An audit is simply another form of inspection and testing except that in this case the product being inspected

d is the
management system itself.
Like a product inspection, an audit simply compares how things actually are, to how we think they are and how they
ought to be.
Audits help uncover areas that are in need of attention and they can be an opportunity to draw back from the day-to-
day details and to take look at the whole process with fresh eyes. Despite being such a (potentially) positive tool in
the management system toolkit, audits often induce the same kind of stress as end of year exams!
Obviously a great deal rides on a successful external audit so some anxiety is expected. However, a good Internal
Audit process can reduce the stress, since you can uncover the problems yourself and resolve them before the
external auditor begins.
We suggest you enrol in a professional development course before jumping into the role of Auditor. An alternative is
to use an external consultant to perform your internal audits for you.
Quality, safety and environmental management standards all require audits to monitor and report on the effectiveness
of the management system. This process is also one of the six documented procedures required byISO 9001:2008.
A documented procedure shall be established to define the responsibilities and
requirements for planning and conducting audits, establishing records and reporting
results.
You are also required to keep records.

Each company will have their own particular method, but it will generally follow the same process.
Internal Audits need to be scheduled at planned intervals to check that the quality system conforms to requirements
and that the system is effective. Requirements include the standard itself, as well as the companys own
requirements (i.e., its own procedures and policies).
You dont need to audit every process all at one time. The External Audit may be like this, but internal audits can be
spread out with different processes audited at different times a series of mini-audits.
The standard does not set out a required audit frequency. Instead, it recommends that you consider how important
the processes are, their risks, their prior history of problems, and also your quality objectives. With a series of mini-
audits you can set different audit frequencies for different processes.
If you are implementing a new management system, we recommend that you should have audited all the processes
identified in your management system at least once prior to the initial Certification Audit.
An auditor should be objective and impartial. You cannot audit processes that you manage / control yourself. This
means you will need to have at least two internal auditors trained and available. However, due to lack of resources, or
sometimes with the crossover of responsibilities that is common in small businesses, having two impartial auditors
may not be possible. In this case, you may need to consider using an external resource.
Large organisations may use a team of auditors.
The plan already identifies the area you will audit, now you need to define what criteria you will audit against.
Sometimes this takes the form of a formal checklist with a pre-determined list of questions. You can also use a copy
of the procedure being audited and mark this up with questions and points to verify. Youll need to identify what
records should be checked to verify the process.
Any previous findings or issues related to the audit area should also be checked.
Even with pre-defined questions, an auditor will still need to follow their nose if something is not quite right.
You can define the criteria for the audit prior to each audit rather than having to set this up at the planning stage.
These requirements (checklists, documents, records, etc) should be communicated to the auditee some time prior to
the actual audit taking place. (Specify the time in your audit procedure a week is reasonable)
An audit usually starts with an opening meeting where the auditor meets the auditee(s), sets the expected timetable
and out how the audit will be conducted.
During the audit, the auditor will work systematically through the checklist or procedure, examining evidence that the
process meets the criteria. Its common to markup the checklist with notes and a quick finding result, e.g.,
C = compliant,
NI needs improvement,
NC non-conformance,

When recording the audit, it is important to write down exactly what evidence was examined to establish the finding
regardless of the finding. e.g. auditing employee training records the auditor writes:

(Note that the date is an important part of the evidence).
Usually the auditor will discuss the finding with the auditee before recording it. This is to ensure the finding is
understood and to confirm there is actually a problem, e.g. the auditee above may reveal that Joe Bloggs personnel
folder includes a separate safety briefing record with the required signature. This can sometimes negate the finding,
or just change it i.e. the signature is there, but it is not following the procedure. In this example, the consequences
of not following the procedure are minor and the audit finding should reflect that.
The audit will finish with a closing meeting where the lead auditor gives an overall summary of the audit and
discusses each audit finding to ensure they are understood.
An external certification auditor will submit a formal written report on the audit to management several days later and
its common for an internal auditor to do the same. However, theres no requirement in the standard for a formal audit
report. You simply need to ensure the findings are recorded and communicated to management. You could just
record the findings and their details in your non-conformance form & register (or as an Issue in QSToolbox).
You will need to retain records of the audit which will typically include:
Completed Audit Checklists and/or marked up procedures
Notes on objective evidence examined, and personnel interviewed
Audit Findings (cross referenced to your Nonconformance Register)
Audit Report
Findings raised at both Internal and External Audits need to be addressed with corrective actions. If the audit reveals
that we dont do as we say, then we either change what we do, or change what we say
At the next audit, the auditor will verify that the corrective actions taken were effective in bringing the management
system into compliance.
Have a look at the auditing process using QSToolbox.
The ISO Standard ISO 19011 has guidance on auditing. It sets out requirements on training and experience for
auditors, and requirements for how audits should planned, conducted and recorded.