13 Essential Internal Audit Rules for Internal Auditors

How can an enterprise quality management system operate according to planning and make the company's system more effective? This is a question many quality professionals have pondered. Internal audits, as an important part of the supervision process, play a very significant role in the system. Today, we share the experience summary of a senior expert, who proposed 13 methods that are very valuable for reference.

Understanding of management system internal audit

If we consider the factory as a person, then the internal audit is a process of self-criticism and self-reflection on the company's management system—finding its shortcomings and further improving them. Combined with external audits, it becomes a process of criticism and self-criticism. If we treat the company's management system as a product, it will also experience defects and abnormalities during operation because external and internal factors are constantly changing, causing mutual influence and interaction, which can lead to variations in system operation.

The internal audit of the system is to find the defects and causes of defects in the system, then correct and improve them, and implement corrective and preventive measures to achieve the ultimate goal of continuous improvement.

Common mistakes in conducting internal audits

An annual internal audit is like a tornado sweeping through the entire factory all at once. The whole company, all departments, and the entire system undergo a big cleanup. It is often just a formality, making it difficult to find problems. It's like overeating causing indigestion. Many companies conduct internal audits mainly to cope with external audits out of necessity. Many factories also do internal audits perfunctorily, unable to find the real problems in the management system. Sometimes even when problems are found, few follow up, and everything remains at the problem discovery stage.

Traditional internal audit process

Develop audit plan (content includes: audit purpose, audit scope, audit basis, date, internal auditors, schedule)

Develop audit checklist (many companies do not update the audit checklist and still use the old one)

Conduct audit as planned (perform internal audit by checking, observing, questioning, and recording)

Audit result summary (hold closing meeting to summarize results)

Management review (evaluate audit results and propose improvement suggestions)

Meeting decisions (finalize, decide improvement measures, corrective and preventive actions, responsible persons, improvement plans, etc.)

Result follow-up (follow up on the effectiveness of improvement measures and close the case)

13 rules of internal audit

1. Determine the purpose of the internal audit

The three elements of audit (purpose, scope, and basis). Let's first talk about the purpose: why conduct this internal audit?

The purposes of internal audit can be the following:

Preparation for second-party or third-party audits

Obtain third-party certification

Confirm the effectiveness of the system in achieving quality objectives

Confirm the conformity or completeness of the existing system

Maintain and continuously improve the quality management system

Of course, it can also be an additional audit caused by some temporary events, for example: if the assembly workshop's recent pass rate has sharply declined, we can find the reason for the decline through internal audit. If some processes are not running smoothly or efficiency is poor, we can also conduct internal investigations, tests, and audits to find the causes of the issues.

Besides, it is important to let relevant personnel know that internal audit is not about blaming anyone, but about finding deficiencies in the management system and correcting them, which benefits everyone.

2. Audit scope

It can be the entire company, the whole system, a department, a process, or even the quality control process of a product. These can be determined according to the purpose of the internal audit.

The audit scope can include: clause elements, involved product processes, physical areas, special customer requirements, etc.

3. Audit basis

In addition to traditional system requirements, we can add some targeted requirements, such as those from top management, management representatives, and department heads, which align with the purpose of the internal audit.

Common bases include: IATF16949/ISO9001 standard requirements, special customer requirements, regulatory requirements, five core tools (other related tools and quality management methods), company internal standards/documents, etc.

4. Pre-audit investigation

Before the audit starts, the person leading the internal audit should conduct some investigation and information collection based on the audit purpose and requirements. This is not present in traditional internal audits. The collected content includes: department internal performance, personnel surveys, self-assessments by responsible persons, self-assessments by internal personnel, mutual evaluations between departments, and daily operation status. The main purpose is to preliminarily present internal system issues and understand the feelings and evaluations of relevant personnel about system operation. This makes the later internal audit more targeted and purposeful, resulting in better effects. This can be accumulated and collected during daily management before the audit or collected collectively.

5. Develop internal audit plan

Content includes: audit purpose, audit scope, audit basis, date, internal auditors, task assignments, schedule. This makes the audit work concretely presented in writing.

6. Determine internal auditors

Based on investigation results and audit purpose requirements, determine the internal audit team members. It can include qualified internal auditors accompanied by professionals related to the processes, products, or departments to be audited, breaking the traditional mode where only internal auditors participate. The benefit is combining people who understand the system with those who understand the product/process, achieving complementarity. Note that personnel from the audited department should consider avoiding conflicts of interest, and the audit team leader can assess pros and cons.

7. Prepare internal audit checklist

Audit team members prepare the audit checklist targeted to the audit purpose, scope, and basis, highlighting whether the audit aims at system improvement, department and process improvement, or comprehensive rectification and sorting.

8. Re-examination and discussion of internal audit items

After the checklist is prepared, the internal audit team reviews the checklist content again, removing redundant and duplicate audit items, supplementing deficiencies, annotating key points, etc.

9. Conduct internal audit

Execute according to the audit plan. The audit date can be random or planned, but it must try to find as many problems as possible.

10. Internal audit result summary

The results are summarized and submitted to the audit team leader, followed by a meeting to discuss and analyze the issues found during this audit. A written audit summary report is compiled and handed over to the management representative or top management to prepare for the next management review. If it is an internal audit within a single department or process, the summary meeting can be used to discuss and formulate relevant corrective and preventive actions, which can be flexibly applied depending on the severity of the issues.

11. Management Review

Hold a management review meeting to develop corresponding corrective and preventive actions for the issues found in the audit, commend the good, and improve the bad.

12. Follow-up on Internal Audit Results

Ensure that all measures are implemented and produce performance.

13. Closure

Follow up on the results of all measures and evaluate their effectiveness to form standards.