Two types of auditing are required to become registered to the standard: auditing by an external certification body (external audit) and audits by internal staff trained for this process (internal audits). The aim is a continual process of review and assessment to verify that the system is working as it is supposed to; to find out where it can improve; and to correct or prevent problems identified. It is considered healthier for internal auditors to audit outside their usual management line, so as to bring a degree of independence to their judgments.
Under the 1994 version, the audit could be summarized in three steps:
- Tell me what you do (describe the business process)
- Show me where it says that (reference the procedure manuals)
- Prove that this is what happened (exhibit evidence in documented records)
The 2000 standard uses a different approach. Auditors are expected to go beyond mere auditing for rote conformance by focusing on risk, status, and importance. This means they are expected to make more judgments on what is effective, rather than merely adhering to what is formally prescribed. The difference from the previous standard can be explained thus:
- Under the 1994 version, the question was broad: “Are you doing what the manual says you should be doing?”, whereas under the 2000 version, the questions are more specific: “Will this process help you achieve your stated objectives? Is it a good process or is there a way to do it better?”