The first-party audit, or internal audit, is a fundamental tool that companies can (and must) adopt to evaluate whether their Quality Management System (QMS) is effective and efficient, compliant with applicable requirements, effectively implemented, operated, and maintained, and whether its constituent elements (Quality Manual, procedures, records, etc.) are known and correctly used by all personnel.
The ISO 13485 standard establishes that the organization must conduct internal audits at planned intervals: it is good practice to verify all business processes at least once a year, taking into account the status and importance of the processes and areas being audited, as well as the results of previous internal audits.
The entire internal audit process can be conducted through interviews with personnel and review of the documentary evidence made available, and it is divided into:
- Opening meeting
- Field audit conduct and evidence collection
- Drafting of the audit report
- Closing meeting
For the operational management of internal audits, the ISO 19011 guidelines for auditing management systems can be considered.
Preparation for the Audit
The audit team leader is responsible for drafting an audit plan, which should be delivered to the process owners a few days before the audit. This plan should include at least the purpose, scope, and criteria of the audit, dates, locations, and times planned for the assessment of each process, as well as the definition of roles and responsibilities of the audit team members.
The audit team may also prepare checklists to be used as support for evidence collection.
Opening Meeting
The audit team holds an initial meeting to:
- Confirm the audit plan
- Provide a brief summary of how the audit activities will be carried out
- Confirm communication channels
- Introduce the audit team and their respective roles
- Address questions and resolve uncertainties of those being audited
The opening meeting should be conducted in the presence of management (or a representative) and the process owners being audited.
Field Conduct and Evidence Collection
During the audit, auditors must periodically communicate the progress of the audit and any issues identified, immediately reporting any objective evidence that indicates an immediate and significant risk. All information collected must be verified; only verifiable information can be considered audit evidence and therefore recorded.
Evidence can be collected through appropriate sampling and via:
- Direct observation of activities
- Interviews with personnel
- Examination of the documentation in use related to the audit aspects and evaluation of the level of compliance with requirements
Drafting the Audit Report
At the end of the audit activities, the audit team meets to document what was found and transcribe the results in the audit report (see "The Audit Report: An Effective and Compliant Structure"). The audit report should at least include:
- Objectives, scope, and criteria of the audit
- Dates and sites where the audit was conducted
- Audit team
- Reference to the audit plan and any checklists used
- Personnel interviewed and their roles within the organization
- Collected evidence
- Audit findings, obtained through comparison between collected evidence and audit criteria, which can be classified as observations, minor non-conformities, and major non-conformities
- Conclusions
Closing Meeting
Once the report is drafted, the audit team conducts a closing meeting to present the findings and conclusions of the audit, aiming to resolve any doubts and agree—if non-conformities were identified—on the timeframe for presenting the improvement plan.
The same functions involved in the opening meeting should participate in the closing meeting.
Follow-Up Activities
The management of non-conformities resulting from the audit should be entrusted to the process owners in question, to identify the most suitable improvement actions to address the identified deviations.
The completion and effectiveness of the improvement actions should be verified in the subsequent audit, unless particularly critical findings require an early verification.
Auditor Requirements
The organization must define the qualifications required of auditors for conducting internal audits.
The selection of auditors and the conduct of internal audits must also ensure the objectivity and impartiality of the audit process; in particular, members of the audit team should be chosen considering the concept of independence from direct responsibility for the activities being audited: an auditor should never audit a process managed under their direct responsibility.
Recording of Activities
The organization must establish adequate procedures for managing internal audits.
All records of internal audits (audit plan and report, any checklists, auditor qualifications and certifications, etc.) must be maintained in a controlled format and retained for a predetermined period.