Internal audit programs

Q: How do I start an internal audit program?

A: The best place to start is to first understand what an audit program is and what is required to have one. A common misconception is that an audit program is the same as simply completing internal audits. It is not.

An audit program consists of the arrangements made to complete all of the individual audits needed to achieve a specific purpose.1 This means there are three important components needed for an audit program:

  1. An understanding of the specific purpose to be achieved (the audit program objectives).
  2. Making the appropriate arrangements for achieving the defined audit objectives.
  3. Completing one or more audits to achieve the desired results.

Defining program objectives

The first step in setting up an audit program is ensuring you clearly understand the specific objectives you want to achieve.

For example, if the purpose of your internal audit is to meet the requirements set out in ISO 9001:2008, one purpose of your audit program is to determine whether the quality management system (QMS) conforms to the requirements set out in the standard, as well as the requirements established by the organization for the QMS. Another purpose of the audit program is to determine whether the QMS is effectively implemented and maintained. This is information that must be considered by top management during management review.

Many internal audit programs have a number of different objectives. This is particularly true when the audit program is established to assess conformance to a range of requirements across several disciplines, such as quality, environmental, occupational health and safety, IT security, food safety and asset management. The expectations for all of these various audits must be identified up front and should be documented as agreed-upon audit program objectives.

It is important to assess whether sufficient resources have been allocated for accomplishing the agreed-upon objectives. This includes availability of competent and independent auditors, ready access to the information and personnel needed to collect the necessary audit evidence, as well as the financial resources required to complete the audits.

It is important to be realistic and to assess early on whether it is feasible to achieve the results expected with the available resources. If not, this must be communicated to top management so either the resources can be provided or expectations can be adjusted appropriately.

Making audit arrangements

After the audit program objectives are clear, arrangements must be made for completing the necessary audits. These arrangements should include:

  • Assigning roles and responsibilities, including the designation of an audit program manager.
  • Defining the number, scope, location and duration of the audits to be performed.
  • Determining the audit criteria and methods to be used for each audit, including specifying the use of appropriate audit protocols or checklists, as well as sampling strategies.
  • Establishing procedures for reviewing and reporting on audit results, including addressing confidentiality and data integrity issues.
  • More information on establishing and implementing an audit program can be found in ISO 19011:2011—Guidelines for auditing management systems.
  • Completing the audits needed.
  • The third component of an audit program is actually completing the audits that are needed. Meeting the established audit program objectives will likely require several separate audits. These individual audits are often conducted on a periodic basis based on an annual schedule. One of the key responsibilities of an audit manager is ensuring that the audits are completed.
  • There are several steps that must be taken when performing internal audits, including:
  • Performing audit planning and initial document review, and confirming the arrangements that have been made for that particular audit and the feasibility of the audit (including the availability of critical personnel).
  • Collecting, verifying and assessing the audit evidence needed to determine conformance to the agreed-upon audit criteria.
  • Generating audit findings and preparing audit reports.
  • Communicating audit findings and other related information to top management and others, as specified in the audit program procedures or audit plan.

Increasingly, organizations are using a combination of remote and in-person audit methods to optimize the value obtained from their audit program expenditures. The key to success is selecting the most effective approach for achieving the desired results.

More information on conducting audits can be found in ISO 19011:2011. Be sure to check Annex B, which provides additional guidance for auditors, including information on remote auditing methods and conducting audit sampling.

Thea Dunmire
President, ENLAR Compliance Services
Largo, FL


1. Clause 3.13 of ISO 19011:2011 defines an audit program as "arrangements for a set of one or more audits planned for a specific time frame and directed toward a specific purpose."

To buy or not to buy

Q: Can an organization be certified to ISO 9001 without buying the standard?

A: Theoretically, yes. There is no requirement to buy a copy of ISO 9001:2008 to demonstrate compliance with the requirements of ISO 9001:2008 to an auditor of an Accredited Registrar.

From a practical viewpoint, it would be difficult for an organization to ensure compliance with all requirements of ISO 9001 if it does not have, or have access to, a legitimate copy of the standard.

Further, the ISO 9001 standard is copyrighted by the International Organization for Standardization, which means that copies cannot be legally made without prior written permission, and many organizations have ethical standards that preclude unauthorized use of copyright-protected material.

So, can an organization be certified without buying the standard? Theoretically, yes, but the difficulties and inefficiencies related to getting all the required information, and achieving and demonstrating compliance without violating the ISO copyright or organizational ethics policies would probably outweigh the cost savings resulting from avoiding the purchase of a legitimate copy of the standard.

Charles A. Cianfrani
Principal consultant,
Green Lane Quality
Management Services

Green Lane, PA

Average Rating


Out of 0 Ratings
Rate this article

Add Comments

View comments
Comments FAQ

Featured advertisers