Auditing – in its simplest of definitions – is a method to verify a process, product, or service is operating in compliance with a set of requirements. These requirements are defined internally in procedures, by customers as flowed down in a contract or purchase order, and/or by some type of regulatory agency or statute/law. If your organization has a certified quality management system (ex ISO9001, AS9100, IS13485, IATF 19494, etc.) you are required to perform internal audits. 

Audits are integral to a quality management system (QMS) as they provide feedback to management on the compliance of products and processes as well as improvements to the QMS itself. Audits are a way to verify compliance with requirements, and they can also be used to identify opportunities for improvement within the process itself. In addition, audits can and should be used to verify the effectiveness of corrective actions that have been implemented; whether those corrective actions are product, process, or service related or whether the corrective actions were initiated internally or requested by an external entity (customer, third party auditor, etc.).  

So, you’ve been assigned to perform an audit by your manager as part of the internal audit process within your organization.  How do you start?  

Before we start the audit process, let’s feel comfortable that you have some understanding of the audit process. Review your organization’s procedure related to audits and look for any information on auditor qualifications. Being a qualified auditor could include some type of training (OJT, shadowing a qualified auditor, external training). There are many books available and training from many organizations on how to audit. Consider acquiring ISO19011, Guidelines for auditing management systems. This is an international standard that provides guidance for auditing a quality management system. This standard provides information for developing an audit program, qualifying auditors, and conducting audits. Once you feel you understand the audit process and methods, let’s start! 

The audit process has three phases: preparation, performing, reporting.  

Each phase is important to ensure your audit efforts are effective in determining compliance of a product, process or service to specified requirements and the audit itself is compliant with internal procedures. 

Preparation 

Preparing for an audit includes more than just arranging a time with the auditee. It involves some research; here are a few items to research and review as you prepare for an audit:  

• Procedures related to the function/process/department you will be auditing 
  • Note the timing of any major changes to the procedures within the last year as this will help you in the performance part of the audit 
• Previous year internal audit reports and the audit plan 
• External audit reports received within the last year related to the function/process/department you will be auditing  
• Any corrective actions issued during the last year from internal and external sources (customers, external agencies, certification audits) 

Once you’ve reviewed the related documents, you can start to develop the audit plan. An audit plan should include an audit scope. The audit scope defines the focus of the audit and the requirements to be verified during the audit. Defining the audit’s scope helps you and the auditee stay on track and focused to ensure the identified process requirements are assessed. 

 The audit plan should: 

• Include an opening meeting to review the audit plan with the area management 
• Identify what personnel in what areas you would need to interview during this audit. 
• Integrate the applicable requirements into the audit plan so both you and the auditee are aware of the requirements to be assessed in that portion of the audit.  
• A verification of effectiveness for corrective actions issued in the previous audits (internal and external). This is particularly relevant to an organization that has a certified QMS. 
• Include a closing meeting that reviews the results of the audit with the auditee/process owner including potential noncompliances identified along with any opportunities for improvement. 

Next in the preparation phase is the assembly of some type of checklist to be used to capture the information gathered and note whether the process reviewed is in compliance with the noted requirements or not (potential noncompliance). A checklist can include questions relevant to both the process and the process requirements. Having a checklist is a good way to ensure you cover all the requirements relevant to that process.  

With the audit plan and checklist in hand, let’s start this audit. 

Performing 

Performing the audit is not intended to be just a review of the procedures for compliance. This is the opportunity to connect with those that perform the actions defined in those procedures to assess their understanding of the process as well as any consequences when issues arise. Interviews and observations are key tools in an auditor’s toolbox.  

During the audit the goal is to collect evidence to demonstrate compliance or noncompliance. Evidence can be records, databases, demonstrations, interviews, etc. Using the checklist you assembled in the preparation phase, you can record the evidence gathered during the audit. It is highly recommended to document what evidence was reviewed (procedure/document #s and revisions, completed forms, sale orders, purchase orders, etc.). The audit report and the associated checklists are the evidence the audit was conducted, and the evidence supports potential noncompliance and audit conclusions.  

There is a saying that ‘three data points are a trend.’ When performing an audit, it is recommended to collect a minimum of three items of evidence for each requirement being assessed. Consider gathering evidence from the current activities as well as from a few months ago. This provides insight into the consistency and compliance of the process over time. Be aware, if there was any substantial change in the process or procedure since the last audit, collect evidence after the change was implemented; evidence prior to the change would be considered obsolete as the process change may no longer produce the same type of evidence. 

In the event you note a potential noncompliance during the audit, it is best to confer with the process owner to ensure you haven’t misinterpreted the process or procedure. There may be evidence of compliance that you may not have seen or been aware of during your reviews. It is important to connect any potential nonconformity to a specific requirement defined in the scope of the audit: procedure, customer requirements, other external requirements. Without a direct connection to a requirement that is not being met, there is no noncompliance, and it could be an opportunity for improvement. 

Reporting 

You’ve completed the audit: observations made, interviews completed, records reviewed, etc. Congrats! Now it’s time for the ‘paperwork’ – the audit report – can’t complete an audit without it. Most organizations have an audit report template. If there isn’t one defined, do an internet search to get some inspiration. The goal is to find a format to convey the audit results, including noncompliances, opportunities for improvement and a general summary of the audit as it’s presently performing. Audit reports typically include an overall summary of process compliance, noting identified noncompliances and the associated corrective action numbers. Strengths or positive practices can be noted in the audit report. Auditees are very interested in any positive feedback.