A Guide to Auditing Top Management and the Internal Audit
Organizations must audit the processes associated with top management as part of an effective internal audit program. These processes include those relating to strategic planning, the establishment of policies and objectives, ensuring effective communication and ensuring the availability of resources.
Auditing top management is often seen as a sensitive issue but by considering each top management activity as a normal organizational process, it becomes much easier to focus on determining whether the outputs of their activities are effective.
How to Audit Top Management
By using a formal risk-based approach to internal audit planning, as required by ISO 9001, auditors have a great opportunity to engage top management in the audit process. By making top management part of the planning process and by giving them ownership of the areas to be audited, the internal audit becomes a valuable mechanism for development.
A good starting point is to copy, into the audit checklist, all requirements from the standard that say ‘top management shall’, almost every clause of section 5 starts with ‘top management shall’ and it’s the auditors job to find if top management ‘did’. The audit checklist must cover the requirements from the following sections:
5.1 Management Commitment
5.2 Customer Focus
5.3 Quality Policy
5.4.1 Quality Objectives
5.4.2 Quality Management System Planning
5.5.1 Responsibility and Authority
5.5.2 Management Representative
5.5.3 Internal Communication
5.6 Management Review
During the Internal Audit
When undertaking the internal audit of top management, the auditor should collect and corroborate evidence of top management’s commitment from within the quality management system itself. The auditor should ask how the quality manual addresses management commitment issues and ask how they are accomplished; then, the auditor must find objective evidence that proves it’s actually being done. This method applies to top management as well as the production machinist, and everyone else in the organization for that matter!
If the standard, documented procedures, policies and objectives are audit inputs, then the evidence sampled and the interview statements made by top management auditees are the audit outputs. If the input does not align with the expected output, the auditor simply states this misalignment as a non-conformance whilst providing an audit trail to the supporting evidence.
Auditors should prepare the internal audit report in a manner appropriate for presentation to top management. It might be necessary to present the executive summary of the audit report directly to the top management and other interested parties within the organization. The executive summary must highlight both positive and negative findings and suggest opportunities for improvement.
The ISO 9001 internal audit checklist and gap analysis tool is ideal for organizations that require a quick and affordable approach to developing a reliable framework for their own internal audit process.
Download a free internal audit checklist example courtesy of ISO 9001 Checklist:
Richard Keen ACQI, 18th November 2010