What are internal audits good for?
The principal aim of
conducting internal
audits is to periodically verify that the internal operations
continue to comply with the requirements of the management system, and the
requirements of the standard.
Results of these audits
– in particular deviations identified – offer valuable information for
improving the organisation’s management system as well as the laboratory
activities and should be used for management reviews.
Note: The relevant
competence standards for laboratories and inspection bodies require internal
audits to be conducted regularly.
Audit programme and auditors
First, an internal audit programme shall be established (frequency, methods, responsibilities, planning requirements and reporting), which shall take into consideration the importance of the laboratory activities concerned, changes affecting the laboratory, and the results of previous audits. The programme might be based on the fiscal year. The different internal audits could be distributed over the entire year and should cover all elements of the management system.
The quality manager is
in general responsible for ensuring that the audits are carried out in
accordance with the established programme. Depending on the size and complexity
of an organisation the different audits may be carried out by the quality manager
or any other qualified person as lead auditor, alone or assisted by an audit
team.
The auditors should have
sufficient technical knowledge but should – wherever resources allow – not
audit their own activities. If this is impossible, the management should take
care that the activities of the auditors are also assessed and should nominate
respective persons. Auditors performing such audits should be trained for this
task.
External audits (e.g. audits carried out by accreditation bodies) cannot substitute for internal audits.
Planning of internal audits
Based on the audit
programme the time schedule, the location and the audit scope of an internal
audit are fixed. In preparation of an audit, the auditor should access all
relevant documents, manuals, previous audit reports and records of the
department to be audited to check whether they conform to the requirements of
the management system and to establish a list of key issues. In addition, the
following documents are basic ones or are helpful:
- Standards, such as ISO/IEC 17025 or ISO/IEC 17020 and ISO 19011
- Forms for reporting audit observations, such as forms that permit entering the type of nonconformity or forms for requesting corrective actions.
Implementation of on-site audit activities
In the opening meeting,
the audit team should be introduced, the audit criteria be confirmed, the audit
scope be reviewed, the audit procedure be explained and the timetable be confirmed.
The on-site audit
activities include asking questions, observing activities, examining
facilities, and examining records. The auditor checks the conformity of the
records with the management system. For this purpose, he uses the quality
management system documents (quality manual, system procedures, test equipment
files, operating instructions etc.) and examines how they are actually
implemented. Information should be collected as efficiently as possible,
without prejudice and without making the auditees insecure.
After all activities
have been audited, the auditor (if necessary together with the audit team)
reviews carefully which of their findings should be included in their report as
nonconformities and which should be included as recommendations or be
highlighted as particularly positive aspects.
If serious nonconformities have been established, the management of the audited department, which carries the responsibility for implementing the agreed corrections and decides on measures to be taken, must be informed.
In a closing meeting
with those responsible for the audited department the lead auditor should
present the audit findings and the conclusions. Nonconformities must be
recorded and a timetable for corrective actions to be completed should be
agreed.
Whenever a nonconformity
is discovered that may jeopardise the result of any laboratory activity, the
corresponding action should be discontinued until the appropriate corrective
action has been taken and proved to be successful. If the validity of already
issued certificates, calibration and/or test reports may be affected by this
nonconformity, the findings must be examined accordingly and the customer be
informed, if necessary.
Follow-up corrective action and close-out
The lead auditor
presents a clear and unambiguous report of the nonconformities based on
objective audit findings. Recommendations for improvement are marked as such
and are also documented. The quality manager makes sure that all staff members
involved in the audited functions receive an audit report.
The head of the audited
department is responsible for defining, implementing and scheduling the
corrective actions. If provided for in the quality management system the
auditor may check the implementation of the corrective actions after an agreed
period of time.
All audit records shall
be kept for a certain period of time. The trends observed in the internal
audits are followed by the quality manager and the result of the
internal audit shall be considered in the next management review.
INTERNAL AUDITS, THE AUDITOR
Introduction
There are requirements to perform internal audits in almost all quality management standards, e.g. ISO 9001 [1], ISO/IEC 17020 [2] and ISO/IEC 17025 [3]. But the requirements on the auditors are rather limited in all these standards. In this Cook Book the role of the internal auditor is discussed. In ISO 19011 [4] internal audits as well as requirements on internal auditors are described in more detail.
Mandate of the auditor
Internal
audits shall be planned activities. It is important that audits be
ordered by the top management of the laboratory. The internal auditor should
have a clear mandate and the whole process of the internal
audits, including handling of non-compliances and the mandate of the
internal auditor, should be clear to all involved parties. Mandate for the
auditors, handling of non-compliances and other important issues concerning the
internal
audits should be described in a document in the quality management
system.
One of the
main differences between internal and external audits is the possibility for
the internal auditor to be much more helpful in the laboratory’s work with
continuous improvements compared to an external auditor whose influence is much
more restricted. And that opportunity must be taken by the internal auditor to
make the internal
audits as valuable as possible for the organisation.
The independence of the auditor
In the normal case, an internal auditor from another department is chosen to assure the independence of the auditor. But if the laboratory has few employees, the requirements for independence of the auditor may be a problem. It is allowed to use an internal auditor belonging to the department when the laboratory is small, e.g. fewer than 10 employees. It is however important that an auditor shall not audit her/his own work.
When internal auditors who are not members of the organisation are used, the question of independence is no longer relevant. For small laboratories, a combination of internal auditors belonging to the organisation and internal auditors not belonging to the organisation (consultants) may be a good solution. For example, use a consultant for at least one of the internal audits during an accreditation cycle.
Confidence in the auditor
Even though the auditor is acting upon a mandate from the top management of the laboratory, the auditor should, if possible, try to avoid identifying co-workers interviewed during the audit when reporting, especially if the information provided by the co-worker is negative. Otherwise the auditor could have difficulty performing the audit in a way that leads to real improvements of the activities of the laboratory.
The competence, training and qualification of the auditor
The top management of the laboratory can order the internal audits and might also preferably point to what the internal audits have to focus on. The competence needed by the internal auditor is decided by the management ordering the audits. In other words, it is possible that an auditor may be competent for some types of audits but not for others.
Even though the specific audit determines the competence needed by the auditor, it is reasonable to ask for some basic requirements on the auditor:
- knowledge about the requirement documents, normally ISO/IEC 17025, accreditation guidelines and in some cases ISO 9001. There may also be a need to be aware of documents including requirements from voluntary and regulatory schemes;
- knowledge about the audited activities. Even though a different background may lead to interesting and good findings during an audit, in the normal situation an auditor with good knowledge about the technical area she/he is auditing is to be preferred in most of the internal audits during an accreditation cycle; and
- training in auditing technique, e.g. by participation in training courses, but it is also possible to be trained in auditing by following an experienced internal auditor during some audits.
Personal skills and attitude of the auditor
The internal auditor should:
- not act as a policeman,
- not act as a buddy,
- be a discussion partner,
- be aware that the personnel that are audited usually are nervous and uncomfortable about the situation, and
- try to help and improve and at the same time keep a reasonable level of independence.
Advice to the auditor
- remember to introduce yourself to all personnel you are interviewing,
- do not ask for the impossible, the normal activities of the organisation must go on,
- be aware that not all people can answer all questions,
- be active, do not let interviewed persons lead the audit, but on the other hand you have to listen to and let the interviewed persons finish,
- do not get stuck in papers and documents but audit the real activities of the organisation,
- keep the focus on important issues and do not get lost in details,
- interview many persons,
- take clear notes all the time; it is hard to remember what was discussed in the early morning when you are writing the report in the evening,
- “sell” non-compliances, it is important that the non-compliances are understood and accepted by the audited organisation and the personnel,
- pick random samples, do not check everything,
- try to verify and search for evidence, do not search for faults,
- give advice and search for improvements,
- keep the time schedule, if you are getting late, inform the persons waiting,
- think about secrecy and independence, the personnel interviewed must be sure that the auditor, if it is possible, is not revealing the source of criticism, on the other hand the internal auditor is acting on the mandate and order of the management, and
- do not follow checklists too strictly, it is important to be able to improvise.
Mandate and handling of non-compliances
It is very
important to decide the mandate of the auditor before the audit starts. This is
the responsibility of the top management. It is also important to stress that
the internal auditor is not responsible for handling non-compliances. That is
the responsibility of the management of the audited organisation.
References
[1] ISO 9001:2015. “Quality Management Systems – Requirements”
[2] ISO/IEC 17020:2012. “Requirements for the operation of various types of bodies performing inspection”
[3] ISO/IEC 17025:2017. “General requirements for the competence of testing and calibration laboratories”
[4] ISO 19011:2002. “Guidelines for quality and/or environmental management systems auditing”