The company conducts internal audits at planned intervals to provide information on whether the Quality Management System: Conforms to: The company's own requirements for its Quality Management System; the requirements of this standard; is effectively implemented and maintained.
Now for the wordy bit. The company: plans, establishes, implements and maintains an audit program, including the frequency, methods, responsibilities, planning, requirements and reporting which shall take into consideration the importance of the process concerned, changes affecting the company, and the results of previous audits; defines the audit criteria and scope for each audit; selects auditors and conduct audits to ensure objectivity and the impartiality of the audit process; ensures that results of the audits are reported to the relevant management; takes appropriate correction and corrective actions without undue delay; retains documented information as evidence of the implementation of the audit program and the audit results.
Ta-da. One of the most important clauses in the entire standard and one that is gotten wrong, so often. So here are my sage words. Internal quality audits are structured and have quite specific planning and reporting requirements. There is a need for independence, so make sure it happens. There is a need for competent persons, so make them so. In fact, this is such an important element, seek and get external training and mentoring. There is a need to demonstrate effectiveness. There is only one way to do this. Verification of records, validation of process and communication. Well that’s three, but heck this is not a maths post. Just remember, the most important part of the internal audit process is communication. One more time, communication.
The 2 types of audits
Compliance auditing and continuous improvement (CI) auditing. Can I say, please start with compliance auditing. That means benchmark the documentation, the workflows and compare them to each other. If there is variation, resolve it. If there is no variation, conduct CI auditing next time. But always have some form of compliance in every audit to ensure there is no workflow drift. CI auditing is when you have verified the workflow, now you can challenge the workflow and look at best practice or at least better practice. Be careful, just because you are an auditor doesn’t make you a CI expert. It does, however, make you a communicator which is something you should focus on.
What internal audits are not
They are not management reviews. They are not operational monitoring. They are not statistical number crunching. They are not water-cooler conversations. And probably so many more.
So even though there is no requirement for a procedure, write one. Get explicit and set the expectation of the interested parties. You don’t need to bog your process down in formalities and bureaucracies unless your risk profile demands it. Be transparent and keep excellent records.