Rosapeak Advisors

Part 3 – Internal audit

For management and board members – 5 min reading

The internal audit is often a hot topic during the regular audit especially in small companies. The meaning of internal audits tends to be underestimated and neglected.

An external auditor can read out important details from an internal audit plan, – report and potential deviation:

– Is the internal auditor really qualified? Does she/he know, what he is supposed to do?- Is the internal auditor independent and could possibly bring up critical points? Does he have support from the management?
– Is the audit plan solid? How is the audit report written? What happened with the deviations?

From a manager’s perspective the internal audit is a chance to check the effectiveness of a company’s processes and compliance with a small investment of time. Like inventory and internal revision, internal audits stand for the “check” in the plan, do, act and check circuit. If an internal audit is effective and complete, the regular audit should not come to another conclusion or result.

It is therefore essential, that the internal audit is done by a qualified and impartial person. By nature, impartiality is rather limited for employees in comparison to an external auditor. Qualified means that she/he has a thorough understanding of all the requirements. Formally this can be learnt in courses, but it also needs experience. The importance of a qualified internal auditor is often underestimated and by consequence the internal audit becomes a rather formal activity. To judge the effectiveness of an internal audit, it is interesting to look, if the internal audit does ever bring up any deviations and how they are dealt with? As with other issues as well, the formal requirements for an internal audit according to ISO 9001 are lower in comparison to ISO 13845.

However, to make an internal audit effective following points should be considered. Audits should be planned in an audit plan covering several years and may be updated. Key points for an audit plan are listed below.

Audit plan

– previous audit results – e.g., critical deviations, complaints, recalls.
– criteria e.g., ISO 13485, client requirements, industry standards etc.
– scope e.g., company site, processes, teams
– interval e.g., every three years for all processes
– methods e.g., document control, on-site interviews

Audit reports are important records and must be transmitted to the management as well. Key elements of an audit reports are listed below.

Audit report

– Auditor, Auditee
– Audit schedule
– Audit scope
– Audit evidence
– Audit deviations, observations
– Auditor qualification

Audit deviations may have several categories. Appropriate corrections and corrective actions should be planned and implemented within due time (ISO 9001 & 13485) to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (ISO 13485).

Both standards require classical improvement activities, but the level of documentation is formally different.

In conclusion, the internal audit is a small-time investment with a significant leverage.


Sign up for our newsletter covering following topics.

Part 4 – management review

Written by Dr. Thomas Hug, November 2023