Draft | Internal | ISO 9001 | ISO 14001 | ISO 27001

SW-IMS-ROLE-002

Internal Auditor

Version: 1.0
Owner: IMS Owner
Effective Date: TBD
Review Date: TBD

Role: Internal Auditor

Document ID: SW-IMS-ROLE-002-v1.0
Effective Date: [TBD]
Review Date: [TBD]
Reports to: IMS Owner (for audit assignments)
Current Pool Members: [TBD - Names to be assigned by management]

Role Summary

Internal Auditors are qualified individuals within Swedwise AB who conduct planned and systematic audits of the Integrated Management System (IMS) to verify compliance with ISO 9001:2015, ISO 14001:2015, and ISO 27001:2022 requirements. Internal Auditors operate as a pool of trained personnel who are assigned to specific audits while maintaining their regular operational roles.

This is an occasional-duty role, not a full-time position. Auditors are called upon to conduct audits according to the annual audit program, typically requiring 2-5 days per year per auditor.

Context for Swedwise

Given Swedwise's size (~35 employees), maintaining a pool of 3-5 trained internal auditors provides:

  • Sufficient coverage for annual audit program requirements
  • Flexibility for scheduling around operational commitments
  • Independence through audit assignments outside auditor's own area
  • Continuity and resilience (backup auditors available)
  • Development opportunity for staff interested in management systems

Time Allocation

Typical Annual Commitment

  • Audit preparation: 0.5-1 day per assigned audit
  • Audit execution: 1-2 days per assigned audit
  • Audit reporting: 0.5-1 day per assigned audit
  • Total per audit: 2-4 days
  • Annual total: 2-5 days per year (1-2 audits per auditor)

Training and Competence Development

  • Initial auditor training: 2-3 days (one-time)
  • Annual refresher/calibration: 0.5 day
  • Shadowing/mentoring: 1 day (for new auditors)

Pool Structure

Pool Size

Swedwise maintains a pool of 3-5 qualified internal auditors to ensure:

  • Coverage for all IMS domains (quality, environmental, information security)
  • Independence (auditors don't audit their own work areas)
  • Availability despite leave, workload, and operational commitments
  • Succession and continuity

Pool Composition

The pool should include representation from:

  • Different organizational units or departments
  • Mix of management and operational perspectives
  • Balance of domain expertise (QMS, EMS, ISMS)
  • Senior and developing staff (for knowledge transfer)

Lead Auditor

One internal auditor may be designated as Lead Internal Auditor with additional responsibilities:

  • Coordinating audit team assignments
  • Mentoring new auditors
  • Reviewing audit reports for quality and consistency
  • Supporting IMS Owner in audit program planning

Key Responsibilities

1. Audit Preparation and Planning

  • Review audit assignment: Understand scope, objectives, and audit criteria
  • Study relevant documentation: Review policies, procedures, and previous audit findings related to audit scope
  • Prepare audit checklist: Develop audit plan and interview questions based on ISO requirements and organizational processes
  • Communicate with auditees: Inform process owners of audit schedule and requirements
  • Identify documentation needs: Request relevant records, documents, and data in advance
  • Coordinate with audit team: If multi-auditor assignment, coordinate responsibilities

2. Conducting Audits

  • Opening meeting: Explain audit scope, methodology, and schedule to auditees
  • Evidence gathering: Review documents, observe processes, conduct interviews
  • Objective evaluation: Assess conformity with requirements using evidence-based approach
  • Note-taking: Document observations, findings, and evidence during audit
  • Sampling: Select representative samples of records, transactions, or activities
  • Professional conduct: Maintain objectivity, respect, and professionalism
  • Closing meeting: Present preliminary findings and confirm understanding

3. Audit Documentation and Reporting

  • Document findings: Clearly describe nonconformities, observations, and opportunities for improvement
  • Classification: Categorize findings (major nonconformity, minor nonconformity, observation, positive practice)
  • Evidence documentation: Record objective evidence supporting each finding
  • Root cause consideration: Note potential root causes where applicable
  • Prepare audit report: Complete audit report using standard template within agreed timeframe (typically 1 week)
  • Report distribution: Submit report to IMS Owner and relevant process owners
  • Record retention: Ensure audit records are maintained in accordance with document control

4. Follow-Up Activities

  • Review corrective actions: Evaluate proposed corrective action plans for adequacy (if requested)
  • Verification audits: Verify implementation and effectiveness of corrective actions in follow-up audits
  • Lessons learned: Share audit insights and best practices with IMS Owner and other auditors
  • Trend identification: Note patterns or systemic issues across multiple audits

5. Maintaining Competence

  • Stay current: Keep knowledge of ISO standards and Swedwise IMS requirements up to date
  • Participate in training: Attend auditor refresher training and calibration sessions
  • Self-development: Engage in relevant professional development (webinars, reading, networking)
  • Peer learning: Participate in auditor team meetings and knowledge sharing
  • Feedback incorporation: Apply lessons learned from own audits and peer feedback

6. Independence and Objectivity

  • Declare conflicts: Inform IMS Owner of any conflicts of interest for assigned audits
  • Maintain impartiality: Conduct audits objectively without bias or favoritism
  • Fact-based approach: Base findings on verifiable evidence, not assumptions
  • Respect confidentiality: Handle audit information confidentially and appropriately
  • Professional skepticism: Question and verify claims rather than accepting at face value

Authority

Internal Auditors have authority to:

During Assigned Audits

  • Access: Access all areas, documents, systems, and personnel relevant to audit scope
  • Interview: Request interviews with any personnel involved in audited processes
  • Documentation review: Review any documented information within audit scope
  • Observation: Observe work activities and processes being audited
  • Sampling: Select samples of records, transactions, or activities for review
  • Time allocation: Expect auditees to allocate time for audit activities
  • Report findings: Report findings objectively and without interference

Limitations

  • No operational authority: Auditors do not have authority to change processes or make operational decisions
  • Recommendation only: Auditors recommend corrective actions but do not mandate them
  • Escalation: Significant or critical findings are escalated to IMS Owner and management
  • Independence: Auditors do not audit their own work areas or processes they are responsible for

Required Competencies

Education and Foundation Knowledge

Minimum:

  • Understanding of Swedwise's business operations and processes
  • Basic knowledge of management system principles (PDCA cycle, risk-based thinking)
  • Awareness of ISO 9001, ISO 14001, and ISO 27001 requirements (overview level)

Preferred:

  • Working knowledge of areas to be audited (quality, environmental, or information security)
  • Experience in relevant operational areas
  • Previous exposure to audits (internal or external)

Mandatory Training

All Internal Auditors must complete:

  • ISO 19011 Internal Auditor Training (2-3 days, classroom or online)
    • Audit principles and methodology
    • Audit planning, execution, and reporting
    • Evidence gathering and sampling techniques
    • Interviewing and communication skills
    • Finding classification and nonconformity writing
    • Auditor competence and ethics

Additional Training (recommended based on audit scope):

  • ISO 9001 Internal Auditor training (for QMS audits)
  • ISO 14001 Internal Auditor training (for EMS audits)
  • ISO 27001 Internal Auditor training (for ISMS audits)
  • Integrated Management Systems (IMS) auditor training

Auditor Qualification Process

To qualify as an Internal Auditor at Swedwise:

  1. Nomination: Nominated by manager and approved by IMS Owner
  2. Training: Complete required internal auditor training course
  3. Shadowing: Participate in at least one audit as observer/trainee auditor
  4. Supervised audit: Conduct first audit under supervision of experienced auditor
  5. Competence confirmation: IMS Owner confirms competence based on training and performance
  6. Ongoing qualification: Maintain competence through regular audit assignments and refresher training

Skills and Competencies

Audit-Specific Skills:

  • Evidence-based assessment and analysis
  • Objective observation and documentation
  • Structured interviewing techniques
  • Nonconformity identification and classification
  • Report writing and clear communication
  • Time management during audits

Interpersonal Skills:

  • Professional and respectful communication
  • Active listening and questioning
  • Diplomatic handling of sensitive issues
  • Constructive feedback delivery
  • Conflict management and de-escalation
  • Cultural sensitivity

Analytical Skills:

  • Critical thinking and logical reasoning
  • Pattern and trend identification
  • Root cause analysis (basic level)
  • Sampling and statistical awareness
  • Documentation review and verification

Personal Attributes

  • Integrity: Honest, ethical, and trustworthy
  • Objectivity: Impartial and unbiased in assessments
  • Professionalism: Respectful, courteous, and appropriate
  • Confidentiality: Discreet with audit information
  • Courage: Willing to report findings regardless of organizational politics
  • Curiosity: Inquisitive and thorough in investigation
  • Adaptability: Flexible in audit approach based on context
  • Continuous learning: Open to feedback and improvement

Independence Requirements

Audit Assignment Rules

Internal Auditors must not audit:

  1. Own work: Processes or areas they are directly responsible for
  2. Direct reports: Areas where they supervise the personnel involved
  3. Recent involvement: Processes they have been significantly involved in within the past 6 months
  4. Conflicting interests: Areas where they have personal or financial interests

Independence Verification

  • Pre-audit check: Auditor confirms independence before accepting assignment
  • Conflict declaration: Auditor declares any potential conflicts to IMS Owner
  • Alternative assignment: IMS Owner reassigns audit if independence cannot be ensured
  • Management awareness: Senior management is aware of auditor assignments to verify independence

Audit Frequency and Scheduling

Individual Auditor Commitment

  • Typical assignment: 1-2 audits per year per auditor
  • Peak periods: May be assigned more during high-audit seasons (pre-certification, surveillance)
  • Advance notice: Minimum 2 weeks' notice for audit assignments (where possible)
  • Scheduling flexibility: Audits scheduled in consideration of operational commitments

Annual Audit Program

Swedwise's IMS requires:

  • Full IMS coverage: All processes and ISO clauses audited over 12-month cycle
  • Frequency: Critical or high-risk processes audited more frequently
  • Total audit days: Approximately 10-15 audit days per year across all domains
  • Auditor rotation: Auditors rotate through different areas over time

Audit Conduct and Ethics

Professional Conduct

Internal Auditors are expected to:

  • Conduct audits professionally and respectfully at all times
  • Communicate clearly and constructively
  • Be punctual and prepared for audit activities
  • Respect auditee time and operational constraints
  • Maintain confidentiality of audit information
  • Avoid disrupting normal business operations unnecessarily

Ethical Principles

  • Integrity: Perform work with honesty and diligence
  • Fair presentation: Report findings truthfully and accurately
  • Due professional care: Apply care and judgment during audits
  • Confidentiality: Protect audit information appropriately
  • Independence: Maintain objectivity and impartiality

Managing Audit Challenges

If challenges arise during an audit (resistance, access issues, scope disputes):

  1. Attempt professional resolution with auditee
  2. Escalate to IMS Owner if unresolved
  3. Document issues in audit report
  4. Do not compromise audit integrity to avoid conflict

Auditor Development and Support

Ongoing Development

  • Refresher training: Annual calibration sessions or refresher training
  • Peer review: Opportunities for peer observation and feedback
  • Mentoring: Experienced auditors mentor newer auditors
  • Lessons learned: Regular sharing of audit experiences among auditor pool
  • IMS updates: Briefings on IMS changes, new procedures, or standard updates

Support from IMS Owner

The IMS Owner provides:

  • Clear audit assignments with scope and objectives
  • Access to relevant documentation and audit tools
  • Audit checklists and templates
  • Answers to audit methodology questions
  • Review and feedback on audit reports
  • Recognition and appreciation for audit contributions

Auditor Pool Meetings

The internal auditor pool meets:

  • Quarterly: Calibration, training, and experience sharing
  • Pre-audit program: Review annual audit program and assignments
  • Post-external audit: Discuss external audit findings and lessons learned
  • As needed: Address specific issues or changes

Performance and Feedback

Auditor Performance Evaluation

Internal Auditors are informally evaluated on:

  • Audit quality: Thoroughness, accuracy, and relevance of findings
  • Professionalism: Conduct during audits and communication with auditees
  • Timeliness: Meeting audit schedules and reporting deadlines
  • Report quality: Clarity, completeness, and usefulness of audit reports
  • Competence development: Engagement in training and self-improvement

Feedback Mechanisms

  • Auditee feedback: Process owners provide informal feedback on audit conduct
  • IMS Owner review: IMS Owner provides feedback on audit reports and performance
  • Peer feedback: Auditors provide constructive feedback to each other
  • Self-reflection: Auditors reflect on own performance and improvement areas

Recognition

Swedwise recognizes internal auditor contributions through:

  • Acknowledgment in management reviews
  • Professional development opportunities
  • Inclusion in IMS-related projects or initiatives
  • Certification support (if pursuing professional auditor credentials)

Relationship with Other IMS Roles

IMS Owner

  • Primary relationship: Receives audit assignments, submits reports, requests guidance
  • Frequency: Contact during audit assignments and for annual program planning
  • Support: IMS Owner provides audit tools, templates, and methodology guidance

Process Owners (Auditees)

  • Professional relationship: Respectful, objective, and constructive
  • Communication: Clear communication of audit scope, schedule, and expectations
  • Collaboration: Work together to understand processes and identify improvements

Domain Leads (Quality, Environmental, CISO)

  • Technical consultation: May consult domain experts for specialized knowledge
  • Coordination: Coordinate audit scope with domain responsibilities
  • Reporting: Findings in specialized areas reported to relevant domain lead

Key Relationships

| Stakeholder | Nature of Interaction | Frequency |
|---|---|---|
| IMS Owner | Audit assignments; reporting; guidance | During audits |
| Lead Internal Auditor | Coordination; mentoring; quality review | During audits |
| Process Owners | Audit planning; interviews; findings discussion | During audits |
| Auditees | Evidence gathering; observations; interviews | During audits |
| Domain Leads | Technical consultation; specialized findings | As needed |
| Fellow Auditors | Peer learning; team audits; calibration | Quarterly |
| Management | Audit results presentation (occasionally) | During audits |

Success Factors

An Internal Auditor is successful when:

  1. Effective audits: Audits identify meaningful findings and improvement opportunities
  2. Objective approach: Audits are conducted with impartiality and evidence-based rigor
  3. Professional conduct: Auditees view audits as constructive rather than punitive
  4. Timely completion: Audits are completed on schedule with quality reports
  5. IMS improvement: Audit findings contribute to continual improvement of the IMS
  6. Competence growth: Auditor develops and maintains audit skills over time
  7. Value addition: Audits add value to the organization, not just compliance checking
  8. Positive reputation: Internal audits are respected and well-received by the organization

Document Control

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [TBD] | [Author] | Initial release |

Approval

| Role | Name | Signature | Date |
|---|---|---|---|
| IMS Owner | | | |
| CEO | | | |

Appendix: Auditor Pool Management

Current Internal Auditor Pool

| Name | Department | Domain Focus | Qualification Date | Last Audit |
|---|---|---|---|---|
| [TBD] | [TBD] | [QMS/EMS/ISMS] | [TBD] | [TBD] |
| [TBD] | [TBD] | [QMS/EMS/ISMS] | [TBD] | [TBD] |
| [TBD] | [TBD] | [QMS/EMS/ISMS] | [TBD] | [TBD] |

Auditor Qualification Records

Maintained by IMS Owner:

  • Training certificates and records
  • Audit assignment history
  • Competence assessment records
  • Refresher training completion
  • Independence confirmation forms

Lead Internal Auditor

Current Lead Auditor: [TBD - Name to be assigned]

Responsibilities:

  • Coordinate audit team assignments with IMS Owner
  • Mentor and support new auditors
  • Review audit reports for quality and consistency
  • Lead auditor calibration sessions
  • Represent auditor pool in management reviews