Saturday 25 July 2015

Internally or Externally Internal Audit?

Management systems (e.g. ISO 9001, ISO 14001, ISO/IEC 17025, ISO/IEC 15189, OHSAS 18001, ISO 22000, ISO/IEC 27001 and ISO 30301) were built on a process-based approach that assimilates the commonly known PDCA/PDSA cycle, made popular by Dr W. Edwards Deming. The cycle describes that the good practice of managing any activity starts with planning (P for Plan) how to carry out the activity in order to achieve customer satisfaction. Usually the targets (objectives) of the activity are set to reflect the key perceptions of the customer that should satisfy the customer's expectations. Subsequently, the plan is executed (D for Do), then it is evaluated (C for Check or S for Study) to determine whether the execution was effective in achieving the planned objective. Action (A for Act) is then taken to improve the activity based on the evaluation findings to meet the original objective. Occasionally, the A will trigger a revised P for the next cycle of the activity. Hence the PDCA cycle continues as long as there is an activity to satisfy the person who requested the activity, i.e. the customer.

One of the instruments of checking (C) or studying (S) is the Internal Audit, also known as a "first party audit". The word "internal" reflects that it is initiated within the organization, especially by the owner of the activity. Since self-checking by the person who conducted the activity is inadequate to build confidence, often another person who is very familiar with the organization's implemented systems and the P (e.g. the procedure, time, objective) of the activity is engaged as a second pair of eyes (aka Internal Auditor) to evaluate the executed activity. In the event that the activity did not adhere to the organization's system or the predetermined P, the internal auditor would suggest doable actions (A) to correct and improve the activity while taking into consideration the organization's resources, priorities and limitations, which were the factors that influenced the initial P and D of the activity.
 
For various reasons, there is an option to engage a person from outside the organization to perform the role of Internal Auditor on a part-time basis, whereby the person is only present at the organization during the audit sessions and is often unaware of the organization's operational resources and progress. I call this Externally Internal Audit. In general, it is allowable, but it may have serious disadvantages for the overall management system of the organization. Listed here are some of the issues that I've seen while performing 3rd party auditing:
  • The organization's human resource loses the opportunity for job enrichment via internal auditing because they don't experience the whole range of activities within the management system in realizing the product.
  • The organization's human resource lacks appreciation of the importance of their activity to the entire management system because they can't see the impact on other activities throughout the organization.
  • The organization's human resource lacks understanding of the mechanics of organizational continuous improvement in relation to preventive actions because they implement PDCA in isolation within their own activity.
  • The organization's human resource, i.e. the auditee, sees the internal auditor as the "problem maker - fault finder", not as the "problem solver", because the person is not considered part of the "family", thus creating stressful and non-constructive internal auditing sessions.
  • The internal auditor often performs the audit (C or S) in a manner similar to the "3rd party audit", whereby only non-compliance is highlighted without advising on actions (A) to be taken to resolve it.
  • The internal auditor often recommends actions (A) without considering the organization's resources, priorities and limitations; consequently the organization incurs expenses to remedy a non-compliance.
  • The internal auditor tends to dictate/force the auditee to execute the activity (D) in accordance with his/her organization's practice, even though the existing D meets the P, causing non-essential purchases of resources.
While maintaining the principles of auditing (integrity, fair, professional care, confidentiality, independence & evidence-based) as described in ISO 19011, whoever is appointed as the internal auditor (internally or externally) shall make themselves perceived as part of the family of the organization, "one for all, all for one", in the sole mission of improving the management system of the organization.