The primary purpose of the Internal Audit Checklist is to keep you, the auditor, focused on the task at hand. The checklist is supposed to serve as a memory jogger.
Auditors create a list of questions to be asked, documents to view, process flows to follow and so forth. All of this pre-audit activity is considered to be the function of the internal audit plan.
Looking for a public auditor class?
View our Internal Quality Auditor Public Class Schedule
Internal audit checklists are meant to be created by and for the auditor. The checklist is not supposed to be the entire audit. Here's why… the auditor will uncover many documents, records and other facts during the course of the audit activity. These documents should lead to additional questions, support processes, and additional evidence. Auditors cannot predict the evidence that will be presented, and therefore cannot anticipate the follow-up questions that will need to be asked. Hence, the checklist is created, the device to bring you back to the necessary questions after you've exhausted the follow-up questions.
So, let's begin planning… obtain copies of previous audits for the process to be audited and review the audits for any findings issued. Make a note of any findings and add the note to your checklist. The auditor should collect evidence that the issues from previous audits have actually been resolved. Review any corrective action requests pertaining to the process as this is a likely target for deeper questioning and fact finding. Add these questions to your internal audit checklist as well.
Determine the documents that apply to the process and make a list of these documents. What, if any, procedures, work instructions, process aids, and records are part of the process? If your company is using turtle diagrams, all of this information has been determined for you already (see our process model page). Verify the revision status of the documents prior to conducting the audit. During the course of your audit, you can easily check off each document you've reviewed and verify that the correct revision of the document was available at the location where it would be used. Both are ISO 9001 requirements- correct revision being used and available at point of use.
Imagine you've been asked to audit the purchasing process of your company. You'd locate the previous audit records to review. You'd locate any corrective actions issued against the purchasing process. You'd also determine what procedures, work instructions, flow diagrams, etc. apply to this process. Determine the support processes and how these processes interact with the process to be audited. Support processes may include Training, Control of Documents and Records, and Resource Management. Then you'd begin to formulate the high level questions to ask.
One last concept before you begin to create your internal audit checklist- which clauses of the standard apply to this process? Having a process/clause matrix helps you determine the clauses you must cover to have a complete process audit. An example is shown below.
Because purchasing is a process, it must have inputs to begin the process. What are these inputs? What triggers the purchasing process (how does purchasing know to begin the process)? Who is authorized to perform the purchasing process? What are the competency requirements for these people? What are the outputs of the process and where do they go when the process is completed? Does the process meet its goals or objectives? These are all very good questions for the checklist, but they are just beginning questions. Auditors usually have follow-up questions to the responses they received from the checklist questions.
Verify that you've developed enough high level questions to relate to all the clauses that you must cover for the audit to be considered thorough. Compare the process/clause matrix to your internal audit checklist to ensure the best audit possible.