked, and followed up on, that is perfectly acceptable. QMS software often handles this directly within the audit process. Alternatively, a simple spreadsheet reviewed at the closing meeting with all parties present can serve the same purpose. There is no requirement in ISO 9001:2015 that audit findings must be processed through your NCR or corrective action process. You may establish a separate action system if you choose.

Whichever system you use, actions must be completed within an agreed timeframe and must be verified to confirm they are effective at eliminating the observation or finding.

I like to work with three or four types of audit observations, each with different action requirements:

  • Corrective Action: Requires root cause analysis, containment, and corrective and preventive actions.
  • Simple Action: The action is executed and verified. No full root cause process required.
  • Opportunity for Improvement: Typically discussed at a management review meeting and may or may not be implemented.
  • Industry-Specific Finding: Depending on your industry, you may define a fourth category suited to your context.

Traits of an Effective Auditor

The audit should always result in improvement. Organizations that perform internal audits simply by checking boxes once a year to maintain their ISO 9001:2015 certification are genuinely missing the point, and missing an opportunity for continual improvement. If that is all you are doing, it is costing your company money with no return on the investment.

An effective auditor should embody the following traits, all of which relate to putting on that internal auditor hat:

  • Diplomatic
  • Professional
  • Articulate
  • Judicious
  • Communicative
  • Honest
  • Unbiased
  • Understanding
  • Observant
  • Impartial
  • Thick-skinned (yes, this is often a very necessary trait to have)

My favourites are Understanding and Honest. Being honest with no ulterior motives, answering all concerns of the auditee, and understanding the challenges they face while performing their process is key, in my experience.

An auditor should always act and react thoughtfully. Some practical behaviours that support this include:

  • Remain open-minded and set aside company gossip. This is really important and often difficult to do. Remember: go outside and change your hat.
  • Use the “show me” approach. Rather than taking someone’s word for it, ask to see the evidence.
  • Be realistic. Try to walk in the other person’s shoes. Imagine doing that job with their current workload, stresses, and demands. Understanding the auditee’s role within the organization is critical.
  • Remain mature and do not react to pressure.
  • Be a good listener. Quietness and attentive listening often encourage the auditee to expand on their answers. If you jump in with the next question immediately after they give a short answer, you will only ever get short answers.
  • Do not yield to influence. Avoid the temptation to shape your report to meet management’s expectations rather than reporting objective evidence.
  • Avoid distractions during the audit.

Communication Skills for Auditors

An auditor should have communication skills that allow them to convert an idea, instruction, or question into words that the auditee will actually understand. For example, instead of asking someone in the receiving department, “What is the input to your process?” consider asking, “How do you start your job, and how do you know when to start it?”

It is also important to avoid communication barriers, which can be created by a poor choice of words, personal bias, outside distractions, a lack of interest, and more. When communicating during the audit, always keep in mind who you are speaking with and tailor your message accordingly.

Common Auditee Responses to Watch For

Over the course of my auditing career, I have heard the same responses repeatedly from auditees. In fact, many of these responses are signals that you should spend more time in that department and look more carefully for opportunities for improvement. Here are my favourite auditee responses:

  • “Oh yes, we tried that before, but…”
  • “You know, our place is different…”
  • “That’s a great suggestion, but it would definitely cost too much…”
  • “Oh, that’s beyond my responsibility…”
  • “That’s not my job…”
  • “We don’t have time for that…”
  • “We’ve never done it before…”
  • “You’re right… But…”
  • “Not that again…”
  • “Do you know how much trouble it would be to change that?”

My favourite is “Oh yes, we tried that before, but…” I am sure the list could be much longer, but these are the ones that come to mind most readily.

Interviewing Techniques During the Audit

When performing the audit, there are several interviewing techniques I find particularly effective:

  • The Basic: “Show me how…”, “What is…”, “Where is…”
  • Systemic Questioning: Ask questions that follow the natural sequence of the work. Be logical and avoid jumping back and forth through the process.
  • Hypothesis / What If: For example: “What if a glass ceiling light broke and fell into the product? What would you do?”
  • Silence: This is a powerful technique. If you ask a question and receive a short answer, resist the urge to immediately ask another question. Stay silent. Auditees often feel obligated to fill the silence and will expand on their answer significantly.
  • Always ask the obvious question. Do not assume the answer is known.

Maintaining Notes and Objective Evidence

During the audit, you must maintain notes and collect objective evidence. If you are using a QMS auditing system, you will typically have the ability to capture speech-to-text notes and photograph objective evidence directly with your tablet or phone. If you are not using QMS software, you need to keep written documentation to support your observations. Record the names of the people you spoke with, the document numbers of any documents you reviewed, and photographs of any equipment found to be inadequate or in need of repair.

Virtual Audits

Generally, if you work for a smaller company operating from a single location, virtual internal audits are not applicable. However, if you are part of a larger organization with multiple locations, some organizations choose to save travel time and expense by performing audits virtually using Microsoft Teams, Zoom, or similar video conferencing platforms.

The audit requirements and overall process remain very similar when conducting virtual audits. The key difference is that the auditee will have more work to do in supplying objective evidence, such as documents, log reports, forms, and photographs or screen-shared views of a process, since the auditor cannot physically walk through the facility.

Having lived through COVID, I performed my share of virtual audits, and I have to say I am not really a fan. Without walking through a process, observing it firsthand, and speaking directly with the team members performing the work in real time, it becomes very difficult to identify opportunities for improvement.

The Audit Report

Example process audit report used for internal auditing, evidence collection, findings, and continual improvement activities.

The internal audit report is normally a formal document that contains the questionnaire and records all objective evidence captured for each question. For example, when documenting the section where we examine the inputs to a process, we would want to record objective evidence such as: “After speaking with Johnny, it was confirmed that he initiates the receiving process when the truck driver arrives with a delivery, an approved bill of lading stamped by our customer service department, and a security badge issued at the security gate. He explained clearly that if the bill of lading is not stamped by customer service, or if the driver does not have a security badge, the driver is directed to report to customer service immediately.”

When reviewing documentation, and depending on how critical the process is, you may want to take photocopies or photographs of relevant documents. However, be certain that it is acceptable to photograph company documents with your personal device, since your camera leaves the building with you. Other objective evidence that could form part of your report includes photographs of equipment or facility conditions observed during the audit.

The audit report is typically a single document, and it is often stored online, on a shared server, or within your QMS software. In most cases, the report is distributed to all interested parties, including the auditee and all participants in the management review meeting.

I always prefer to open an audit report on a positive note. For example: “I reviewed the receiving department and found it to be well organized and very clean. However, we did identify some opportunities for improvement during the audit, which have been documented and assigned to Johnny for follow-up within the next one to two weeks.” The observations can then be listed in order of priority, clearly and concisely.

Conclusion: Reporting to Executive Management

Once you have completed the internal audit and defined all actions, corrective actions, and opportunities for improvement, these should be compiled into an internal audit report and summarized for the management review meeting.

This is the most important part of the entire process. It is our responsibility as internal auditors, and especially as the lead auditor, to clearly communicate the results of the internal audit to executive management so that they can make informed decisions on how to proceed. Audit results often require decisions involving budget, personnel changes, document revisions, or equipment purchases and repairs, all of which require executive input and approval.

Internal auditing, done well, is one of the most powerful tools an organization has for achieving continual improvement. The goal is not to check boxes. It is to help the organization grow.

So I will leave you with this: it’s not YIKES. It’s more of a slow, calm, systematic approach to becoming part of an Improvement Team for your organization. I always enjoyed being an internal auditor because it gave me the opportunity to learn more about the processes within the organization, and it was always a personal challenge, and very rewarding, to find real opportunities for improvement. I mostly looked for the elephants in the room.


About the Author

Peter Sanderson is the founder of TQMS Inc. and creator of CIS Software. With over 30 years of experience in ISO 9001 and quality management systems, he specializes in helping organizations implement practical, results-driven continuous improvement processes. His work has been featured in Quality Magazine, Quality Digest, and IWLA publications.
