Referring to ISO 19011 criteria, is it conforming if internal auditors who are the head of their division audit the other divisions, even if the head of all of the divisions is the same person?
We recently had a great question via email from one of our students in Malaysia.
Their question was:
Referring to ISO 19011 criteria, is it conforming if internal auditors who are the head of their division audit the other divisions, even if the head of all of the divisions is the same person?
Thankfully the student provided an example!
For example, an organization has a department named QEHS, which consists of a:
- QEHS Manager
- QA Executive
- EHS Executive
They are planning to perform internal audits for ISO 9001, ISO 14001 and ISO 45001 together and against each other. The EHS Executive will perform an internal audit on the Quality division against ISO 9001; the QA Executive will perform internal audits on the EHS division against ISO 14001 and ISO 45001. Both of them then reporting the audit results to the QEHS Manager.
Our response was:
Thank you for your question and your example to help us put it into context.
ISO 19011 does include the principle of Independence when conducting audits. It states that auditors should be independent of the activity being audited wherever practicable and should in all cases act in a manner that is free from bias and conflict of interest. For internal audits, auditors should be independent from the function being audited if practicable.
Auditors should maintain objectivity throughout the audit process to ensure that the audit findings and conclusions are based only on the audit evidence. For small organizations, it may not be possible for internal auditors to be fully independent of the activity being audited, but every effort should be made to remove bias and encourage objectivity.
So, taking this into consideration for your organisation with the EHS Executive conducting audits against the Quality Division under the QA Executive and the QA Executive conducting audits against ISO 14001 and ISO 45001 under the EHS Division – this is certainly demonstrating considered effort to remain fully independent of the activity.
If I was your certification auditor, I would certainly come to the conclusion that this was satisfactory. I always say that as long as you are not generating the records or evidence within the scope of the audit being conducted then you are independent.
Well done on coming to this solution and thank you again for coming to us to ask this question. It is always a pleasure to help.
As you can see ISO 19011 does recognize that in smaller organizations that it may not be possible for complete independence, so if this is the case it is important to demonstrate objectivity in the results of the internal audits.
Another story:
When we got to the internal audit stage of the system, I was able to conduct the internal audits remotely (to a degree) with the owner, while demonstrating to him the process to follow. After much discussion we decided that we would write in the Quality Manual (yep, in the day when it was a requirement to have one) that due to the location and the logistics of the business, the owner would be conducting the Internal Audits. We stated that the owner would conduct the audits taking into consideration objectivity and the awareness of the outcome being for improvement.
Prior to the Certification Audit, we ensured that the Owner had conducted several Internal Audits without my assistance. This would then demonstrate the objectivity of the internal audits – this objectivity was able to be demonstrated by the owner actually identifying areas of nonconformance and improvement. The audits that he conducted were not just a quick ‘tick and flick’ and ‘everything is alright mate’ attitude. They were clear in the objectives, scope and criteria, as well as the evidence sampled and of course the outcome of the audits demonstrated clear findings for action.
I was still nervous on the day of the Certification Audit though as I wasn’t sure if the auditor would agree with our approach. I waited patiently all day thousands of miles away from my client and it was an excited phone call I received confirming that the company had been granted certification!
The key ‘takeaway’ here then is, to ensure that your internal audits do DEMONSTRATE independence and objectivity. The OUTPUT and FINDINGS will be the key areas that should demonstrate this.