Internal Audit Programme: Building from the Ground Up

The Role of Internal Audits

Internal audits are a requirement of virtually every ISO management system standard, including ISO 27001, ISO 9001, ISO 22301, and ISO 42001. Beyond compliance, internal audits provide objective assurance that your management system functions as intended. They identify gaps before external auditors find them and demonstrate management's commitment to the system.

Developing the Audit Programme

An audit programme defines the overall plan for audits over a defined period, typically 12 months. When building your programme:

• Ensure all clauses of the applicable standard and all in-scope processes are covered within the programme cycle
• Consider risk-based scheduling: audit higher-risk areas and areas with a history of nonconformities more frequently
• Account for changes in the organisation, such as new processes or technologies
• Align audit timing with management review cycles so findings feed into leadership decisions
• Define resource requirements, including auditor count and time allocation

Document the programme and obtain management approval.

Audit Planning

Each individual audit requires its own plan including:

• Audit objectives, scope, and criteria
• Processes and departments to be audited
• Audit team composition, ensuring auditor independence
• Schedule with dates and estimated durations
• Documentation to be reviewed

Share the plan with auditees in advance.

Auditor Competence

The quality of your programme depends directly on auditor competence. Requirements include:

• Knowledge of the applicable standard and its requirements
• Understanding of the management system and organisational processes
• Training in audit techniques, including planning, interviewing, and reporting
• Impartiality: auditors must not audit their own work
• Interpersonal skills for constructive communication

Invest in formal auditor training, such as ISO 19011 courses. For smaller organisations, consider combining internal staff with external audit resources.

Conducting the Audit

During the audit, follow a structured approach:

• Hold an opening meeting to confirm scope and logistics
• Gather evidence through interviews, observation, and document review
• Evaluate evidence against audit criteria
• Document findings, distinguishing conformities, nonconformities, and improvement opportunities
• Hold a closing meeting to present preliminary findings

Handling Nonconformities

A nonconformity is a failure to meet a requirement. When documenting nonconformities:

• Describe the finding clearly, referencing the specific requirement not met
• Provide objective evidence supporting the finding
• Classify severity: major nonconformities indicate systemic failure, while minor ones are isolated lapses

Implementing Corrective Actions

Effective corrective actions address root causes. A robust process includes:

• Root cause analysis using techniques such as the 5 Whys or fishbone diagrams
• Defining specific, measurable actions with clear ownership and deadlines
• Implementing actions within agreed timeframes
• Verifying effectiveness to confirm the issue is resolved and recurrence prevented
• Closing the nonconformity only after verification is complete

A mature audit programme becomes a valued part of organisational culture, where auditees welcome the process as an opportunity for improvement rather than an inspection to endure.