Internal Audits Made Easy – And Practical



If your company is registered to one of the ISO Quality Management Systems (ISO 9001, AS9100, ISO 13485, IATF 16949), then you are required to perform internal audits at planned intervals to verify the conformance of your system. Since these ISO standards are process-based, these audits should be developed and scheduled around the company’s current processes to assure the organization can meet the intended results and satisfy its customers.

What does this look like in practice? For example, prior to committing to a customer’s order, you must review their contract (or quote) for requirements to confirm your organization can meet their demands. These “demands” typically include things like quality, cost and timing.  The established process for contract review in your organization should be clear and, in many cases, documented, identifying the inputs needed, the activity to be performed and the expected output. Records of the review then need to be retained.

When auditing this process, the inputs, activity and outputs are reviewed and verified based on the requirements of the standard, your customer and your own organization, along with your implementation and practice.

A Practical Approach to Auditing
Internal ISO audits typically have three principles to consider regardless of the scope:  intent, implementation and practice. Each of these principles form a portion of each audit and the auditor must understand how they are satisfied within the scope of their audit.

One might wonder, “What do I need to check for each of these principles?” To answer this question, let’s look at samples for each in the context of completing a Contract Review (Figure 1 below).  Note that in some organizations, ‘Contract Review’ may fall under other names such as Quoting or Sales and Quoting, etc.

FIGURE 1 - Contract Review Process

For the first principle – intent – the internal auditor needs to verify that the company’s process for Contract Review meets the requirements of the applicable ISO standard and other referenced documents. This typically is done as part of the audit preparation, where the auditor compares the ISO Standard (external standard) to the organization’s current procedures and processes to guarantee that all pertinent requirements have been addressed. This also may include any applicable customer-specific requirements mentioned in the contract. 
Looking at Figure 1, the procedures for ‘Feasibility Reviews’ and ‘Contract Reviews,’ or P1.2 and P1.3, would be reviewed and compared to the input documents to assure all relevant requirements are being addressed. This process is typically called a desk audit, and it provides the auditor with an understanding of the requirements that must be addressed, and ensures the organization has addressed them.
The next principle, implementation effectiveness, has two parts: awareness and availability.  For procedures P1.2 and P1.3 mentioned above, the auditor would want to verify that the personnel who need to use these documents are familiar with them (reviewed, trained, etc.), and the procedures are readily available to them in their day-to-day activities when and where they are needed. The documents may be available via electronic media or hardcopy, whichever the organization prefers.
The third part is practice effectiveness. Several things can come into play when determining the effectiveness of an organization’s practices. The customer’s requirements may specify certain metrics that need to be verified. The company may have timing, cost or quality metrics in place for the process being audited. There may be departmental goals or metrics established. This is where a process flow or map is helpful, which lists the inputs, process activity, expected outputs and any measures associated with the process.  
In Figure 1 above, Performance Indicators are listed for Contract Review. Timing and Quotes In Process reports are monitored by management. While these are the main metrics of the process, others may be identified in the procedures or other documents as well.
For Contract Review, there may be a checklist of items to consider related to product requirements, process capability, capacity, timing, changes, cost, materials, etc. Key personnel may be identified as to who must review and approve the contract. The resulting output should be clear and record retention identified. The auditor could look at Contracts in various stages of review – newly initiated, work in process and completed reviews – then compare production jobs on the floor to the contract requirements to ensure they are being met. In Figure 1 above, procedures P1.2 and P1.3 would identify most, if not all, of these items.
Any internal audit of a quality management system element should consider intent, implementation and practice to determine conformance.  If an auditor keeps these three principles in mind, they will find the auditing process to be more comprehensive and more practical than ever before.
Dale WickerQuality Program Manager
Dale Wicker is a member of The Center's Quality Team. He manages and delivers training and assistance to organizations in the areas of quality improvements and environmental management systems. Some of his projects involve support with the implementation of a Quality Management System including: ISO 9001, ISO/TS 16949, AS 9100 and ISO 14001. Dale also conducts training and provides consulting on the supporting tools of Quality Systems.

Since 1991, the Michigan Manufacturing Technology Center has assisted Michigan’s small and medium-sized businesses to successfully compete and grow. Through personalized services designed to meet the needs of clients, we develop more effective business leaders, drive product and process innovation, promote company-wide operational excellence and foster creative strategies for business growth and greater profitability. Find us at

Categories: Quality Management