Internal audit

If you are like most people with a quality system, you have procedures; one of which is concerned with Internal Audits. The standard states:

9.2.1 – The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
a) conforms to:
1. the organization’s own requirements for its quality management system;
2. the requirements of this International Standard;
b) is effectively implemented and maintained, and,

9.2.2 – The organization shall:
a) plan, establish, implement and maintain an audit program(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
e) take appropriate correction and corrective actions without undue delay;
f) retain documented information as evidence of the implementation of the audit program and the audit results.

if you are like most people with Internal Audit procedures, you have carefully word-smithed the verbiage to address all the “shalls,” individually, just in case. And, if you are like most people who have addressed all the points, you most likely have a sentence in your procedure that addresses the requirement; “Auditors shall not audit their own work” which was passed down to us from time immemorial.

I understand what ISO was trying to communicate with this requirement and I also understand, in some cases, it is absolutely impossible for a small organization to meet the letter of the law. It is also regrettable that most Auditors looked upon this requirement as ‘Etched in Stone’ and woe unto you, poor quality guy, whose senior management wouldn’t spring for a team of trained in-house auditors or for a 3rd party audit of the processes you manage.

Yep – The MR Audit came into being for no other reason but to give you ulcers and a new line item in your annual budget! For the auditor it was just too easy to say;” Who audits you?” and wait as you stutter the name of an amorphic entity obviously made up internal-auditof Day-Glow Ectoplasm, the name of whom (if you have been really creative) may be on some sort of training record to prove competence, but whose handwriting is remarkably ‘similar’ to yours.

This is not exactly what ISO had in mind.

From the very beginning, ISO had presented us with a ‘Best in Class’ set of practices, their business model, if you will, to address the various issues organizations face, that if done so ‘properly,’ would lead to improvements in efficiency and effectiveness of performance processes.

The purpose of not auditing your own work was to prevent ‘cheating.’ Best Practices are transparent. Best Practices hold you accountable. So the point was to promote truth in disclosure.Internal Auditing is intended to be a process which honestly looks at the systems and assesses them fairly in order to make a recommendation as to the level of compliance with a particular requirement and if found to be not compliant, to make the necessary changes to bring about compliance. So, what’s a QA guy to do? You do the best you can. You audit fairly and honestly. You document weaknesses and initiate corrective actions regardless of who the process owner is. In short, you do your job!

The good news is with the advent of the revision to ISO 19011 (in 2011) and ISO 9001 (which has omitted that critical line, “Auditors shall not audit their own work”) and then provided ‘a way out’ with the inclusion of the guidance note: NOTE See ISO 19011 for guidance, all is now well with the world. Did you stay with me? Do you understand what this means? Have you read ISO 19011:2011 – Guidelines for auditing management systems?

It means we can ‘legally” audit our own work (if we have to) because *ISO 19011:2011 Section 4(e) states, “For small organizations, it may not be possible for internal auditors to be fully independent of the activity being audited, but every effort should be made to remove bias and encourage objectivity.”

Audit and be happy… and I suggest that, if you are like most people who have an Internal Audit procedure which addresses ALL the requirements of the International Standard you might want to make a small change to that verbiage with something like: “The MR ensures that auditors are independent of the area audited, wherever possible*.”

*See *ISO 19011:2011 Section 4(e).

Royalty-Free Image courtesy of

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s