Dejan Kosutic - ISO Internal Audit – A Plain English Guide: A Step-by-Step Handbook for Internal Auditors in Small Businesses

ISO Internal Audit:
A Plain English Guide

Also by Dejan Kosutic:

Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own

9 Steps to Cybersecurity: The Managers Information Security Strategy Manual

Becoming Resilient: The Definitive Guide to ISO 22301 Implementation

ISO 27001 Risk Management in Plain English

ISO 27001 Annex A Controls in Plain English

Preparing for ISO Certification Audit: A Plain English Guide

Managing ISO Documentation: A Plain English Guide

Preparations for the ISO Implementation Project: A Plain English Guide

Dejan Kosutic

ISO Internal Audit:
A Plain English Guide

A Step-by-Step Handbook for
Internal Auditors in Small Business

Advisera Expert Solutions Ltd

Zagreb, Croatia

Copyright 2017 by Dejan Kosutic

All rights reserved. No part of this book may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without written permission from the author, except for the inclusion of brief quotations in a review.

Limit of Liability / Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representation or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. This book does not contain all information available on the subject. This book has not been created to be specific to any individuals or organizations situation or needs. You should consult with a professional where appropriate. The author and publisher shall have no liability or responsibility to any person or entity regarding any loss or damage incurred, or alleged to have been incurred, directly or indirectly, by the information contained in this book.

First published by Advisera Expert Solutions Ltd

Zavizanska 12, 10000 Zagreb

Croatia

European Union

http://advisera.com/

ISBN: 978-953-8155-03-1

First Edition, 2017

Dejan Kosutic is the author of numerous articles, video tutorials, documentation templates, webinars, and courses about ISO 27001, ISO 22301 and other ISO standards. He is the author of the leading ISO 27001 & ISO 22301 Blog, and has helped various organizations including financial institutions, government agencies, and IT companies implement information security management according to these standards. He holds numerous certificates, among them ISO 27001 Lead Auditor and ISO 9001 Lead Auditor.

Click here to see his LinkedIn profile

When we published our internal auditor online courses on Adviseras eTraining website , we soon realized that there is a huge demand for this topic. And, although the students are quite satisfied with the courses, it became obvious that many were in need of some written materials that would take them through the internal audit.

This is why I have written this shorter book, a part of the handbook series, which is focused solely on how to perform the internal audit. I have written this book in such a way so that it is perfectly acceptable for any management system, including ISO 9001, ISO 14001, ISO 27001, ISO 20000, ISO 22000, OHSAS 18001, ISO 13485, and IATF 16949.

This book, ISO Internal Audit: A Plain English Guide, is based mostly on the above-mentioned internal auditor online courses, and has been edited with only a few smaller details. So, if you compare the curriculum from the internal auditor courses, youll see the same sections here, with almost the same text as I mentioned, the text was adapted in a way that it is readable from any ISO standard point of view.

So, why have two learning materials with almost the same text? Because I wanted to provide a quick, written reference for people who are performing the audit, who might not have the time to join the course each time they want to remind themselves of some detail. I would say that both attending the internal auditor course and reading this book will give you a perfect combination of learning through visual media, and referring to textual media for details.

You might also be puzzled by the fact that this book is rather short, whereas there are other books on ISO audits on the market that are much more lengthy and detailed. Is it really possible to explain such a complex subject in a short book like this? Well, there are three answers for this:

First, this book is focused on internal audits only, which are much simpler than certification audits; second, this book is written for internal auditing in smaller companies therefore, I have intentionally simplified the steps so that your auditing can be done rather quickly, and left out most of the elements that would be needed only for larger companies.

Third, and most important, I followed my company mission: We make complex frameworks easy to understand and simple to use. In other words, it is easy to complicate things, but it is difficult to make things easy to understand. So, when you start reading this book youll notice I eliminated all the hard-to-understand talk, all the unnecessary details, and focused on what exactly needs to be done, in a language understandable for beginners with no prior experience in ISO internal audits.

So, rest assured: if you are an auditor in a smaller organization, by using this book you will be able to perform your first internal audit it will take you step by step through the whole process, without stress.

Special thanks to Strahinja Stojanovic, who has done a great job of developing the ISO 9001 and ISO 14001 internal auditor online courses that serve as the basis for this book. Im also grateful to Mark Hammar for his text about gap analysis.

Why is the internal audit so important for management systems, and how can it be useful for the company? What will you find in this book? And, is this book the right choice for you?

Note: This book covers the internal audit process for all ISO management standards ISO 9001, ISO 14001, ISO 27001, ISO 20000, and ISO 13485, but also OHSAS 18001 and IATF 16949 (former ISO/TS 16949) so when I refer to ISO standard or simply standard, by this I mean any of these standards. Also, when I mention management system, I mean the system that is compliant with any of these standards e.g., Quality Management System according to ISO 9001, Information Security Management System according to ISO 27001, etc.

From my experience as a certification auditor, the sad truth is that most organizations perform internal audits just to satisfy the certification body.

Such internal audits usually uncover a few minor nonconformities, which do not get deep into the real problems of the companys management system. And this is very unfortunate because this is a waste of time if companies have invested the time of their internal auditors to perform such jobs, they should gain some benefits out of it.

The point with internal audits is that they should discover problems that would otherwise stay hidden and would therefore harm the business. Lets be realistic it is human to make mistakes, so its impossible to have a system with no errors; it is, however, possible to have a system that improves itself and learns from its mistakes. Internal audits are a crucial part of such a system.