The ISO standards require the business to conduct internal audits at planned intervals to provide information on whether the management system is effectively implemented and maintained and conforms to

+ The business’ own requirements – Process Audits

+ The requirements of the relevant standard – System Audit

So what’s the difference between a system and process audit?

A system audit is conducted to ensure the management system meets the requirements of the relevant ISO standard.  It is usually completed using a checklist that list the standard requirements and identifies the elements of the business’ management system that meets the ISO Standard.  Considering that the standards or business’ management system framework probably doesn’t change often, the business should consider how often they need to conduct such an audit – maybe a triennial audit, in preparation for your recertification audit or with a change in the standard.

A process audit is about checking the “processes” that the business has determine to be necessary to implement the management system and ensure they are performing and producing in accordance with desired outcomes.  These audits allow the business to also challenge “what is done” in the name of the management system and determine relevance and accuracy against what is “being done” in operations.  These audits should take the auditor to the pointy end of the business to ensure the management system supports the business outcomes.  The audits may analyse the linkages between processes to ensure cohesion of the management system and may consider

+ The defined process (operations, training and HR, continuous improvement etc)

+ The inputs and outputs from the process

+ Who is involved

+ Equipment and resources

+ Compliance requirements

+ Key performance indicators

Audit Programme

The business needs to establish an audit programme (schedule) that details

+ Methods – how the audit will be conducted – desktop, during work hours

+ Resources – Audit tools

+ Frequency – how often the specific audit will be conducted – monthly, quarterly etc – risk based – which processes are more critical?

Conducting the audit

An auditor should be selected who has

+ The required skills and knowledge to conduct the audit

+ Independence from the process being audited to ensure objectivity and impartiality (you shouldn’t be auditing your own work)

+ Responsibility – who will conduct and partake in the audit

Audit close out

Following the completion of the audit, the final 2 steps need to be completed

+ Ensure that the results of the audit are reported to relevant management

+ Take appropriate corrective actions as required