A Guide to Effective Internal Management System Audits

A Guide to Effective Internal Management System Audits: Implementing internal audits as a risk management tool

ANDREW W. NICHOLS
Copyright Date: 2014
Published by: IT Governance Publishing
Pages: 122
https://www.jstor.org/stable/j.ctt7zsxp7
    Book Description:

    Are your internal audits adding value?

    Organizations hoping to comply with any of the International Standards for management systems (e.g. ISO9001, ISO27001) must carry out internal audits. However, the requirements set down by accreditation bodies for auditor courses make little distinction between internal and external audit programs. As a result, many organizations instruct their internal auditors using resources designed for external auditors. Such internal audit programs often fail to develop beyond simple compliance monitoring, and risk becoming 'box-ticking' exercises, adding little value to the organization.

    Transform your internal audits and improve your systems

    A Guide to Effective Internal Management System Audits provides a model for the management and implementation of internal audits that moves beyond simple compliance to ISO requirements and turns the internal audit into a transformational tool that the organization can use to assist with the management of risk, and implement improvements to management systems.

    This book shows you how you can transform your internal auditing process to become a tool for development and continual improvement in your management systems.

    Start adding value to your internal auditing program.

    eISBN: 978-1-84928-560-5
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
  2. FOREWORD
    (pp. 5-8)

    The word “audit” comes from the Latin audītus meaning the act of hearing. A benign definition, so it’s strange then, that the idea of an audit is often viewed negatively by people. Typically, this comes from the spectre of an income tax audit or those performed by a regulatory agency, which is common in the food, pharmaceutical, and health and safety industries.

    Since the early 1960s, it has become more and more common for purchasers to audit their supply chain, sometimes with terrible results! For example, the UK’s Ministry of Defence had ordered a maritime attack and patrol...

  3. PREFACE
    (pp. 9-11)
  4. ABOUT THE AUTHOR
    (pp. 12-13)
  5. ACKNOWLEDGEMENTS
    (pp. 14-15)
  6. Table of Contents
    (pp. 16-16)
  7. INTRODUCTION
    (pp. 17-18)

    Internal audits are required to be performed by any organization wishing to comply with any of the international standards for management systems, for example ISO9001, ISO14001, ISO13485, ISO27001 and so on. Although certification of organizations to these management systems standards has been available for nearly 25 years, the requirements were written to be implemented without the need for external certification audits. If internal audits are not used to “prepare” an organization for the audits of a Certification Body, why are they (universally) required by these standards?

    Today, most organizations wishing to implement an ISO standards-based management system often utilize available...

  8. CHAPTER 1: MANAGEMENT SYSTEMS AUDITS – A BACKGROUND
    (pp. 19-26)

    Auditing of organizations has been a regular occurrence in various industries for many years. Before the advent of the most commonly known international standards for management systems, major procurement organizations and regulatory agencies were auditing throughout the supply chain as a means to evaluate those suppliers involved.

    For the purposes of this guide, it is worth beginning by defining what an audit is, in the context of a management system requirement such as ISO9001, ISO14001 and so on. In some industries, the term audit and inspection (Quality control activities) are used interchangeably.

    In the context of a management system internal...

  9. CHAPTER 2: THE ROLE OF ISO19011
    (pp. 27-29)

    In 1991, three years after ISO9001 was published, a guidance document was released by the International Standards Organization on the subject of quality management systems auditing, ISO10011. This was subsequently withdrawn and replaced, in 2002, by ISO19011, “Guidelines for quality and/or environmental management systems auditing.”

    The current version of ISO19011 has been tailored to be more suitable for internal audits of management systems since the arrival of ISO/IEC 17021 – “Conformity assessment – Requirements for bodies providing audit and certification of management systems” – has reduced the need for all three basic types of audit (internal, supply chain, and certification body) to be...

  10. CHAPTER 3: THE INTERNAL AUDIT PROCESS
    (pp. 30-66)

    The requirements for internal management systems audits specified in a number of ISO standards are based heavily on those originally contained in ISO9001. A review of standards as diverse as ISO13485 for medical device manufacturers Quality Management System, and ISO/IEC 17025 for testing/calibration laboratories, to ISO22301 for Business Continuity Management, shows that the requirements for internal audits are substantially similar to the basics in ISO9001, 8.2.2.

    Internal audits may be effectively managed as a process according to Dr. Shewhart’s “Plan, Do, Check, Act” cycle. A diagram of the process might look like this: In the early period of the implementation...

  11. CHAPTER 4: THIRD-PARTY CERTIFICATION OF MANAGEMENT SYSTEMS
    (pp. 67-91)

    Although the primary focus of this book is that of internal management systems audits, many organizations that implement the requirements of one or more of the international ISO standards often also choose to be certified by a so-called “third party.” To enable some comparison and, therefore, to be able to contrast audit styles, this chapter is included and describes the background to the development of “third-party certification of management systems,” or what’s more commonly known as “ISO certification.” This term is, in fact, somewhat misleading since the ISO organization doesn’t involve itself in any aspect of the certification process.

    Although...

  12. CHAPTER 5: INTERNAL AUDITOR COMPETENCIES
    (pp. 92-93)

    For any internal management system audit program to be effective, it is of vital importance to have competent people managing, performing, and reporting them. ISO19011 goes into some depth of detail to list a number of attributes of auditors, which may, indeed, be desirable; however, in many internal audit programs, a number of key requirements for auditors are often overlooked.

    This famous saying, often attributed as coming from the military forces, should be taken at face value when considering who should perform internal management systems audits. There are many reasons why anyone who would volunteer, often when they have no...

  13. CHAPTER 6: USING THE RESULTS OF INTERNAL AUDITS
    (pp. 94-95)

    If we are to consider much of the management process (required by the various ISO management system standards) as a network of interacting processes, it follows that the output of the internal audit process becomes an input to the management review of the system.

    Since a management system internal audit is, by its nature, performed on the organization by its own personnel, there are four likely situations to report to management, within the associated requirement for the “management review.” In the following scenarios, the internal audits are used as an independent “validation” for management, who are each reporting on the...

  14. CHAPTER 7: RISK BASED INTERNAL AUDIT CASE STUDIES
    (pp. 96-100)

    The following case studies give examples where an internal audit was focused on ensuring resolution of a situation that put the organization at risk, by focusing not simply on compliance to documents, but by looking to process performance, cause/effect, and the “sequence and interactions” of the processes of a management system.

    An internal audit was conducted in a large and well-established manufacturer of industrial machinery. The organization had been certified to ISO9001 since the early 1990s. The focus of the audit was the processing of product non-conformity reports in the metal parts fabrication department. This department made sheet metal parts,...

  15. ANNEX 1: COMPARISON OF REQUIREMENTS FOR INTERNAL AUDITS
    (pp. 101-115)
  16. APPENDIX 1: THE FOOTBALL© PLANNING TOOL
    (pp. 116-118)
  17. ITG RESOURCES
    (pp. 119-122)