hygiene zone
quality tools
quality techniques
human issues
quality awards
quality extra
visitor tools


Stay Informed
Sign up below to receive our Occasional Newsletter.

We Respect Your Privacy!

Web SaferPak
SaferPak: Food Packaging Safety, Food Safety, Business Improvement and Quality Management
       Home     About     Contact

The Internal Audit - make the most of it!
By David Powley - DNV Certification

The internal (or first party) audit should be one of the most important opportunities for an organisation to check the effectiveness and the delivery capability of its management system. Unfortunately this opportunity is generally not appreciated according to David Powley, of DNV Certification, who offers an opinion on how to get better value from it.

The internal audit is a well established feature of all management system standards and protocols for quality, environment and safety & health (QESH). Certification bodies (or Registrars) take the internal audit seriously - they are required to. It is an obligatory feature for consideration at every certification or maintenance audit that they carry out on their certificated companies. Certification body auditors would prefer to ‘ride on the back’ of the internal audit and assess how capably the organisation can discover its own non-conformities and improvement opportunities. This is the ideal situation but too many organisations unnecessarily restrict themselves and do not fully appreciate the freedom and imagination they can exercise.

For example, internal audit programmes too often appear to be framed on clauses of the standards. This is too abstract and diffuse – organisations and their constituent processes are not (and should not be) based on clauses of standards even though they may be meeting the requirements written within them. Also, clause-based auditing tends to leave auditors without adequate focus and direction. Furthermore, there appears to be a restrictive folklore that prevents internal auditors from determining whether true customer requirements (e.g. contracts) are being fulfilled. The same type of folklore gives certain departments, within companies, a ‘no go area’ status or creates barriers to discovering whether the company is showing true compliance with regulatory stipulations such as ‘licence’ conditions for environment and quality or adherence to safety & health legally-based best practice. There must be a better view. More about this later but firstly, why is the internal audit (IA) so important?

The importance of being earnestly audited
The management system standards ISO 9001 (quality) and ISO 14001 (environment) as well as the quasi-standard OHSAS 18001 (safety & health) have a common wording for the purpose of an IA – it should determine whether the management system ‘conforms to planned arrangements’ and is effectively ‘implemented and maintained’.

Leaving aside the standard-speak, common sense presents the IA as the primary device for checking the effectiveness of delivery of performance regarding risks to QESH management. Basic risk management principles have it that significant risks (or undesired conditions) should be:

1. identified
2. effectively managed and that
3. the effectiveness of the management should be monitored.

It is within the third principle – monitoring the effectiveness of management - where the IA comes into its own. It is the main opportunity to determine whether adopted or obligatory procedures and planned arrangements are adequate and are being complied with. These being the procedures and planned arrangements used to manage and minimise the risks and undesired conditions (ref. principle number 2). The importance of the IA is self-evident but much depends on how well it is planned, administered and performed.

All things relevant and auditable
As mentioned above, there is a mysterious folkloric tendency to be ‘clausal’ and avoid getting better value when deciding on individual audit scopes. There is a need to get more from the IA and in order to do this we need to look at what matters.

In quality management, the main issue of concern is the relationship with the customers and clients together with all that is directly and indirectly related to it – this would include quality-related legal aspects. A bigger picture presents the concept of maintaining and enhancing the prosperity of the organisation.

For environmental management, the pre-occupation should be to minimise the impact on the environment together with maintenance of environmental regulatory compliance. A big picture slogan here would be ‘to manage the environmental impact of the organisation’.

Finally for safety & health, the focus of management is maintaining the safety and well-being of employees and others affected by the organisation’s activities as well as compliance with safety & health law– the maxim here is ‘to protect people’.

With these needs in mind the individual IA scopes could take on the following.

Quality matters
The contract. Why not audit against the stipulations within contracts with customers? After all these are the true agreements between the organisation and the people with whom it is doing business and they do happen to fall within the term ‘planned arrangements’ as given in the ISO 9001 standard. The more significantly-sized contracts can be quite auditable in that there are usually clear unequivocal requirements written into them such as content specifications, delivery times and terms, packaging requirements and so much more. For contracts within the service sector such as consultancies and expertise providers there may be requirements such as qualification and experience standards of personnel, the make-up of consultancy teams and requirements for regular and obligatory project meetings. There can be nothing more powerful or revealing than auditing against contracts when it comes to discovering whether or not the aim of meeting customer requirements has been achieved.
Regulatory-based specifications. The product or output of several industry sectors is substantially regulated through specifications or protocols e.g. food, pharmaceuticals, potable water, consumer products etc. The customers and regulators expect a provider to meet these so why not periodically check that this is the case by way of the internal audit?
‘Sacred Cow’ departments. It is curious that certain corporate or service functions can be absent form IA programmes. Examples that immediately come to mind are Human Resources, Finance and Marketing/Advertising but there may be others. Is it not the case that poor practices or failure to follow acceptable practices in these functions can impair relationships with customers? Poorly handled recruitment and people development can run the risk of poor product / service or at least create unnecessary internal trauma when trying to apply correction. Failure to carry out timely or adequate invoicing will almost certainly not be to the liking of customers. Misleading and inaccurate claims in company literature could lead to spending unwanted effort and energy in trying to get relationship with clients and customers back on track. There are no sacred cows where there is a detectable risk of quality (and therefore prosperity) being compromised or if experience has shown that this has actually occurred (see later).

Safety, Health & Environment (SHE) matters
‘Issue’ audits. Issues regarding the environment are many and depend on the circumstances of the organisation. They can include discharges to the aquatic environment, waste, atmospheric emissions, resource usage, nuisance, effects on habitats etc. For safety & health the term ‘issue’ can loosely translate to hazard and these can include categories such as physical (e.g. slips. trips etc.), mechanical, chemical, radiological, biological, energy and others. An issue audit would take one or more of these issues as a theme across all of the relevant units or departments of the organisation, as appropriate. Alternatively, geographical or other limitations may promote the idea of covering several issues at one unit or department at a time. The choice is to be made.
‘Licence-based’ audits. Many organisations are confronted by significant SHE risks and as such are carefully regulated by the use of documented ‘licence’ arrangements. For environmental control in the UK these licences include discharge consents issued by water companies and permits and authorisations issued by appropriate regulators according to appropriate legislation. Safety and health legislation in the UK is often underpinned by documented ‘licence’ arrangements (e.g. radio-active substances) and these too are worthy of internal audit. Other safety and health legislation (e.g. for controlling hazardous substances, noise at work etc.) is supported by Approved Codes of Practice. All of these documents are very auditable by virtue of their clear stipulations. Furthermore they are worth occasional internal auditing for compliance given that any SHE management system worthy of the term should be capable of ‘delivering regulatory compliance’.

What with existing procedures, instructions, contracts, ‘licences’, ‘issues’ and the rest, there would appear to be a mountain to audit. Not so. It is fully appreciated that internal audit resource (i.e. available audit man-hours) is precious and limited and that some things are more important than others. So priorities must be set.

Risk and Performance – nothing else really matters!

There is a piece of folklore that says that all of the management system should be internally audited. Really? What is the basis of this? Certainly the QESH standards do not say this. ISO 9001 says ‘An audit programme shall be planned, taking into consideration the status and importance of the areas to be audited, as well as the results of previous audits’. ISO 14001 states that ‘The organisation’s audit programme, including any schedule, shall be based on the environmental importance of the activity concerned and the results of previous audits’. The quasi-standard OHSAS 18001 similarly says that ‘The audit programme, including any schedule, shall be based on the results of risk assessments of the organisation’s activities, and the results of previous audits’.

Thankfully and sensibly, it would seem that internal audit priorities and therefore programmes should be based on what is important. So how is importance determined? There are two factors that matter – (1) the inherent risk and (2) the actual performance of activities, processes, business units, departments etc.

The determination of Inherent risk is an integral part of all three standards covering QESH management. ISO 14001 demands that significant environmental aspects be identified and OHSAS 18001 requires something similar for hazards and associated safety & health risks. Although the term ‘risk’ is not actually used in ISO 9001 there can be no doubt that at the ‘preventive action’ clause requiring action to ‘eliminate potential non-conformities’ the standard does require an organisation to effectively make a value judgement on inherent risk.

Performance is assessed through actual experience such as results of previous internal audits, non-conformities arising outside of internal audit, customer complaints, breaches of ‘licence’ conditions, neighbourhood complaints, accidents, incidents, near misses and other indications. The graphic in Fig 1 simplistically presents the various combinations of the risk and performance relationships. For example Zone 1 has low risk/good performance situations while Zone 2 contains those of high risk/poor performance and so on to Zone 4. This model, or a more sophisticated refinement of it, could be used to prioritise in determining audit programmes.

Fig 1. Risk and Performance - developing priority-based audit programmes.

Fig 1. Risk and Performance - developing priority-based audit programmes.

Each organisation has its own agenda to consider but based on this simplistic approach that is offered, it would be reasonable to accept that at least 50% of available audit resource would be spent in Zone 2 and 40% variably split between Zones 1 and 3 with 10% or less being spent in Zone 4. Obviously if it is felt that there is not enough to be covered within Zone 2 then the remaining available resource can be devoted to Zones 1 and 3. How much effort should be split between Zones 1 and 3 respectively depends on circumstances. Even though activities, processes and departments in Zone 1 may exhibit good performance the mere fact that they may have high risk may be enough to justify primary effort. On the other hand Zone 3 activities and departments may present low risk but the poor performance may result in more serious propagated or ‘knock on’ effects. There may be political reasons for wanting to devote 10% and more resource in Zone 4 – the areas, processes and activities concerned may not be in the QESH front-line but it may be felt that personnel in these areas ought to know that a management system exists. However this should be limited so as not to draw precious resource away from the important aspects. This is a simple depiction but it should serve to make the point that internal auditing should be directed to that which is important.

The foregoing can only be a limited attempt at putting the case that internal auditing should be taken seriously and that to underestimate its power and usefulness would be a self-disservice. For many management systems the internal audit has been the major contributor to improvement but for others better usage could be made of it. It is important for primary custodians of management systems to feel freer about what should be included and of course what is not necessary for coverage by the internal audit, based on importance. It is only in this way that an organisation can fully meet any aims regarding its management system in protecting its people, prosperity and reputation.


David Powley is a well recognised and highly experienced integrated management systems Auditor and Trainer with DNV Certification. He is the author of numerous articles on management systems for quality, environment and health and safety. DNV Certification is one of the world’s leading certification bodies/registrars offering the latest in management systems certification services. With more than 49,000 certificates issued worldwide, our name evokes a strong commitment to safety, quality, and concern for the environment. DNV recently launched Risk Based Certification™, a fresh approach to auditing. For further information on Risk Based Certification or any other service DNV offer please visit www.dnv.co.uk/certification or call 020 7716 6543.







Back to previous page














top of page

home :: about :: contact :: terms

© 2006 SaferPak Ltd.