When did your business achieve ISO certification? If it’s been a few months, your next ISO internal audit could be right around the corner.
Even when you’re busy, making time to complete regular internal audits is crucial. When businesses fall into the trap of “setting and forgetting” their systems, they risk losing their certified status.
Regular audits keep you on track to maintain your ISO compliance long into the future. Internal audits should happen annually, but often there will be many audits per year depending on the size and complexity of the business. If you’re unsure how regularly you should be auditing systems, an ISO internal auditor can help you determine a suitable timeframe.
While some audits are a fairly quick assessment to check up on your compliance, a more in-depth review is required in some circumstances, such as when you reapply for ISO certification.
An ISO internal audit involves three key stages; continue reading for a closer look at each of them.
Stage 1: Preparing for your first ISO internal audit after certification
Ahead of an ISO internal audit, your business needs to decide whether it can be done internally or if you require assistance from a consultant.
If you choose to go with a consultant, your ISO internal auditor will take a few steps before proceeding with the audit:
- Become familiar with existing systems;
- Review the external audit report and take note of any areas of non-conformance, as well as opportunities for improvement;
- Review, develop and amend the ISO internal audit schedule;
- Provide recommendations for the frequency of audits;
- Determine a suitable ISO internal audit procedure;
- Gather relevant documents to meet the requirements of the standard/s;
- Provide you with details about the approach they will take.
From start to finish, this stage will usually take one to two days.
Stage 2: Determining the scope of works and investment for an ISO internal audit
Whether your audit is completed internally or by a consultant, the audit implementation process should involve a number of core steps.
The first aspect of this is assessing your business’s level of compliance with both internal requirements and the guidelines of the ISO standard/s. This assessment is done by conducting a series of document reviews and interviews. The auditor asks questions to compare existing systems against the requirements and to look for evidence of conformance or non-conformance.
Rather than using “tick and flick” checklists, which tend to miss opportunities for improvement and more investigative findings, use a risk-based focus. This is an approach that looks at the whole process to determine where to make changes.
This information is then used to develop a detailed findings report, which should include non-conformances and opportunities for improvement. The findings also need to be communicated to management.
After the report is completed, your auditor will move on to facilitate the resolution of non-conformances, follow up on corrective and preventive actions and provide any further suggestions for improvement.
During the auditing process, businesses also need to ensure they provide suitable training and support for the implementation of procedures and forms as required. This ensures the efficient function of the system.
Stage 3: Maintaining your systems after an ISO internal audit
Many companies don’t realise that there is a significant investment of time and effort required on an ongoing basis to maintain a system once you’ve achieved ISO certification.
Between internal audits, you will be expected to maintain the habits that you have implemented, such as management reviews, internal audits, dealing with customer complaints and non-conformances in a formal way, and so on.
An internal audit needs to be completed at least every six to 12 months, but the required frequency will vary depending on your level of risk, business complexity, the number of standards implemented and the level of compliance.
Every six to 12 months you will need to be audited by the certification body. This is called a sample or surveillance audit.
After three years, your business will need to complete a recertification audit, which is in-depth and takes longer than the check-ins every six to 12 months. If you are successful, your ISO certification can be approved for another three years and you are issued another certificate.