How to conduct an internal audit and when to use external resource

Blog index

Internal Audits are a key component in ensuring that your management system(s) are being properly followed and maintained. For many organisations this can be a daunting task, especially given that internal audits must be conducted regularly in order to maintain ISO certification. As a result, the audits often take place in run up to their surveillance audit / re-certification, sometimes with an element of panic setting in.

How often are internal audits required?

When it comes to satisfying the Internal Audit requirement, the two key questions are often, “shall we do it ourselves or contract a third party to do this?” The other is “how frequently do we need to conduct the audit: monthly/quarterly/annually?”
The answer to this question is, it will depend. It will depend upon the maturity of the organisation, the complexity of the organisation and most importantly, does the organisation have the internal resources to conduct such a task?

How to conduct an internal audit

When it comes to conducting Internal Audits then you generally have two choices:

  1. Conduct them utilising internal resources.
  2. Conduct them using a third party, such as an ISO Consultant.

Conducting an audit using internal resources

If you are conducting an internal audit using internal resources then those doing the work need to demonstrate competence in four areas:

  1. Auditor capability – how to be an auditor and conduct an audit
  2. Knowledge of your management system & processes / policies / procedures / etc.
  3. Knowledge of the requirements of the applicable standard (e.g. ISO 9001, ISO 27001…)
  4. Independence from the process – this does not mean employees cannot audit, it’s more a case of they cannot have any daily responsibility for the management of the system

But how do you ensure your internal resource is competent – and confident – enough to complete the internal audit to the required standards?

One way to achieve this is through a formal, generic recognised training course. Alternatively, it can also be achieved through Certificated Internal Auditor training delivered by a consultancy such as Equas. Indeed, many of our clients prefer this as the training is tailored to your organisation / your system and is frequently more cost-effective. It also includes a short session with the consultant, following your own audits, to review how they went and to provide feedback.

Conducting an audit using external resources

If you don’t have the internal resource or expertise to conduct internal audits you have the option to engage a third party consultancy, such as Equas. They can plan and deliver the Internal Audit and lead the Management Review on your behalf.

Using a third party to conduct your internal audits has a number of benefits over the use of internal resource, including:

  1. Independence – being completely independent means that the auditor will not have any involvement with your systems and processes and therefore will be able to approach the audit without any preconceptions.
  2. Expertise – third-party auditors will generally be certified to conduct internal audits and therefore they will know best practices.
  3. Experience – having conducted dozens, if not hundreds of internal audits, an experienced third party auditor can bring not only qualified best practices but also real-life experiences from the other businesses and industries he or she has experienced, all of which can add value to your own internal audit processes and, indeed, your business overall.
  4. Impartiality – when using an external third-party consultancy you have the added comfort of knowing that they will be impartial. They have no vested interest in one outcome or another. Their sole purpose is to conduct the audit and provide feedback. They also won’t have the potential conflict of having friends or colleagues responsible for elements that are being audited.

Which is the best choice for your business?

Ultimately, the decision rests with you. The primary objective is ensuring that the Internal Audit is completed in a way that meets the requirements of ISO Standards. Of course, we would be delighted to talk to you about your options and to provide a no-obligation quotation to support you with any or all of your requirements. Contact us today.

Download our free Internal Audit resources

To help you understand the typical requirements of an internal audit you can download our free templates – Internal Audit Agenda and Internal Audit Checklist/Report (examples are for ISO 27001) – just enter your email address below.