Internal Audit ISO/IEC 17025:2017


What are internal audits good for?

The principal aim of conducting internal audits is to periodically verify that the internal operations continue to comply with the requirements of the management system, and the requirements of the standard.

Results of these audits – in particular deviations identified – offer valuable information for improving the organisation’s management system as well as the laboratory activities and should be used for management reviews.

Note: The relevant competence standards for laboratories and inspection bodies require internal audits to be conducted regularly.

Audit programme and auditors

First, an internal audit programme shall be established (frequency, methods, responsibilities, planning requirements and reporting). The programme shall take into consideration the importance of the laboratory activities concerned, changes affecting the laboratory, and the results of previous audits, and might be based on the fiscal year. The different internal audits could be distributed over the entire year and should cover all elements of the management system.

The quality manager is in general responsible for ensuring that the audits are carried out in accordance with the established programme. Depending on the size and complexity of an organisation the different audits may be carried out by the quality manager or any other qualified person as lead auditor, alone or assisted by an audit team.

The auditors should have sufficient technical knowledge but should – wherever resources allow – not audit their own activities. If this is impossible, the management should take care that the activities of the auditors are also assessed and should nominate respective persons. Auditors performing such audits should be trained for this task.

External audits (e.g. audits carried out by accreditation bodies) cannot substitute for internal audits.

Planning of internal audits
Based on the audit programme, the time schedule, the location and the audit scope of an internal audit are fixed. In preparation for an audit, the auditor should access all relevant documents, manuals, previous audit reports and records of the department to be audited to check whether they conform to the requirements of the management system and to establish a list of key issues. In addition, the following documents are basic ones or are helpful:

- Standards, such as ISO/IEC 17025 or ISO/IEC 17020 and ISO 19011

- Forms for reporting audit observations, e.g. forms that allow the type of nonconformity to be entered, or forms for requesting corrective actions.

Implementation of on-site audit activities

In the opening meeting, the audit team should be introduced, the audit criteria be confirmed, the audit scope be reviewed, the audit procedure be explained and the timetable be confirmed.

The on-site audit activities include asking questions, observing activities, examining facilities, and examining records. The auditor checks the conformity of the records with the management system. For this purpose, he uses the quality management system documents (quality manual, system procedures, test equipment files, operating instructions etc.) and examines how they are actually implemented. Information should be collected as efficiently as possible, without prejudice and without making the auditees insecure.

After all activities have been audited, the auditor (if necessary together with the audit team) reviews carefully which of their findings should be included in their report as nonconformities and which should be included as recommendations or be highlighted as particularly positive aspects.

If serious nonconformities have been established, the management of the audited department, which carries the responsibility for implementing the agreed corrections and decides on measures to be taken, must be informed.

In a closing meeting with those responsible for the audited department, the lead auditor should present the audit findings and the conclusions. Nonconformities must be recorded, and a timetable for corrective actions to be completed should be agreed.

Whenever a nonconformity is discovered that may jeopardise the result of any laboratory activity, the corresponding action should be discontinued until the appropriate corrective action has been taken and proved to be successful. If the validity of already issued certificates, calibration and/or test reports may be affected by this nonconformity, the findings must be examined accordingly and the customer be informed, if necessary.

Follow-up corrective action and close-out

The lead auditor presents a clear and unambiguous report of the nonconformities based on objective audit findings. Recommendations for improvement are marked as such and are also documented. The quality manager makes sure that all staff members involved in the audited functions receive an audit report.

The head of the audited department is responsible for defining, implementing and scheduling the corrective actions. If provided for in the quality management system, the auditor may check the implementation of the corrective actions after an agreed period of time.

All audit records shall be kept for a certain period of time. The trends observed in the internal audits are followed by the quality manager and the result of the internal audit shall be considered in the next management review.

[1] EN ISO/IEC 17025:2017 General requirements for the competence of testing and calibration laboratories
[2] EN ISO/IEC 17020:2012 Requirements for the operation of various types of bodies performing inspection
[3] EN ISO 19011:2011 Guidelines for auditing management systems
[4] EN ISO 15189:2012 Medical laboratories -- Requirements for quality and competence


There are requirements to perform internal audits in almost all quality management standards e.g. ISO 9001 [1], ISO/IEC 17020 [2] and ISO/IEC 17025 [3]. But the requirements on the auditors are rather limited in all these standards. In this Cook Book the role of the internal auditor is discussed. In ISO 19011 [4] internal audits as well as requirements on internal auditors are described in more detail.

Mandate of the auditor
Internal audits shall be planned activities. It is important that audits be ordered by the top management of the laboratory. The internal auditor should have a clear mandate and the whole process of the internal audits, including handling of non-compliances and the mandate of the internal auditor, should be clear to all involved parties. Mandate for the auditors, handling of non-compliances and other important issues concerning the internal audits should be described in a document in the quality management system.

One of the main differences between internal and external audits is the possibility for the internal auditor to be much more helpful in the laboratory’s work with continuous improvements compared to an external auditor whose influence is much more restricted. And that opportunity must be taken by the internal auditor to make the internal audits as valuable as possible for the organisation.

The independence of the auditor
In the normal case, an internal auditor from another department is chosen to assure the independence of the auditor. But if the laboratory has few employees, the requirement for independence of the auditor may be a problem. It is allowed to use an internal auditor belonging to the department when the laboratory is small, e.g. fewer than 10 employees. It is however important that an auditor shall not audit her/his own work.

When internal auditors who are not members of the organisation are used, the question of independence is no longer relevant. For small laboratories, a combination of internal auditors belonging to the organisation and internal auditors not belonging to the organisation (consultants) may be a good solution, e.g. using a consultant for at least one of the internal audits during an accreditation cycle.

Confidence in the auditor
Even though the auditor is acting upon a mandate from the top management of the laboratory, the auditor should, if possible, try to avoid identifying co-workers interviewed during the audit when reporting, especially if the information provided by the co-worker is negative. Otherwise the auditor could have problems performing the audit in a way that leads to real improvements of the activities of the laboratory.

The competence, training and qualification of the auditor
The top management of the laboratory can order the internal audits and might also preferably point to what the internal audits have to focus on. The needed competence of the internal auditor is decided by the management ordering the audits. In other words, it is possible that an auditor may be competent for some types of audits but not for others.

Even though the specific audit determines the competence needed of the auditor, it is reasonable to ask for some basic requirements on the auditor:
- knowledge about the requirement documents, normally ISO/IEC 17025, accreditation guidelines and in some cases ISO 9001. There may also be a need to be aware of documents including requirements from voluntary and regulatory schemes;
- knowledge about the audited activities; even though a different background may lead to interesting and good findings during an audit, in the normal situation an auditor with good knowledge about the technical area she/he is auditing is to be preferred in most of the internal audits during an accreditation cycle; and
- training in auditing technique, e.g. by participation in training courses, but it is also possible to be trained in auditing by following an experienced internal auditor during some audits.

Personal skills and attitude of the auditor
The internal auditor should:
- not act as a policeman,
- not act as a buddy,
- be a discussion partner,
- be aware that the personnel that are audited usually are nervous and uncomfortable about the situation, and
- try to help and improve and at the same time keep a reasonable level of independence.

Advice to the auditor
- remember to introduce yourself to all personnel you are interviewing,
- do not ask for the impossible, the normal activities of the organisation must go on,
- be aware that not all people can answer all questions,
- be active, do not let interviewed persons lead the audit, but on the other hand you have to listen to and let the interviewed persons finish,
- do not get stuck in papers and documents but audit the real activities of the organisation,
- keep the focus on important issues and do not get lost in details,
- interview many persons,
- take clear notes all the time; it is hard to remember what was discussed in the early morning when you are writing the report in the evening,
- “sell” non-compliances, it is important that the non-compliances are understood and accepted by the audited organisation and the personnel,
- pick random samples, do not check everything,
- try to verify and search for evidence, do not search for faults,
- give advice and search for improvements,
- keep the time schedule, if you are getting late, inform the persons waiting,
- think about secrecy and independence, the personnel interviewed must be sure that the auditor, if it is possible, is not revealing the source of criticism, on the other hand the internal auditor is acting on the mandate and order of the management, and
- do not follow checklists too strictly, it is important to be able to improvise.

Mandate and handling of non-compliances
It is very important to decide the mandate of the auditor before the audit starts. This is the responsibility of the top management. It is also important to stress that the internal auditor is not responsible for handling non-compliances. That is the responsibility of the management of the audited organisation.

[1] ISO 9001:2015. “Quality Management Systems – Requirements”
[2] ISO/IEC 17020:2012. “Requirements for the operation of various types of bodies performing inspection”
[3] ISO/IEC 17025:2017. “General requirements for the competence of testing and calibration laboratories”
[4] ISO 19011:2002. “Guidelines for quality and/or environmental management systems auditing”