Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland




Internal auditing is an essential topic in Quality Management (QM). The important conceptual and methodological reference for auditing is the ISO 19011 standard. Very often, however, auditing methodology is misunderstood in practice and applied very ineffectively. It is used only for quality assurance or as a reactive tool for finding nonconformities, and is not understood as a key element of proactive QM. Internal auditing is very different from external auditing.

An innovative approach is to audit business processes in a way that reflects the business-like aims of QM and performance excellence. The scoring principles of the performance excellence models may also be applied in auditing. This modern approach is in harmony with the ISO 9000 standards, too.

This methodology is based on lessons learnt through benchmarking best practices in different companies and countries, and on many years of encouraging practical experience in using it.

Comprehensive quality approach established by a company-dedicated QM model

A corporate-wide QM model (performance excellence management infrastructure) consists of activities on four levels of business responsibility:
1. Corporate (cultural and normative issues),
2. Business areas (strategic issues),
3. Processes (operational issues),
4. Individuals and teams (personal and human issues).

Management commitment and actions (plan, do / control, improve and assure) take place on all these levels.

Methodology and tools that are used corporate-wide and are essential from the QM point of view are developed and supported on the corporate level. The auditing procedure and the process management model are very representative examples.

Because the process approach is the most practical and effective basis for comprehensive QM, it is also a very essential aspect from the auditing point of view. This means that the business processes are the objects of auditing, and that audits themselves are carried out and managed according to the company's process practices. Management of business processes consists of:
- Process plan (definition of the process owner, activity flow, and measures and indicators),
- Process control,
- Continual improvement,
- Quality assurance.

Internal auditing is a support process of business management, defined by appropriate procedure documents. The items being audited consist of the company's business processes according to the corporation's process management framework, which includes customer processes, market processes, support processes and management processes.

Internal performance assessment, an essential part of QM

Performance management includes internal assessment of business performance, carried out with the company's own resources, for performance improvement and also for quality assurance. Both strategic and operational assessments are needed. Aiming at performance excellence requires that relevant references to competitors, and to best practices and benchmarks in other organizations, are also taken into account in the assessments.

Strategic assessments cover business units and their businesses as a whole. They are made as self-assessments by the management teams of the units. The Malcolm Baldrige methodology and its criteria, which originated in the American national quality award, form the rational methodology used for that purpose. Audits are empirical internal assessments of the performance of individual business processes. Thus audits are more operational than Malcolm Baldrige assessments. Audits are made by people who are independent of the processes being audited. Self-assessments are made by the responsible business leaders. The two methods support each other well.

Auditing is based on the international standard definition and principles

Internal auditing is a comprehensive task that should be both reactive and proactive by nature. Its purpose is not only to search for nonconformities (nonfulfilment of specified requirements) or defects (nonfulfilment of intended usage requirements or reasonable expectations under the existing circumstances); auditing has a broader, business-related scope. Performance strengths of the business processes should also be noted in internal audits. It is useful to comply with the recognized international definition and principles of auditing. The formal definition of audits has recently been reconsidered in the new standards ISO 9000 and ISO 19011.

According to the above-mentioned standards, an internal audit is understood as a systematic, independent and documented process for obtaining records, statements of fact or other meaningful data relevant to the criteria of business performance enhancement. These criteria are both qualitative and quantitative and relate to policies and to procedures/processes, including their outputs and performance results. Requirements for business management, and thus naturally also for internal audits, consider any need or expectation that is stated, generally implied or obligatory, taking into account all of the company's interested parties (i.e. persons or groups having an interest in the performance or success of the company). Thus the business aspects of effectiveness and efficiency are considered in auditing. Performance excellence issues are particularly necessary in internal audits within a company operating in severely competitive business environments.

In general, and very often, external auditing, e.g. third party auditing for certification or registration, does not comply with the broad range and business views of the above-mentioned standard definition of auditing.

Internal audits are carried out within the different business areas of the company as process audits. They examine whether business processes and related results comply with planned arrangements, and whether these arrangements are implemented effectively and efficiently and are suitable for achieving objectives from the business point of view. Auditing serves improvement of business process performance as well as quality assurance. Auditing is a major means for quality management.

Business processes are more practical objects of auditing than quality (management) systems. In many organizations quality (management) systems are too artificial and vague. In modern quality thinking, quality management must be integrated with business. Thus the real "quality system" is in fact equal to the quality of a management system consisting of a network of interlinked business processes. Therefore a separate concept of a quality (management) system is no longer needed. According to the ISO 9000 standards, too, a quality management system is more a concept or a "mental system" for a systematic approach towards business-integrated quality management than a distinct system.

Figure 1. The auditing process

The internal auditing procedure defined by an auditing process

The internal audits are carried out according to the auditing process (see figure 1). Thus auditing practice is defined and documented through the process documentation of the auditing process and managed according to the company's general process management model. This approach is in line with the ISO 19011 standard.

Detailed principles and practices of internal auditing have been created and developed during recent decades in practical company cases. The auditing process is established through methodology development and the nomination of a process owner. Typically a group of internal auditors has been trained within different business units through internal training courses for auditors on a regular basis.

The general aim is that all the major business processes are audited at least once a year. Individual audits are carried out by about 3 to 5 persons including the lead auditor. Additionally, 3 to 5 persons from the process being audited have been actively involved. Process description and performance documents and records, as well as practical operations and facilities on site, are examined by the auditors. A process audit itself normally takes about one day. Additional time is needed for the auditors' briefing, for preparing the report and for communication with the owner of the process being audited. Facts for the audit report are drafted immediately after the audit by the team of auditors, and a representative from the audited process may attend the drafting meeting as an observer. This makes the report and its basis easier to understand for process improvement.

Auditing covers all the relevant business aspects of a business process

The process examination in an audit addresses six relevant business-related areas (see figure 2):
1. Customer issues (i.e. external and internal customers of the process), customer needs, products (i.e. the outputs of the process), customer relationships, and customer satisfaction results
2. Process entity as a whole, internal process activities/tasks, flow of information and material, process-internal performance and related measures and indicators, measurements, target values and related performance results
3. People issues including responsibilities, knowledge, competences and skills, education and training, learning, participation/involvement, innovation communication, and people satisfaction
4. Tools, methods, information systems including documentation, and work facilities and environments
5. Suppliers, supplier relationship/partnership, and supplier performance measures and indicators and related results
6. Process management, process plan and target setting, control, quality assurance, and improvement

Specialized items such as environmental management issues and corporate/information security issues within the process are also examined within the six examination areas as necessary. In addition to general process audits, specifically directed audits for these specialized areas have been performed, too, using the same general audit methodology.

Figure 2. Examination areas to address in process auditing (C = customer, S = supplier). The numbered items are explained in the text.

A set of detailed questions for all the above-mentioned examination areas has been developed for guidance of practical audits and for training purposes. They are based e.g. on the general process management principles of the recognized QM references, including the ISO 9000 standards. Of course, the company's process management model is also considered as a general reference model when the business processes are being audited. However, the key point is that these general models are always understood and interpreted from the business needs relevant to the process being audited.

Audit report as a basis for performance improvement and quality assurance

The audit report prepared by the auditing team consists of both pure observations (i.e. objective evidence) and proposals or recommendations (i.e. the auditing team members' subjective views on process improvements). Both strengths and weaknesses of process performance are noted in the audit report.

In addition to textual information, the audit report also includes a quantitative scoring of the overall performance of the process. The scoring (see figure 3) is based on principles tailored from the Malcolm Baldrige scoring rules and tables, taking into account the approach/deployment and results of the process.

Figure 3. Reporting performance scoring based on the audit observations

Auditing process is also being continually improved

The auditing process is also regularly evaluated and improved. Auditing is assessed in a broader business context as a support process through Malcolm Baldrige assessments. The auditing process itself should be audited, too. The process owner is responsible for the improvements.

Through benchmarking, a lot of good ideas relating to auditing have been learnt from different companies and professional experts. All these should influence the further development of the auditing process/procedure.


Internal auditing, when used effectively and efficiently, is a proactive management means for QM:
- It is an activity within the company-dedicated QM model.
- It is an assessment tool for performance of business processes supporting consistently both quality management and quality assurance.
- It is managed through the normal business process management practices.
- Audit reports include both qualitative (textual) and quantitative (scoring) information.
- Auditing procedures are continually evaluated and improved.

Internal auditing is an excellent tool for creating systematic and also critical company-wide thinking for business performance improvement. It also positively influences cross-organizational learning within the corporation. Thus auditing enhances the company's business-integrated QM culture.


1. Anttila, J. (1999). "Systematic integration of quality into management: Practical experiences from Sonera Ltd and generalized conclusions" Quality for business transformation, New Delhi: Institute of Directors
2. Anttila, J. (2000). "Using ISO 9000 standards for innovative learning" The best on quality, Vol. 11, Milwaukee: ASQ Quality Press
3. Anttila, J. and Vakkuri, J. (2000). Good Better Best. Helsinki: Sonera Corporation.
4. ISO 9000. Quality management systems - Fundamentals and vocabulary.
5. ISO 19011. Guidelines on quality and environmental management systems auditing.
6. National Institute for Standards and Technology. Malcolm Baldrige National Quality Award, Award Criteria. Washington: National Institute for Standards and Technology

[This material has been presented in different forms in different international seminars or conferences, e.g. at EOQ Annual Congress in Trondheim 1997]