Clause 9.2 of ISO 9001, ISO 14001, ISO 45001 & ISO 27001: Why do Internal Audits?
Are you unsure why you should conduct regular Management Systems internal audits in your business?
Have you achieved one or more ISO Certifications, and don’t understand the value of these internal audits?
First and foremost, internal audits are a prerequisite for maintaining ISO Certification. But there’s more – internal audits are an excellent way to improve efficiency, identify operational gaps, and minimise risks within your business operations.
Internal audits are conducted not only to identify human errors but also to highlight areas of improvement that can enhance business performance. Internal audits check and ensure that the business policies and procedures are followed, and alert top management to any gaps in policy implementation. They also reveal if the business is conforming to its own management systems, the requirements of ISO standards, and if the management system has been effectively implemented and maintained.
Why are internal audits important?
Internal audits will continue to be a vital risk-based tool for providing assurance as risks within the business change, ensuring controls are in place and areas of improvement are identified.
Let’s look at the main reasons why we should conduct internal audits:
1. Improve Operational Efficiency and Performance
Internal audits validate whether your business processes reflect your documented policies and procedures, so you can be certain that the systems in place are appropriate for minimising or eliminating the risks. Furthermore, if these processes are routinely monitored, inefficiencies or time lost on unnecessary paperwork and other organisational defects can be easily detected, resulting in improved performance.
2. Assessment of Organisation Controls
This is one of the most important reasons to conduct internal audits. It allows you to evaluate the internal controls for performance and organisational effectiveness, while at the same time enhancing the control environment in your organisation. The main evaluation conducted is to see if the controls are serving their function and are appropriate for risk reduction.
3. Meet Legal Compliance Requirements
Internal audits not only offer peace of mind but ensure that your business is in compliance with applicable industry requirements, legislation and standards.
Non-compliance to government regulations or industry requirements could result in fines and other legal actions.
4. Ensure Objectivity
An internal audit provides an impartial view of how effective the internal controls are, whether it’s for the entire business or just a few departments within the business. If your business doesn’t want to hire an independent audit team, cross-train employees to audit each other’s departments. It’s important that a system or department be audited by an independent and competent person – this should be someone who is not involved in the implementation of the management system or running of the department.
5. Risk Mitigation & Asset Protection
Internal audits will assist your management team to identify and prioritise risks, and formulate ways of eliminating or minimising them. Most of these resolutions also protect the business assets.
6. ISO Management Standards Requirement – Clause 9.2 – Internal Audit
It’s a requirement of Clause 9.2 of the ISO management standards (e.g. ISO 9001:2015 for Quality Management, ISO 45001:2018 for Safety Management, ISO 14001:2015 for Environmental Management and ISO 27001:2013 for Information Security Management) to conduct regular internal audits, and at least one internal audit before having a third party/external ISO Certification audit conducted.
Once an internal audit has been conducted, it should be documented in an internal audit report and kept for future reference purposes.
Please note that internal audits do not result in issue of certifications, as ISO Certifications are only issued by Conformity Assessment Bodies (CABs), the organisations authorised to conduct the External Audits (also known as third party or ISO Certification Audits).
Conducting the internal audit
Now that you have an idea of why we conduct internal audits, it’s important to understand the process of conducting internal audits.
Internal audits can be conducted by external consultants, like ISO Certification Experts, or by the business employees trained to conduct internal audits.
As required by the ISO 19011:2018 Guidelines for auditing management systems standard, an internal auditor should be competent to conduct internal audits, which means they should have the following:
ISO 19011 also talks about the Personal traits of a good auditor including being:
- Ethical, i.e. fair, truthful, honest and discreet.
- Open-minded, i.e. willing to consider alternative ideas or points of view.
- Observant, i.e. actively observing physical surroundings and activities.
- Perceptive, i.e. aware of and able to understand situations.
- Versatile, i.e. able to readily adapt to different situations.
- A good communicator.
Internal Auditors should also adhere to the following auditing principles from ISO 19011:
Here are the main steps for conducting internal audits:
Where to from here?
Hopefully this article has shed some light on the importance of conducting internal audits for any business. Please don’t hesitate to contact us if you have any further questions.
We are aware that planning and conducting internal audits periodically can be challenging, especially if the business doesn’t have a committed or competent team of auditors. At ISO Certification Experts, we are qualified and experienced consultants, and can help you conduct your internal audits on your behalf to guarantee it will be effective and cover all the requirements.
About the author
Aqueline is a Consultant with a background in process engineering and food safety management. She develops customised management systems for our clients, to meet the certification-readiness requirements of ISO 9001, ISO 14001, ISO 45001 and ISO 27001.
All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ISO Certification Experts and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.
We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.