Is there a required number of internal auditors a company must have?
No. A company does not have to have any Internal Auditors on staff. However, in order to conduct a full management system audit, a minimum of 2 auditors must be involved. The internal auditors could be staff members or contracted. The reason you must have at least 2 internal auditors is that all management system standards prescribe that auditors must be independent and thus may not audit their own work. Therefore, even a contracted auditor could not audit the internal audit process because it would be his/her own work. An organization should have a sufficient number of competent internal auditors to do full meaningful internal audits at appropriate intervals without compromising the completion of other organizational responsibilities.
What are the audit requirements for each standard to gain or maintain certification?
Certificates are issued for three year periods. At the initial certification audit, auditors must verify fulfilment of each and every requirement of the standard. During the three year period, surveillance or maintenance audits are arranged between the Certification Body / Registrar and the certified organization. At each visit, typically every six months (or once yearly for a small organization), the third party auditors verify the fulfilment of the core requirements of the standard (Management Review / Internal Audit / Corrective and Preventive Action / Objectives, Targets & Programs / Continual Improvement) and a significant minority of the balance of the requirements (Purchasing / Document Control / Training etc.). During the three year period, the entire system must be thoroughly audited. By the third anniversary date of the certification, a re-certification audit is conducted and a new certificate issued. The re-certification audit is not as comprehensive as the initial audit was and focuses on areas that are important, have had less attention or have produced more issues during the previous three year period. Typically, about 75-85 % of the requirements are audited at a re-certification audit. At any audit, nonconformities can be identified and corrective action requests raised by the auditors. These corrective actions must be addressed by the organization based on their classification either as minor nonconformities of major nonconformities. Major nonconformities must be addressed quickly and fully in order to receive or maintain certification.
What is required to designate a staff member as an internal auditor and what role do they play throughout the process?
Internal Auditors must be trained and/or developed to a level of verifiable competence (determined by the organization) to conduct internal audits of the management system. It is our recommendation that a cross-section of personnel be selected to act in the additional role of internal auditor (office/operations/sales/IT etc.). This is to ensure that technical competence from various parts of the organization are represented thus allowing for a more in-depth and value-added audit process. ISO 19011 – Guidelines for auditing management systems is a key document to select, evaluate and qualify internal auditors.