Internal Audit Checklist

by

An internal audit is a common business activity used to perform several tasks:

  • Evaluate the effectiveness of your business’s quality management system (QMS)
  • Evaluate compliance against a certification standard or set criteria
  • Evaluate how processes are reviewed and maintained
  • Evaluate your business’s performance. 

As such, Internal Audits are an essential facet of your organization’s approach to Quality.  

An Internal Audit Checklist is a tool that is used during the audit to help facilitate the audit and guide the auditor through the assessment, ensuring all criteria are evaluated, and information pertaining to the audit is captured.

In today’s article, we’ll be looking at the Internal Audit Checklist and how it can be utilized to get the best performance from your internal audit process.

We’ll be looking at:

Internal Audit Basics

In numerous organizations, many individuals’ first-hand experience of their business’s quality organization is through the audit process, so what is it, and what is its purpose?

Firstly, there are several types of audits; we have numerous articles on them, so be sure to check out our related content.

Internal auditing has several characteristics:

  • It’s independent (i.e. it doesn’t look to hide things to make the business look good)
  • It evaluates against set criteria.
  • It captures areas of frailty in the management system or non-compliance and areas of risk.
  • Its primary purpose is not to discipline staff but to highlight areas of weakness around processes and management systems.
  • Depending on the size and/or complexity of the business, the audit may be conducted by an individual or team – these may be part of the organization or a 3rd party.
  • Audits are a principal element of the ISO 9001 quality system.
  • They are executed against an audit schedule. 
  • An organization requires a clearly defined system for quality monitoring.

What are the 7 steps of the audit process?

Now we’ve covered the principles of internal audits, let’s take a brief look at the established 7 steps of the audit process. (Note these vary depending on who you read, so these are our suggestions)

STEP 1 – PLAN

An established internal audit schedule provides a clear and defined set of actions over time. Many businesses plan against the ISO 9001 standard and audit against it. While this will produce a result, this method can present something of a scattergun approach. You may find greater benefit in determining your plan based on relevance and risk (i.e. which areas present problems or have a significant impact on your customers).

STEP 2 – AUDIT APPROACH

Auditboard, in their excellent post, presents five approaches to an internal audit that I would suggest you take a peek at when building your own. They briefly discuss “audit fatigue”, which is a real problem when faced with a mountain of work in covering the 9001 standard. Taking this into account when developing your approach will pay dividends.

They all have their benefits, but I very much like Facilitated Self-Assessment: Helping Management Solve Problems finding facilitated self-audit delivering the best results.

STEP 3 – EXPECTATIONS

Perhaps stating the obvious, be sure to set expectations with the business around the audit process. Talk about what will happen before, during and after the audit. What do the results mean, what’s likely to happen with the results and what is the role of leadership in the process?

STEP 4 – RESOURCES

When establishing your audit process, of primary importance is to ensure you have effective resources (both in terms of quantity and capability) to undertake the process. Do not embark on an audit process if you are not equipped to do so.

STEP 5 – CONDUCT THE AUDIT

Carry out the audit in the areas that you have selected using the appropriate tools and methods.

STEP 6 – REPORTING

Report on the results that you found during the audit. Be sure to utilize best practices in a proven format that can be used to communicate the results.

STEP 7 – REMEDIATION

Carry out any actions/remediation work that might be required as a result of actions taken during the audit. Note: I don’t expect the auditor to do this, but they will want to be around the process and to have results demonstrated/evidenced to them in order to close actions down.

What is an internal audit checklist?

So now we’ve described the audit process, you can hopefully see the context of why appropriate tools, such as an internal audit checklist, are so important to aid you in generating the right results.

An internal audit checklist, when designed appropriately, contains everything an auditor requires to conclude an internal audit successfully.

An audit checklist is a document (hardcopy or electronic) generated during audit planning.

It contains a list of the tasks that are required to be undertaken during the audit.

They will typically consist of content/criteria to guide the auditor in what to assess and areas to capture observations taken during the audit.

Why use an Internal Audit Checklist?

Internal audit checklists should be seen as a necessary tool to ensure that the audit has been carried out successfully; they have several benefits.

  • They provide a list of everything to be assessed as part of the audit.
  • They remove ambiguity for the auditor (and ensure things don’t get missed)
  • They provide clear assessment criteria against what is being audited.
  • They provide a clear mechanism to capture compliance status against assessment criteria (and can, in so doing, relate this criteria back to certification requirements).
  • They allow for information to be captured during the audit providing record keeping.
  • They provide a mechanism of providing guidance notes to auditors providing detailed information pertaining to specific audit sections.
  • It prevents areas from being forgotten during the process.

Contents of an Internal Audit Checklist

The audit checklist itself usually contains several elements pertaining to its execution

  • Information around the audit itself (who, what, where and when)
  • Specific audit points (aspects being assessed)
  • An area to capture compliance status
  • An area to capture evidence that was reviewed
  • An area to capture observations (which could include remediation required)
  • They also provide reference back to a standard (e.g. clauses from 9001) that the audit is assessing against.

Example Internal Audit Checklist

Now we’ve established what goes in a checklist, let’s take a look at at an example page from our internal audit checklist?

How to use an Internal Audit Checklist

An audit checklist helps simplify the audit process; the auditor utilizes the checklist to work through the list of areas to be assessed, review, gather evidence and collate observations until the process is complete and the checklist has been completed.  

Where areas cannot be assessed, notes are taken recognizing this fact.

Some auditors prefer to “tidy up” their audit checklist before finalizing it and may use the “field copy” as a draft before writing up notes following the audit.

The checklist is then saved as evidence of audit plan execution. 

How to build an internal Audit Checklist

Firstly, you may not need to build anything at all. If your organization uses auditing software, you may already be able to automatically generate audit checklists containing all the information you need to carry out your audit successfully.

If you don’t have access to these and/or prefer to build your own, you can easily create your own using word or excel. I’d suggest four simple steps to do this.

1/ Create a header for the checklist

You’ll probably want this in your house style (i.e. company logo) and contain information relevant to your organization’s audit process.

2/ Create the body of the checklist

As a minimum, I’d suggest areas to record:

  • Reference number (which could relate to your QMS or the ISO standard or other)
  • Description of what is to be audited
  • Compliance status (indicated by a Yes/No)
  • The evidence reviewed – enables the auditor to record what evidence was reviewed as part of that element of the audit, together with its status.
  • Observations/Information that the auditor believes prudent to record on the checklist

3/ Carry out an audit using the checklist

Using the checklist, carry out a “dummy” audit and capture information about its effectiveness and any areas requiring a tweak.

4/ Incorporate any lessons learned by the auditor in your checklist.

Using information captured from the “dummy” audit, tweak your checklist as required.

I’d also consider a peer review of the finalized form.

Example Internal Audit Checklist 

Using the above ideas, we’ve created a simple checklist that we can then use to support the internal audit process. You can see this example below (Note this only shows the first page by way of an example – your actual checklist’s size will vary!):

We’ve created a slightly different version in this one by introducing a column that captures the specific question being asked while assessing an area during the audit. You can see this example below:

And here’s a final example as we introduce a column to capture the corresponding ISO Clause relating to the area under audit.

Summary

An internal audit checklist is a pretty simple tool that is highly effective at simplifying the audit process, ensuring audits focus on requirements, removing ambiguity and driving results.

They can often be generated from auditing software (but don’t take too much time to create yourself if you have to).

They offer various benefits, perhaps most significantly their simplicity.

Do you conduct internal audits? Perhaps you have some words of wisdom/best practice advice in utilizing checklists as part of the process?

As ever, we’d love to hear from you; you can reach us using the comments section below or via Twitter.