Of the three main ways to assess the system (Management Review, Internal Audit, Analysis of Data) the most popular and well-known is Internal Audit. An Internal Audit is conducted according to the requirements in the standard which include the assessment that the management system meets the standard and that the system is maintained (ISO, 2008). The internal audit schedule must be done at planned intervals is typically planned for a calendar year (ISO, 2008). Internal Audits can be of any length or scope but they must be defined in a procedure (ISO, 2008). In the author's experience an Internal Audit typically reviews a particular process over one to two days while the number of days required for an External Audit is fixed according to industry standards. The limited amount of time that is used for an audit means that the auditor may only review evidence of previous activities in the form of records rather than observe the actual functioning of the system in real-time. The review of records that show past compliance with the system (assuming that the records are not adulterated) does not mean that the system is compliant at the time of the audit. The most effective way to audit a system is to observe the functioning of the system over time. An internal auditor should spend at least a week together with the audited function to observe the various activities including actual occurrences such as award of new business, team meetings and customer complaints. Only by directly observing such activities can the auditor get a real sense of the status of the system. As detailed later [in a future post in this series], the role of "auditor" would be changed to allow this type of assessment of the organization's quality system.
ISO (2008). ISO 9001:2008 Quality management systems — Requirements. Geneva:author.