Internal Audits and the ISO Management Standards
Published: January 8th, 2020
Author: Matt Quinn
The need to perform internal audits is greater than ever. The past few years have seen an increase in the number of ISO certifications across all Management Systems Standards (MSS).
According to the latest results, ISO 9001:2015 remains the most popular standard, with 878,664 valid certificates. Second is ISO 14001:2015 with 307,059 valid certificates. Third is ISO 22000:2005 & 2018 with 32,120 valid certificates.
The rise in the number of certified organisations has increased the demand for specially trained staff. For example, the increasing importance of ISO 27001 has highlighted the severe information security skills shortage. The arrival of ISO 27701 is sure to do the same for the data protection field.
One requirement common to all ISO-MSS, and also requiring skilled employees, is the need to perform internal audits. Mandated by Clause 9 – Performance Evaluation, certified organisations are required maintain an internal audit programme (or programmes, management system depending). It must be noted that this requirement is separate from the need to undertake certification audits!
This is a difficult requirement to satisfy. Many organisations without internal audit teams turn to third parties to provide this capability. For small organisations, using external auditors may well be the most practical course. Furthermore, the nature of this requirement often leads organisations to view it as a simple box ticking exercise.
But performed properly, internal audits can function as a vital source of information for your whole organisation and a key part of your corporate governance framework. This includes everyone, from the Chief Executive and the board of directors, down to those responsible for your internal controls.
They can help organisations identify gaps in their management system, allowing them to manage risk (including governance risk). They can also spot potential opportunities your organisation could exploit.
The purpose of this article is to provide more information about the internal audit requirements of ISO-MSS.
Why does my organisation need to conduct an Internal Audit?
As mentioned above, the requirement to perform internal audits is common to all ISO-MSS. This is because Clause 9 – Performance Evaluation, is part of ISO’s MSS High-Level Structure (HLS).
Finalised in 2015, the HLS is a set of 10 clauses that all ISO management systems are required to use. This is so that all management systems will have a familiar design. But it also enables greater integration between systems of different disciplines (e.g. Quality Control and Environmental Management).
The HLS uses the same core text for every management system. Then adds subject matter specific text depending on the focus of the ISO-MSS.
Therefore all organisations looking to achieve certification against an ISO MSS have to establish an internal audit function. They must also implement other general performance evaluation systems as outlined in Clause 9.
What are the Internal Audit Requirements?
There are two internal audit sub-clauses. It is worth quoting the requirements in full to best understand what is needed. Using ISO 9001 as an example; organisations are required to:
“conduct internal audits at planned intervals to provide information on whether the quality management system:
- a) Conforms to:
- The organisation’s own requirements for its quality management system
- The requirements of this International Standard;
- b) Is effectively implemented and maintained.
- a) Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organisation, and the results of previous audits;
- b) Define the audit criteria and scope for each audit;
- c) Select auditors and conduct audits to ensure the objectivity and the impartiality of the audit process;
- d) Ensure that the results of the audit are reported to relevant management;
- e) Take appropriate correction and corrective actions without undue delay;
- f) Retain documented information as evidence of the implementation of the audit programme and the audit results.
The purpose of 9.2.1 is simply to mandate that organisation’s establish and maintain an effective internal audit function. This is to check whether the management system conforms to the standard in question.
9.2.2 provides more detail on what exactly an internal audit programme entails. It defines the end to end process; from planning and scope definition through to reporting and corrective actions. That said, the requirements only offer a skeleton framework, with little detail on the specifics.
For example, 9.2.2 c) does not explicitly define what constitutes an impartial and objective audit process. Clause 9.2.2 a) has a similar issue, while audits must take place at a set frequency, the standards offers no guidance on how regularly audits should take place. This is something organisations will have to determine themselves, with audit cadence dependent on the nature of your organisation.
What are the advantages of performing Internal Audits?
While the HLS lays out the requirement to perform internal audits, it does not explain the advantages of doing so. As mentioned above, sometimes internal audits can be seen as nothing more than a box ticking exercise of no real value. An activity organisations are forced to do against their will, by a client or another third party. But such a negative view obscures the significant benefits that a well-run internal audit function can deliver.
Certain benefits are clear. The internal audit requirement sits within the broader Performance Evaluation clause of the HLS.
Clause nine’s primary purpose is to monitor how well the management system is functioning. An internal audit assess this. A comprehensive internal audit process can help identify when and where there are issues in the control environment.
Depending on the management system in question, spotting an issue early on can save an organisation from significant pain.
But a mature internal audit function can also confer broader benefits on an organisation. In their breakdown of Internal Audit Process Maturity, the Chartered Institute of Internal Auditors highlight how “Optimized” internal audit processes (i.e. those of the highest maturity) provide management and the board with an accurate and continuous overview of the control environment.
As discussed, establishing an internal audit process is a requirement shared by all ISO-MSS. If you want your organisation to be certified against any of ISO-MSS, then you must have an internal audit function.
But an internal audit process can also be so much more than a spreadsheet checked once or twice a year. A mature internal audit process can deliver significant value to an organistion. It can help guard against risks arising from poorly implemented controls and help to improve businesses processes more generally.