
The Internal Auditing Pocket Guide

Also available from ASQ Quality Press:

The Process Auditing Techniques Guide
J.P. Russell

Continual Improvement Assessment Guide: Promoting and Sustaining Business Results
J.P. Russell

ISO 9004 Assessment Criteria Checklist for Performance Improvement
J.P. Russell

ISO Lesson Guide 2000: Pocket Guide to Q9001:2000, Second Edition
Dennis R. Arter and J.P. Russell

The ASQ Auditing Handbook, Third Edition
J.P. Russell, editing director

Quality Audits for Improved Performance, Third Edition
Dennis R. Arter

ANSI/ISO/ASQ QE19011S-2004: Guidelines for quality and/or environmental management systems auditing--U.S. Version with supplemental guidance added
ANSI/ISO/ASQ

The Process Approach Audit Checklist for Manufacturing
Karen Welch

ASQ Foundations in Quality Self-Directed Learning Series: Certified Quality Auditor (CD)
ASQ and Holmes Corporation

Process Driven Comprehensive Auditing: A New Way to Conduct ISO 9001:2000 Internal Audits
Paul C. Palmes

The Certified Manager of Quality/Organizational Excellence Handbook, Third Edition
Russell T. Westcott, editor

To request a complimentary catalog of ASQ Quality Press publications, call 800-248-1946, or visit our Web site at http://qualitypress.asq.org.

The Internal Auditing Pocket Guide
Preparing, Performing, Reporting, and Follow-Up
Second Edition

J.P. Russell

ASQ Quality Press
Milwaukee, Wisconsin

American Society for Quality, Quality Press, Milwaukee 53203


© 2007 by J.P. Russell
All rights reserved. Published 2007
Printed in the United States of America
13 12 11 10 09 08 07
5 4 3 2 1
Library of Congress Cataloging-in-Publication Data
Russell, J. P. (James P.), 1945-
The internal auditing pocket guide : preparing, performing, reporting, and follow-up / J.P. Russell.--2nd ed.
p. cm.
Includes bibliographical references and index.
ISBN 978-0-87389-710-5 (soft cover : alk. paper)
1. Auditing, Internal. I. Title.
HF5668.25.R877 2007
657'.458--dc22 2007004699

ISBN: 978-0-87389-710-5
No part of this book may be reproduced in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without the prior written
permission of the publisher.
Publisher: William A. Tony
Acquisitions Editor: Matt T. Meinholz
Project Editor: Paul O'Mara
Production Administrator: Randall Benson
ASQ Mission: The American Society for Quality advances individual,
organizational, and community excellence worldwide through learning, quality
improvement, and knowledge exchange.
Attention Bookstores, Wholesalers, Schools, and Corporations: ASQ Quality
Press books, videotapes, audiotapes, and software are available at quantity
discounts with bulk purchases for business, educational, or instructional use.
For information, please contact ASQ Quality Press at 800-248-1946, or write to
ASQ Quality Press, P.O. Box 3005, Milwaukee, WI 53201-3005.
To place orders or to request a free copy of the ASQ Quality Press Publications
Catalog, including ASQ membership information, call 800-248-1946. Visit our
Web site at www.asq.org or http://qualitypress.asq.org.
Printed on acid-free paper

Table of Contents

Chapter 1 Welcome to Auditing
Chapter 2 Getting the Assignment
Chapter 3 Audit Process Inputs (Purpose and Scope)
Chapter 4 Preparing for the Audit
Chapter 5 Identifying Requirements and Planning
Chapter 6 Desk Audit and Audit Strategies
Chapter 7 Beginning the Audit
Chapter 8 Data Collection
Chapter 9 Techniques to Improve Effectiveness and Address Vague Requirements
Chapter 10 Analyzing the Results
Chapter 11 Reporting
Chapter 12 Audit Follow-Up, Corrective Action, and Closure
Appendix A Example Audit Plan
Appendix B Example Work Order
Appendix C Example Meeting Agenda and Record
Appendix D Example Interview Schedule
Appendix E Example Checklist Page
Appendix F Audit Time Considerations
Appendix G Example Notification Letter
Appendix H Popular Performance Standards
Appendix I Example Audit Nonconformities
Appendix J Auditor Code of Conduct
Appendix K Example Corrective/Preventive Action Request
Appendix L Corrective Action Checklist
Appendix M 20 Basic Audit Principles
Glossary
References

Chapter 1

Welcome to Auditing

The Internal Auditing Pocket Guide prepares those new to auditing to conduct internal audits against quality, environmental, safety, and other specified criteria. You may be learning the basic auditing conventions to qualify as an internal auditor or for self-improvement. In either case, both you and your organization will benefit from your new skills. Your organization will benefit because you will be a more effective auditor, and you will benefit because you will gain knowledge and learn new skills. Not only will you be learning new skills in auditing, you can also use these skills in other job responsibilities, be able to link requirements to your job, and improve your everyday communication skills by practicing interviewing techniques. After you learn the basics of internal auditing, you may seek more advanced study to qualify as an ASQ Certified Quality Auditor (CQA). The scope of work for an internal auditor assignment can vary from simple verification of compliance to identification of performance-improvement opportunities. Your organization has objectives that the internal audit program can help achieve.
An audit is some type of formal independent
examination of products, services, work processes,
departments, or organizations. Conducting an
audit is a process, work practice, or service. Some
organizations prefer the word evaluation, survey,
review, or assessment instead of the word audit.
I will use the word audit when I reference the
process because it is universally accepted and, to
experts, it means a certain type of investigation
or examination as described in this guidebook.
The audit process steps (Figure 1.1) are to:
• Identify plans (what people are supposed to do)
• Make observations (what people are actually doing)
• Evaluate the facts collected (sort the evidence)
• Report the results (conformance or noncompliance)
• Follow up (ensure that problems are corrected)

[Figure 1.1 The audit process: identify plans, make observations, evaluate, report results, follow up. © 2006 J.P. Russell.]

No matter what name is used for the audit process, auditors are entrusted with confidential information. Auditors must be ethical in their dealings with the organizations they audit as well as with the general public. People have various feelings about auditors that may include fear as well as respect, but there is also a sense that auditors hold a public trust of honesty and conduct their affairs in an ethical manner. When this public trust is broken (for example, in the Arthur Andersen–Enron case) the public is outraged. At the time of the Enron incident, Arthur Andersen was one of the top five accounting firms in the United States and now, because of the misconduct of a few auditors, they are out of business.
From time to time throughout this guide I will highlight one of the 20 Basic Audit Principles to emphasize its importance. All 20 audit principles are listed in Appendix M. The first audit principle concerns the public trust.

Audit Principle
Use knowledge and skills for the
advancement of public welfare.

TERMINOLOGY
This chapter is about the terminology of auditing to help you communicate effectively. Your
organization may have its own names for things
that are different from standard audit terms or
even different from the dictionary. If the terminology in the text starts to get confusing, consider starting your own cross-reference showing
the word you are familiar with compared to the
more generic terminology. You can start with
the examples shown in Table 1.1.

CONTROLS TO EXAMINE
An audit is a process of investigating and examining evidence to determine whether agreed-upon requirements are being met. An effective audit depends on how information is gathered, analyzed, and reported. The results may verify conformance or indicate noncompliance with rules, standards, or regulations. A quality audit is linked to quality requirements, environmental audits to environmental requirements, financial audits to financial statements, and safety audits to safety rules and regulations. One of the things that makes an audit different from an inspection is that individuals performing an audit must be able to do so impartially and objectively. This means that the person performing the audit must be independent of or have no vested interest in the area being audited. The level of independence necessary to ensure impartiality and objectivity will vary by industry, type of organization, risks involved, and organizational culture.

Table 1.1 Example terminology cross-reference table.

No.  Universal terminology      Your organization's term
1    Audit                      Assessment, evaluation
2    Survey                     Review
3    Audit program department   Regulatory compliance department
4    Employee                   Associate
5    Customer                   Client, patient, member, passengers, students
6    Client                     Program manager, quality/safety/environmental manager
7    Audit program manager      Compliance director

INTERNAL AND EXTERNAL AUDITS


All audits are either internal audits or external audits. Figure 1.2 shows how audits are classified as first (internal), second (external), and third (external) party.
Think of your organization as the circle in the figure. Internal or first-party audits are conducted inside the circle. You must go outside the circle to conduct external or second-party audits (audit your suppliers).
On the right-hand side of the figure is an area designated for third-party audits. Third-party audits are independent of the customer–supplier relationship. Third-party audits may result in certification, license, or approval of a product, process, or system by an independent organization. Your organization may have its quality system or environmental system registered by a third-party registrar or licensed by a government oversight agency. One of the reasons internal audits are conducted is to help prepare organizations for audits conducted by external audit organizations (for example, customers, registrars, government agencies).

[Figure 1.2 Audit classifications. Internal: first-party (audit your own organization). External: second-party (customer audits your organization; you audit your supplier) and third-party (independent audit organization).]


AUDIT TYPES
Audits are also classified by area (process, system) or object (product, service) of the audit. You may be assigned to conduct a system, process, or product audit. Different audits may require different methods, personnel, or equipment.
The product audit (or service audit), the smallest circle in Figure 1.3, determines if tangible characteristics and attributes of a thing are being met. Typically, an auditor checks the object or service to ensure that it has the proper markings, weight, size, viscosity, smoothness, amount, hardness, color, texture, placement, arrangement, count, and so on. The auditor checks the object or service against a predetermined set of characteristics or attributes. A product audit is just like an inspection except there must be some level of independence and the results of the audit are not used to approve release of a product or delivery of a service.

[Figure 1.3 Different types of audits: circles labeled System audit, Process audit, and Product audit (the smallest).]

A process audit determines whether process
requirements are being met. During a process
audit, the auditor will examine an activity or
sequence of activities to verify that inputs,
actions, and outputs are in accordance with an
established procedure, plan, or method. Outputs
can be compared to objectives to determine effectiveness and efficiency. A process audit may
examine a particular task such as stamping,
welding, serving, sterilizing, filing, cleaning,
transacting, mixing, or sets of processes within
processes such as manufacturing, delivering,
purchasing, or designing. The activity examined
during a process audit normally is described with
a verb, indicating that an action is taking place.
A process audit normally follows a process from
beginning to end or end to beginning.
A system audit determines whether system requirements (manual, policy, standards, regulations) are being met. When processes are interrelated and interacting, you have a system. A system is made up of processes organized to achieve an objective such as quality, safety, or income. During a system audit you may examine the operation of a department, company, division, or program. Auditors may conduct a product or process audit as part of a system audit. Typically, an auditor will audit an organization against clauses of a quality, safety, or environmental management system standard.
It may help you to think of this type of audit
classification as zooming in or out of a picture.
For example, in the picture of the racers below:
A product audit would be checking the helmet or helmets for such attributes as size, color, hardness, markings, identification, webbing, chin strap adjustment, and so on, against requirements (specifications). You may decide to check the team helmets, check all the helmets at the skating rink, or visit the manufacturer and sample a number of helmets. You can do the same thing for a service such as inspecting for the proper arrangement of a cleaned room, cleanliness of a rental car, proper storage of gear before a flight, and so on.
A process audit may be evaluating the
methods used for skating during a race or methods for skating in a sharp turn. You may ask
about training, techniques to be employed, type
of equipment required, measures for determining a successful turn, adjustments for ice conditions, and equipment prep and maintenance.
A system audit may be evaluating the management of the skating team or management of
the skating arena. You may be interested in how
events are scheduled, communication with team
members, how changes are implemented, preventive maintenance programs, operating the box
office, maintaining and operating the zamboni,
how customer needs are determined, and so on.
Most internal audits are either process or system
audits. Many organizations divide up their system into little pieces or elements and assign each
of their internal auditors to one. Other organizations may divide up the system into big chunks
and assign teams of auditors to evaluate them.


KEEN OBSERVATIONS
Regardless of the type of audit, an auditor must
be good at observing and reporting factual
information.
The person conducting the audit is the auditor. Other equivalent descriptive words are evaluator, assessor, examiner, reviewer, and so on.
The organization being audited is called the
auditee. Any type of organization can be an auditee (your department, a corporation, government
agency, nonprofit organization, retail sales store,
manufacturer, and so on). The person or organization who requested the audit is the client.
Audits are only conducted when someone or some
group requests one. You might think of the client as the person who has authority to assign you
to do an audit. This person is one of the customers of the audit service, to whom you are accountable. This person (the client) normally is your
boss, the audit program manager, or the quality/
environmental/safety manager.
In the next several chapters we will take you from
getting the audit assignment and reporting findings to ending the audit by completing follow-up
actions.
