Why do you need an internal audit for the QMS or ISMS?

An internal audit is required for compliance with the applicable standard (e.g. ISO 9001, ISO 27001), because the effectiveness of the management system must be reliably demonstrated. The internal audit of individual processes and systems follows a previously established schedule and set of guidelines. The results must be documented in writing so that the organization can initiate improvement measures. If the audit reports are missing from the management system documentation, the lead auditor of the certification body can report this as a major nonconformity (major deviation). Such an undesirable situation would prevent the certification body from issuing a certificate.

What is an internal audit and what is it used for?

This “internal audit” is a type of internal examination of individual processes and systems of a company based on a previously established set of guidelines or criteria.

The specialist literature also uses the term “1st party audit” when it refers to the activities of the internal auditor. This auditor must be an expert in the ISO 27001 standard; otherwise it will be difficult for them to deal with the internal aspects that arise during the year.

What are the advantages of an internal audit?

Companies must recognize the need for an internal audit both because of the requirement of the ISO 27001 standard and because of internal company guidelines. Many organizations have contractually bound themselves to various rules. The compliance department must ensure that the organizational units or departments comply with these rules; otherwise there is a risk of significant contractual penalties. In principle, even without this complexity, there are many good reasons for an internal audit:

  • Requirement for certification: Are we compliant with the standards? Regularly clarify to what extent your company meets the required standard criteria as part of the certification.
  • Identify weak points and potential for optimization: An internal audit of your management system can offer many advantages. The audit results help to implement targeted improvements in your company.

What does an internal audit entail?

An “internal audit” is a type of internal investigation of individual processes and systems in the organization. It follows a fixed guideline, and a catalog of criteria can also help when querying individual aspects. The management system is checked by an internal auditor to ensure that its objectives are achieved. The company set certain goals when it introduced the management system (e.g. quality management, environmental management system, occupational safety), and the audit verifies that these goals are being met.

Unlike external audits, internal audits are led by the respective company itself. The audit is carried out by qualified internal auditors of the company. Alternatively, this task can be outsourced to a specialized service provider. As a result of the internal audit, a meaningful audit report should be included in the documentation of the management system (e.g. ISMS, QMS, EMS, IMS).

The internal audit is an important part of the management system documentation

Which steps are part of the internal audit?

An internal audit has several steps that need to be observed in order to be compliant with the relevant standard.

Audit planning (planning phase)

During audit planning, the objectives of the internal audit are determined. The scope and focal points of the audit are planned. It is important to decide which areas of the company should be audited and during which period.

Preparatory work for the audit (preparatory phase)

The audit phase is prepared on the basis of the audit planning: The audit guidelines are first created. The management system documentation must then be checked. Based on the initial findings, the work packages of the audit phase will be further specified. The lead auditor then assembles the audit team.

The lead auditor must carry out the specific organization and scheduling of the internal audits. In several individual discussions, the lead auditor explains the aim and purpose of the planned internal audit to the respective department.

Carrying out the internal audit (audit phase)

Individual processes are observed while the audit is being carried out. For this purpose, the audit team carries out individual discussions with the responsible employees. In addition, interviews are conducted with selected employees. The company documents (e.g. process descriptions, security guidelines) and management documentation are compared in detail with the standard specifications. Deviations from the desired target state are recorded in a special documentation template. These identified deviations are discussed at the final meeting with management.

Post-processing (follow-up phase)

During the follow-up, the lead internal auditor must prepare a meaningful audit report. During certification, the external auditor will want to view this report in the management system documents.

Implementation of improvement measures

As a result of the internal audit, the organization should collect all nonconformities in a list and address them in a prioritized manner. This list, as well as the implementation of the improvements or corrections, must be documented. This documentation is important evidence that the organization operates a living management system.