The need to perform internal audits is greater than ever. The past few years have seen an increase in the number of ISO certifications across all Management Systems Standards (MSS). According to The ISO Survey of Management System Standard Certifications – 2018, ISO 9001:2015 remains the most popular standard, with 878,664 valid certificates, followed by ISO 14001:2015 (307,059 valid certificates) and ISO 22000:2005 & 2018 (32,120 valid certificates).
The rise in the number of certified organisations has increased the demand for specially trained staff needed to meet the requirements of ISO-MSS. For example, the increasing importance of ISO 27001 has highlighted the severe information security skills shortage, while the advent of ISO 27701 is sure to do the same for the data protection field.
One requirement common to all ISO-MSS, and also requiring skilled employees, is the need to perform internal audits. Mandated by Clause 9 – Performance Evaluation, certified organisations are required maintain an internal audit programme (or programmes, management system depending). It must be noted that this requirement is separate from the need to undertake certification audits and continuing assessment visits!
Needless to say, because the subject of your organisation’s internal audit programme is the breadth of the management system itself, this is no easy requirement to satisfy. Many organisations without internal audit teams turn to third parties to provide this capability (and for small organisations, this may well be the most practical course). Furthermore, the nature of this requirement often leads organisations to view it as a simple box ticking exercise of little wider utility.
This is not the case! Performed properly, internal audits can function as a vital source of information, helping organisations identify gaps in their management system, as well as potential opportunities they could exploit. The purpose of this article is to provide more information about the internal audit requirements of ISO-MSS.
Why does my organisation need to conduct an Internal Audit?
As mentioned above, the requirement to perform internal audits is common to all ISO-MSS. This is because Clause 9 – Performance Evaluation, which contains the internal audit provision, is part of ISO’s MSS High-Level Structure (HLS).
Finalised in 2015, the HLS is a set of 10 clauses that all ISO management systems are required to use. This is so that all management systems will have a familiar design, and will also enable greater integration between systems of different disciplines (e.g. Quality Control and Environmental Management). The HLS will use the same core text for every management system, plus subject matter specific text that will be added depending on the focus of the management system.
Therefore all organisations looking to achieve certification against an ISO MSS have no choice but to establish an internal audit function, along with other general performance evaluation systems as outlined in Clause 9 (plus domain specific requirements such as the need to monitor customer satisfaction in ISO 9001).
What are the Internal Audit Requirements?
There are two internal audit sub-clauses. It is worth quoting the requirements in full to best understand what is needed. Using ISO 9001 as an example; organisations are required to:
“conduct internal audits at planned intervals to provide information on whether the quality management system:
a) Conforms to:
- The organisation’s own requirements for its quality management system
- The requirements of this International Standard;
b) Is effectively implemented and maintained.
a) Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organisation, and the results of previous audits;
b) Define the audit criteria and scope for each audit;
c) Select auditors and conduct audits to ensure the objectivity and the impartiality of the audit process;
d) Ensure that the results of the audit are reported to relevant management;
e) Take appropriate correction and corrective actions without undue delay;
f) Retain documented information as evidence of the implementation of the audit programme and the audit results.
The purpose of 9.2.1 is simply to mandate that organisation’s establish and maintain an effective internal audit function to check whether the management system conforms to the standard in question.
9.2.2 provides more detail on what exactly an internal audit programme entails – defining the end to end process; from planning and scope definition through to reporting and corrective actions. That said, the requirements only offer a skeleton framework, with little detail on the specifics. For example, 9.2.2 c) does not explicitly define what constitutes an impartial and objective audit process. A similar point could be made about 9.2.2 a) – while audits must take place at a set frequency, the standards offers no guidance on how regularly audits should take place. This is something organisations will have to determine themselves, with audit cadence dependent on the nature of your organisation.
What are the advantages of performing Internal Audits?
While the HLS lays out the requirement to perform internal audits, it does not explain the advantages of doing so. As mentioned above, sometimes internal audits can be seen as nothing more than a box ticking exercise of no real value. An activity organisations are forced to do against their will, by a client or another third party. But such a negative view obscures the significant benefits that a well-run internal audit function can deliver.
Certain benefits are clear. The internal audit requirement sits within the broader Performance Evaluation clause of the HLS, whose primary purpose is to monitor how well the management system is functioning. A comprehensive internal audit process can help identify when and where there are issues in the control environment. Depending on the management system in question, spotting an issue early on (perhaps a policy not being followed correctly) can save an organisation from significant pain. For instance, in the case of ISO 27001, a failure to implement certain controls effectively could leave your organisation at risk of being hacked.
But a mature internal audit function can also confer broader benefits on an organisation. In their breakdown of Internal Audit Process Maturity, the Institute of Internal Auditors highlight how “Optimized” internal audit processes (i.e. those of the highest maturity) provide senior management with an accurate and continuous overview of the control environment. This allows the organisation to meet KPIs and rapidly respond to relevant internal and external changes. It also makes the organisation as a whole more resilient – more process-dependent and less people-dependent.
As discussed, establishing an internal audit process is a requirement shared by all ISO-MSS. In short, if you want your organisation to be certified against any of ISO 9001, ISO 14001, ISO 27001, ISO 45001 and others, then you must have an internal audit function (whether in house or provided by a third party). But an internal audit process can also be so much more than a spreadsheet checked once or twice a year. A mature internal audit process can deliver significant value to an organistion, helping guard against risks arising from poorly implemented controls and helping to improve businesses processes more generally.
If you would like to assess your company’s GDPR risk in a matter of minutes, please click here to start a trial.Get started