The Quality Hub Podcast


ISO 9001 Certification – The Internal Audit Process

by The Quality Hub

Episode 6 – ISO 9001 – The Internal Audit Process


In this episode, Suzanne Strausser, VP of Consulting and Development at Core Business Solutions, will discuss the ins and outs of Internal Auditing. Suzanne will delve into the key aspects of Internal Auditing, including the purpose, the parties involved, findings, and the appropriate responses to them. She will also share insights on the upcoming second management meeting and the preparatory measures for the Stage 1 audit.

Core Business Solutions publishes ISO Certification podcast episodes weekly.


Episode 6 Key Content

Hello, everyone, and thanks for listening to the Quality Hub chatting with ISO experts. I’m your host, Xavier Francis, and I’m here again with Suzanne Strasser, VP of Consulting and Development here at Core Business Solutions. So glad you could be with us again.

Thanks, Xavier. Glad to be back.

For today’s show, we’ll be talking about the internal audit process, where we look at the processes of the internal audit and the steps to take afterwards and before your stage one audit. But first off, let’s learn a little bit more about our guest, a fan favorite, Suzanne Strasser.

Well, here’s something you’re never going to hear other people say. I love auditing.

Wow. That’s awesome.

I actually remember when I worked for a previous company. We had some training in Georgia and we were going through the audit process in a mock audit. And the company president walked in and there were like 4000 people in the company. And he stood and watched me for a while and gave me, you know, gave me a thumbs up.

And our consultant pulled me aside and said, “Have you ever heard the phrase ‘competence happens in a moment’?” He said, “I think this is kind of your thing.”

That’s great.

And yeah, I just love it.

That’s awesome. Well, I know many years ago we did a mock audit in here and we did a I think we were doing Core Community at that point, which was yes, for some of our customers, which are probably some listening and some of them may have actually seen some of those. And we did a mock audit and we did a how, how you should do it, and how you shouldn’t do it.

That was a lot of fun. I could sense that we were mocking the audit that you shouldn’t do.

You were still a little annoyed, like, I’ve been here, I’ve been here, I’ve done this. This is exactly what it’s like. So. But anyway, this is the internal audit, which we’re talking about that was actually a mock audit and also a mock management review.


Yes. Well, it’s great to have you here again. And like I said, we are at the internal audit stage of our quality management system implementation. At this point, businesses will either do their own internal audits or have someone outside the organization like us do it for them. Let’s not get this confused with the actual certification audit. Internal audits are something that you have to do, but you can’t audit your own process.

So a lot of companies will ask outside people who are not a registrar to do that initial internal audit. Can you go through some of those?

Sure. Yeah. It’s a requirement in the standard that you do your own internal audit prior to the external audit, you know, as part of your management system, just part of your daily yearly management system activities.

You’re auditing the things you need to audit.

Yes. But you may not be, you may not have implemented those things that you said.

All right. So you said we’re going to do it. We haven’t done them yet. Okay.

You never know.

You never know. Yeah, well, this is continuous improvement. So.

So, for example, if you’re auditing and you find the company is at 50% on-time delivery and they have 30% returns and two out of five on customer satisfaction, for example, that’s not really effectively implemented. And then I think the fourth thing an audit does, and this is not really in the standard, but it’s to provide assurance to the management team.

Oh, yeah, because yes, they’re supposed to be so involved.

They’re the sponsor of this too. Yep. Yep. They want to make sure that your processes are implemented as you intended.

So it’s so those four things are looking at what you’ve done. Make sure you’re following how you said you’re going to do it. Make sure it meets the standard. Are you effectively implemented and you’re meeting your goals and you’re assuring management that you’re doing all those three?

Exactly right. Very good. Yep. So all that to say is I think auditing is not for the weak. That may be a little bit of a bold statement, but you really have to stand your ground. You can’t be wishy-washy. You have to be factual. The standard, like you said before, does say you need to select auditors that conduct audits to ensure objectivity and impartiality.

That’s why you can’t audit your own.

Yes. And in a small organization, that’s really hard to do, I bet. So a lot of companies choose to outsource the audit process not only for the objectivity but also for the sheer resources it takes.

I think Brian mentioned that before where, yeah, you say you can be objective, but when it’s your buddy that you have lunch with.

Or your boss.

Or your boss, that’s a really good point, you know, or somebody that has authority over you, how critical do you really want to be?

Plus, you have to keep people trained and it takes time away from their job. It’s really hard to do internally.

Well, at least do it well. Yes. Where you’re going to have some sort of sense that it’s really achieving what it should. Yes. Okay. So it’s very possible and probably likely, I would think, that you’re going to have some findings during this internal process. How should you review and proceed once you see what those findings are?

So let’s talk about what we mean by findings first, because that’s a term that has a lot of different meanings.

Yeah. And it kind of gives a little bit of almost like a CSI kind of thing. Like we found something. Yeah. Here’s a clue. What’s wrong? Not unlike the audit word, right?

So a finding, and you hear the word non-conformance, it really should be tied back to a requirement that is not being met in the standard. In the standard. This shouldn’t be somebody’s opinion. You know, the auditor has an obligation to write the statement in a way that it’s a fact. Like, “In four out of five customer purchase orders sampled, there was no evidence of a review being done as per section 8.2.3 in ISO 9001:2015.”

So it’s, that’s to the letter, yet a finding says, nope, you did not achieve this as a standard.

Yes, but because this is an internal audit, you also want auditors to write up helpful improvement suggestions, which could be worded like, “The company should consider having a backup reviewer for customer purchase orders when the primary person is out of office.”

Right? And that would be something that’s another good reason why having an external auditor do your internal audit is helpful.

Exactly. People come with a lot of preconceived notions when they’re doing their own internal audit and it’s good to step away from that. Once you have identified those findings and agreed on them, there can be a little back and forth with the auditor and maybe the owner of the process to make sure they’re clarified.

Some of this is also, like you said, we’re doing what we said we were going to do. Is there a clear understanding of this is how we were planning on doing that and achieving that?

Right? So then the standard says you’re supposed to take appropriate correction and corrective action without undue delay. Wow.

What’s undue delay, you know?

Yeah, right, right. Way nebulous much.


To me, any findings from your internal audit should really generate a formal corrective action, and we can talk down the road maybe if that statement’s true for subsequent audits because some people think maybe you don’t have to, but I say write that corrective action. It’s good to have some in your system anyway.

Right? And I mean, that’s probably something that when you get to your certification audit, they can see you’ve done corrective actions. So that’s something that’s going to be beneficial for you in the real certification and surveillance. All right. Moving forward.

And then you have to prioritize based on risk and how much of an impact they could have on your management system.

Well, this is another good reason to have some form of central location where you can document this stuff with your corrective actions and your non-conformances, one reason we use the Core Compliance System here. It gives you the ability to keep these things. These records make them feel nice.

Keep everything all together and generate reports and all that. So yeah, the next step then would be to develop your action plan to address your finding, you know, including determining the root cause, which is part of the process.

How many whys? And as many as needed.

Many as needed. Yeah, there is no magic number, about five, but sometimes you have to go there.

Even a little further than five.

Sometimes, you know, make sure you identify who’s responsible for all the steps. That’s you know, that’s a big thing. And make sure you’re realistic about your timelines. Then, you know, obviously implement what you’ve intended, which may mean you have to update some procedures, train some folks, put some other things in place.

And again, this is not a reflection on the individual employee.

Not at all.

It’s about the process and their place within the process and making sure that we all know that process and how to follow that.

Exactly right. Yep. And then once you’ve made your changes, you really have to verify that you’ve been effective in what you’ve changed. So did you really address the issue that you had initially?

Does it solve the problem?

Does it solve the problem? Yep. And you may need follow-up audits at this point if it’s that severe, or other ways to review to determine whether your corrective actions are working as you intended. Okay. And there are different schools of thought about keeping the audit open during this activity. We don’t typically advise that. You know, close it out, close out your reports, and then let the corrective action process drive the completion of the findings.

When would you look at the results of the steps you took in another audit?

Yes. Yes. You’d go back and look at those corrective actions in the next audit, and make sure that they’re closed out.

And management review would probably be unfortunate.

Yes, as we’re going to talk about that. Yes.

Yes, we are going to talk about that. Okay. So that would lead to okay, did this stuff work? Do we fix it? Do we not? Management steps in and we have that second management review. We’ve already talked about the first one. Yeah, for the internal audit. Now we’re looking at that second management review. We’ve already talked about a little bit of its purpose, but what are its purpose and outputs from that management.