Abstract
Research on internal audits of quality management systems is scarce, and no clear study exists that could guide practitioners in improving the auditing practice and help researchers advance existing knowledge. Thus, the aim of this paper is to review empirical research on internal audits of ISO 9001 to synthesise advice for increasing the value of internal audits and to establish a research agenda. The research method used in this paper is a systematic literature review. The result from a thematic analysis revealed two main causes for why internal audits should be improved, three main areas of what to improve, and three groups of suggestions for how audits can be improved. In conclusion, this review show that earlier research agrees on that internal audits focus too much on compliance and less on improvements, and that auditors should improve their knowledge, skills, and audit planning. The implications of this paper are consolidated in four propositions for future research, focusing the need for (1) more research contributing to both practice and theory, (2) enhanced focus on organisational needs and improvement opportunities, (3) changes in audit planning and auditor skills to enable process-oriented auditing, and (4) how to implement changes in internal auditing.
Introduction
Quality management (QM) has strong roots in resolving practical industrial problems and remains an applied field in the interplay between researchers and practitioners (Dahlgaard-Park et al., Citation2018). Despite this, the field has not been left unquestioned by researchers or practitioners. Scholars have discussed failed Total Quality Management (TQM) initiatives during the 1990s (Boaden, Citation1996; Zairi, Citation1994), and QM initiatives with excessive focus on standardisation that potentially quench creativity and innovation (Poksinska et al., Citation2006; Terziovski & Guerrero, Citation2014). The perceived over-emphasis on standardisation is sometimes tied to the quality management system (QMS), for example, certified ISO 9001 systems. A QMS is a set of policies, objectives, and processes to support an organisation in achieving its objectives regarding quality (International Organization for Standardization [ISO] 9001, Citation2015). While the ISO 9001 system has been shown to positively impact quality improvements (Sousa & Voss, Citation2002) and operational performance (Kaynak, Citation2003), it has also been accused of offering limited value beyond compliance to requirements (İlkay & Aslan, Citation2012; Wayhan et al., Citation2002). If this is true for most of the over one million ISO 9001 certified firms (ISO Survey, Citation2018), many resources are being spent without achieving significant value. Thus, an important question arises: How can activities related to the QMS be enhanced to ensure that sufficient value is created? Naturally, QMS have also undergone developments in a strive to increase the value added, before further reflecting on needed enhancements of QMS related activities it is thus of interest to outline some key developments of ISO 9001.
The ISO 9001 management system standard was first released in 1987 and has since undergone several revisions. The main focus of the first editions of the ISO 9001 (i.e. ISO 9001:1987 and ISO 9001:1994) was to provide a ‘model for quality assurance in design, development, production, installation and servicing’ (ISO, Citation1994). During the implementation and certification of these first editions of the ISO 9001 management system standard, organisations efforts were very much geared towards conforming to procedures and creating binders with manuals (Clear Quality, Citationn.d.). In the ISO 9001:2000 edition, the 9001-management system standard requirements were extended to cover the entire organisation (ISO, Citation2000). In this edition, the process approach was introduced and suggested to be adopted when implementing and improving a QMS (ISO 9001, 2000). The later changes in the 2008 edition were minor and focused on clarifications of existing requirements e.g. process requirements, but also on improving the compatibility with ISO 14001:2004 (ISO, Citation2008). In September 2015 the current version, ISO 9001:2015, was released. In this edition several enhancements were introduced, such as less prescription of documents, simplified language, risk-based thinking and an adoption to the high-level structure now being implemented in all ISO management system standards (ISO, Citation2015a). It has been argued that this edition is a move towards TQM (Fonseca, Citation2015), with reported benefits such as more risk-based thinking, similarity to other management system standards, and alignment with contemporary business (Fonseca et al., Citation2019; Fonseca & Domingues, Citation2017a).
Irrespective of edition, a necessary and resource-consuming part of holding an ISO 9001 certificate is to conduct regular internal (first-party) and external (third-party) audits. The ISO defines auditing as a ‘systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled’ (ISO 9001, Citation2015, p. 30). Internal audits are conducted by, or on behalf of, the organisation by trained auditors as a means of declaring conformity to a management system standard e.g. ISO 9001, or ISO 14001 (ISO, Citation2015b). External audits are conducted by auditors from an accredited certification body, providing certification towards a management system standard (ISO, Citation2015b). A certification of a management system is a means of assuring that a system for managing activities, products and services has been implemented, and that it is in line with an organisatiońs policies and applicable management system standards (ISO, Citation2015c).
Auditing of QMS also constitutes an area of research that often focuses on suggested changes needed to enhance the value of audits. These suggested changes pertain to the content of auditing, the context in which the audit takes place and the process of auditing. Examples of the suggested changes concerning the content of audits are that auditors should have specific knowledge about the audited organisation and an adaptability (Power & Terziovski, Citation2005; Ramly et al., Citation2007), communication skills and the ability to demonstrate empathy (Power & Terziovski, Citation2007), as well as the ability to ensure that information about the audit is shared in advance (Kondo, Citation1998). Naturally, auditors also need to have necessary skills in, and experience from, the audited management system standard e.g. ISO 9001:2015 (Domingues et al., Citation2019; Fonseca & Domingues, Citation2017b), or in cases of integrated management systems there is a need for skills from multiple areas e.g. both environmental and quality management (Rivera et al., Citation2017). In relation to the context of auditing, scholars have argued that auditors need to adapt to the maturity of the QMS being audited, e.g. focusing less on compliance to requirements in a more mature QMS (Terziovski et al., Citation2002). Furthermore, connecting the audit programme and audits to organisational needs and activities (Askey & Dale, Citation1994; Rippin et al., Citation1994; Roth, Citation2003) have been argued to produce positive effects, as auditors then have become better at assisting management teams in achieving organisational objectives (Alic & Rusjan, Citation2011; Roth, Citation2003). In terms of the process of auditing, scholars have also suggested educating the auditor on how to evaluate evidence (Roworth & Muir, Citation1999) and establishing a sponsor role to act as a bridge between auditor and management (Lenning & Gremyr, Citation2017).
There is general agreement that internal audits need to be changed to better support value creation beyond compliance to standards, and existing research points to changes in for example audit reports (Berlitz & Gaelzer, Citation2009), planning and procedures (Ramly et al., Citation2018). Several aspects have been considered, and some suggestions have been made to improve auditing of QMS; however, research specifically on internal audits is scarce. Moreover, there is no overview paper that could guide practitioners in improving the auditing practice and help researchers advance existing knowledge and contribute to improvements of a practice that is central to QM practitioners (Elg et al., Citation2011; Gremyr et al., Citation2019). This paper aims to review empirical research on internal audits related to ISO 9001 to synthesise advice for increasing the value of internal audits and to establish a research agenda. To this end, a systematic literature review was conducted, guided by the Prisma steps proposed by Moher et al. (Citation2009). The conceptual goal of the review is to summarise (MacInnis, Citation2011, p. 144), that is ‘to take stock of, digesting, recapping, and reducing what is known to a manageable set of key take-aways’. First, this paper contributes key take-aways for practice in the form of summaries of improvement suggestions for internal auditing, motivations for improvement, the content of internal audits, and the audit process. Second, key take-aways for research are synthesised into a research agenda. In the following, the review approach is elaborated, and the results of the review are provided. The concluding parts of the paper discuss the state of research on internal audits and propose a research agenda.
Method
Review approach
In the first phase of the review, potential papers of interest were identified using a set of inclusion criteria. Following Torraco (Citation2016, p. 418), the inclusion criteria were designed to be broad enough to capture the breadth of relevant literature. Thus, the review was not limited to papers published in peer-reviewed academic journals; it also included ‘grey’ literature (Schöpfel, Citation2010), such as conference proceedings, magazines and book chapters as it is argued to be increasingly important (Adams et al., Citation2017), and suggested to be included in meta-analysis to more completely reflect existing evidential bases (Conn et al., Citation2003). As the topic of interest is rather practical in nature, it was argued that excluding the ‘grey’ literature would lead to losing out on pertinent work. However, we acknowledge that there are other types of resources available for auditors wishing to improve their audit practice e.g. Auditing Practices Group (Citation2020). Moreover, the focus of this paper is on empirical research as a means to capture actual changes done in auditing rather than conceptual views. The main literature search was performed in the Scopus and Web of Science in December 2019. The following search strings were used:
Scopus: ((TITLE-ABS-KEY (quality W/2 management W/2 system*)) OR (TITLE-ABS-KEY (iso9001 OR iso9000 OR ‘ISO 9001’ OR ‘ISO 9000’))) AND (TITLE-ABS-KEY ((audit*) W/2 (internal)))
Web of Science: ((TS= (quality NEAR/2 management NEAR/2 system*) OR TS= (iso9001 OR iso9000 OR ‘ISO 9001’ OR ‘ISO 9000’) AND (audit* NEAR/2 internal)).
In total, both databases churned out 258 publications. The search was not limited to a certain time span, although it followed naturally that no publications were identified before 1987, when ISO 9001 was first launched. Moreover, the search was delimited specifically to internal audits of QMS and did not include, for example, auditors’ views of management system standards overall, e.g. ISO 9001. A systematic literature review was conducted, following Prisma (Moher et al., Citation2009), as shown in . The Prisma flowchart was completed by following the procedures suggested by Nolan and Garavan (Citation2016) and Torraco (Citation2016).
Figure 1. PRISMA flowchart (based on Moher et al., Citation2009).
All papers were initially screened by titles jointly by both authors, followed by individual screenings of the abstracts. The screenings were guided by the following exclusion criteria: papers were not included for full paper review if they were non-empirical, not focussed on ISO 9001 or if they dealt with audits other than internal audits (i.e. external audits, certification audits or financial audits).
Coding framework, review and analysis
The full text of the reviewed papers was coded using a coding framework () that was developed both deductively and inductively. The deductively derived codes were: focus on content, context or process of change (Pettigrew, Citation1987), auditor position in relation to management (Lenning & Gremyr, Citation2017), research outcomes (Barratt et al., Citation2011), formal or actual competence (Ellström, Citation1998) and research strategies and data collection methods (Elg et al., Citation2020). Inductive codes were exemplified by coding if the impact of ISO 9001 was evaluated based on financial or non-financial performance indicators or if a code captured whether or not internal auditors worked on their own or conducted audits in a team. The number of papers passing through to final review limited the possibilities to use bibliometric analysis software, which could otherwise have been a way to generate codes inductively e.g. by studying co-occurrence of key concepts.
Figure 2. Excerpt from the coding framework.
To enhance reliability and calibrate the interpretations of the coding framework, the complete full-text review was preceded by calibration, which was done by coding three papers by both authors in parallel, followed by a discussion of the coding process and the use of individual codes. Thus, the process for enhancing intercoder reliability, suggested by Nolan and Garavan (Citation2016), was followed. Both researchers were active in reviewing the remaining papers: neither researcher reviewed both the abstract and the full paper for any of the papers. In unclear cases, especially related to an inclusion/exclusion decision, a joint discussion was taken.
The coding framework also included codes based on Pettigrew’s (Citation1987) suggested dimensions of change, that is, context, content and process. The coding of the papers with respect to these areas was guided by the descriptions from Stetler et al. (Citation2007): context being the ‘why’ (i.e. context in relation to the motivation for change); content being the ‘what’ (i.e. the elements or processes changed to enhance the chances for a successful change); process being the ‘how’ (i.e. the methods, strategies or interventions used to move towards a changed state). Naturally, there were papers that addressed more than one of these dimensions; thus, one paper could be coded for multiple areas (context, content, process).
Towards more value-adding audits
In this section, the research reviewed is first described in terms of, for example, the number of papers published, methods applied, and types of outcomes in focus. This descriptive analysis is followed by a synthesising description based on the dimension of change suggested by Pettigrew (Citation1987).
Descriptive analysis
In the review process, only papers with empirical data were included. Of the 41 papers that contained an identifiable type of organisation, there were 23 private companies in business-to-business markets, 6 private companies in business-to-consumer markets, 9 public organisations and 3 cross-sectional studies. shows that the number of articles on internal auditing and QMS has increased over time.
Figure 3. Year of journal publication and QMS standard version for reviewed papers.
The 44 papers reviewed were published between 1992 and 2019, and during this period, several different versions of the ISO 9001 QMS standard were used. In most papers, the version observed, audited or reviewed is explicitly stated; however, in some papers, the term ISO 9001 was used without stating the version. In these cases, the authors judged which version of the QMS standard had been under focus based on the date when the papers were received by the journal.
Turning to research methodology (see (a)), a qualitative research strategy was used in 25 of the 44 papers reviewed, whereas 9 papers applied a quantitative research strategy. In 3 papers, a mixed-method research strategy was used, and 7 papers did not explicitly state the research strategy but accounted for authors’ personal experiences from internal auditing. The 4 most frequently used data collection methods were observations (14 papers), followed by surveys (12 papers), secondary data (11 papers) and interviews (8 papers).
Figure 4. Numbers of papers and (a) utilised research strategy, (b) research outcome.
To classify the types of outcomes in the reviewed research, the categorisation of research outcomes by Barratt et al. (Citation2011) was applied [see (b)]. Naturally, some papers had multiple research outcomes, but in general, this categorisation follows that the most frequent outcome from the analysed papers includes guidelines (24 papers), followed by descriptive insights (11 papers) and ideas (9 papers). It should be noted in the categorisation of outcomes that no papers proposed a research agenda and that only a few (4 papers) proposed theoretical or conceptual frameworks.
Thematic analysis
The description of the content of the reviewed papers is organised into three themes, departing from the dimensions suggested by Pettigrew (Citation1987), that is, context, content and process. provides an overview of these themes, describing the key messages from the papers reviewed and providing a list of the references included in each theme.
Table 1. Summary of themes and references.
Theme 1 – context: why should internal audits be improved?
The first theme focuses on why internal audits are thought to be in need of change, including aspects that call for a change in the organisation’s external and internal environments. First, reasons related to perceived shortcomings of internal audits are presented, followed by a second paragraph focusing on the perceived potential in internal audits to drive improvements. First, in a study of why companies cancel their 9001 certification, several respondents perceived the internal audit activity as a waste of time from which little value was gained (Chiarini, Citation2019), and this is supported by other studies, which reveals perceptions of audits as being a time-consuming activity with limited value added by the audit findings (Ramly et al., Citation2018). It has also been argued that internal audits should not only be a simple check focusing on compliance with ISO requirements (Chiarini, Citation2019; Roworth & Muir, Citation1999). Making symbolic improvement suggestions related to non-conformities by following a checklist of ISO requirements is argued to enhance neither the quality of offerings nor the capability of an organisation (Sun et al., Citation2017). Furthermore, when analysing a checklist for audits designed by internal auditors, Masanganise et al. (Citation2013) found a lack of objective assessment criteria, that is, criteria from a standard. This could explain the view that the current audit system focuses on fault finding, in that it is not objective, standardised or transparent. Instead of focusing on a checklist related to ISO requirements, it is argued that internal audits should measure the performance of the processes audited (Chiarini, Citation2019).
Second, focusing on the potential of internal audits as a driver for improvements, Roworth and Muir (Citation1999) and Chiarini (Citation2019) argued that auditors focus on compliance and not on improvement. At the same time, it has been argued that in every non-conformity from an audit, there is a potential for quality improvements (Jarrell & Vanderlinden, Citation1995) and that audits can contribute to a more positive view of continuous improvements (Meegan & Simpson, Citation1997) and encourage more improvement work (Kochan, Citation1993). In essence, the audit process should be viewed as an opportunity for improvement (Esa et al., Citation2006; Masanganise et al., Citation2013). Earlier research also points to the idea that internal audits can drive continuous improvements (Underdown & Yentzen, Citation2012; Verkhovskaya et al., Citation2016), contribute to improving business performance (Alic & Rusjan, Citation2011) and enhance customer satisfaction (Tomic & Spasojevic Brkic, Citation2019). Audits are found to be a way of identifying process improvements (Fletcher & Gupta, Citation1999) and generate new ideas and opportunities for strategic initiatives, which could challenge existing practices and lead to improvements (Hassan et al., Citation2019; Tomic & Spasojevic Brkic, Citation2019). Furthermore, it is claimed that audits can be used to sustain gained improvements in, for example, a Six Sigma project as well as in the evaluation of such projects (Marques et al., Citation2013). Finally, Hernandez (Citation2010) argued that audits can drive implementation of a QMS, and Thijeel and Bachay (Citation2019) pointed out that auditors, with their in-depth knowledge of quality requirements in the standards, can also support certification applications when QMS are developed.
Theme 2 – content: what to change to improve internal audits
The second theme deals with what to change in order to improve internal audits, such as organisational elements or processes. There are three areas of focus regarding content: auditor skills and knowledge, the focus of an audit and the different types of audit integration. First, the analysis of the articles shows that 11 of the 44 articles view internal auditors’ personality, skills and knowledge as key improvement areas. An auditor’s skills and personality have been shown to influence both the effectiveness of the audit (Kochan, Citation1993; Piskar, Citation2006) and the overall value added from the audit (Sun et al., Citation2017). Pointing to the need for auditors to advance their skills and knowledge, summarises various suggestions.
Table 2. Summary of auditor skills and knowledge needed for value-adding audits.
Regarding management experience, Kaziliunas (Citation2008) argued that preparations and training to support interaction with top management is important. However, Kaziliunas (Citation2008) claimed that auditors often lack the ability to interact with top management or shop floor workers. Thus, in addition to basic skills in auditing, there is a need for strong communication skills (Balagué, Citation2009) to be able to present and discuss audit findings at different organisational levels.
Second, existing research suggests various improvements in the audit process, such as emphasising audit planning (Esa et al., Citation2006) and focusing less on ISO 9001 elements and more on ISO 9001 QM principles (Abuazza et al., Citation2019). Several papers in the review identify a need for internal audits to focus more on auditing an organisatiońs processes rather than focusing on auditing a certain function. Fletcher and Gupta (Citation1999) argued that a process focus is the key intent of an audit, but this intent is lost in many organisations, leading to a shift in focus away from actual performance of the processes (Chiarini, Citation2019). Abandoning the traditional approach (with a focus on functional units) in favour of internal audits focusing on processes is argued to enhance audit effectiveness (Islamova & Volkova, Citation2017; Kaziliunas, Citation2008; Ni & Karapetrovic, Citation2003). In one study, a shift of focus on process in the audits led to a 50% reduction in time and cost for the audit cycle and a similar reduction in the number of auditors needed (Berlitz & Gaelzer, Citation2009). However, such a shift is challenging and requires not only expertise in quality but also high levels of interpersonal skills (Frei, Citation1998; Kaziliunas, Citation2008; Sun et al., Citation2017).
Third, different integrations involving internal audits are a reoccurring theme in the research reviewed. Hutchins (Citation2001) claimed that internal audits of different management systems in areas such as quality, environment and safety will eventually converge, and a positive effect of this is that auditing will receive more attention and focus from senior management and the board. In addition, it is argued that the integration of audit teams, audit procedures and processes is a way to reduce costs, for example, by reducing the time needed from both auditors and auditees (Hassan et al., Citation2019; Hoy & Foley, Citation2015). The integration of different types of internal audits is also argued to decrease the number of disturbances in the organisations, for example, by avoiding duplications of audit results (Hoy & Foley, Citation2015). Besides suggesting the integration of audits for various types of management systems (often QMS and environmental management systems), Marques et al. (Citation2013) proposed that audits could be integrated and used in Six Sigma initiatives. The suggestion is to use internal audits to identify improvement areas where a Six Sigma project could be needed and/or to use internal audits to sustain the improvements resulting from Six Sigma projects (Marques et al., Citation2013). Finally, when comparing the integration of different external audits with the integration of internal audits, internal integration is more common and arguably easier, as these auditors focus on one organisation, while external audits focus on both various management system standards and organisations (Bernardo et al., Citation2010).
Theme 3 – process: how to improve internal audits
The third theme focuses on how to improve internal audits, that is, the actions needed to move from the present to a future state. First, suggestions for improving the audit process are presented, followed by suggestions for how audits can focus on processes; the third part emphasises suggestions to focus audits more on continuous improvements. First, considering the audit process in general, it is suggested that there is a need to change how the effectiveness of audits is evaluated. Piskar (Citation2006) argued that audits should be evaluated through management assessments of the audit’s usefulness in contributing to improvements in business processes. Moreover, the development of qualitative metrics for evaluating the audit process is suggested, for example, audit performance (Abuazza et al., Citation2019) and progress in auditing and action follow-up (Roworth & Muir, Citation1999). It is also suggested that audit objectives should be aligned with business objectives, which enables an internal audit to better support managers in achieving such business objectives (Alic & Rusjan, Citation2011).
Second, Berlitz and Gaelzer (Citation2009) have suggested that internal audits should be aligned with processes and that each auditor should be assigned to and responsible for a defined set of processes. Process-oriented audits should focus less on procedures and records (Piskar, Citation2006), be planned to target, for example, known weak processes in an organisation (Merrill, Citation1996) and have a frequency based on the performance and importance of the process (Fletcher & Gupta, Citation1999).
Third, to perform more improvement-focussed audits, Roworth and Muir (Citation1999) have suggested that auditors should be trained in questioning techniques and handling organisational complexities. Moreover, one method of enhancing the improvement focus, as well as improvements of the audit per se, is to establish regular meetings between auditors to discuss problems and results (Roworth & Muir, Citation1999).
Discussion
This paper reviewed empirical research on internal audits of ISO 9001 to generate advice for value-adding internal audits and to establish a research agenda. In general, research on internal audits of QMS is not extensive, which is surprising in light of accusations that QMS is limited in terms of value added to organisations (İlkay & Aslan, Citation2012; Wayhan et al., Citation2002), and remains a primary concern in QM practice (Elg et al., Citation2011; Gremyr et al., Citation2019). Moreover, for internal audits, this is a mandatory activity for organisations with certified QMS and an activity with the potential to contribute to improvements (Kochan, Citation1993; Lenning & Gremyr, Citation2017; Meegan & Simpson, Citation1997). To advance this field and with the intention of contributing to practice and research, this discussion will focus on four overarching themes. First, there is a lack of research on internal audits that moves beyond an and not only to understanding related to a specific study setting. Second, drivers for improving internal audits are related to the context of change (Pettigrew, Citation1987). Third, the need for the development of auditors’ competencies, related to the content of change (Pettigrew, Citation1987). Fourth, the process of advancing internal audits to become more value-adding, related to the process of change (Pettigrew, Citation1987).
First, the review did not include papers that proposed a research agenda, and few theoretical or conceptual frameworks were developed. Common outcomes were guidelines or descriptive insights based on authors’ personal views. Naturally, as QM is an applied field in which developments are often driven by practice (Dahlgaard-Park et al., Citation2018), practice-oriented research outcomes are expected. However, building further research on guidelines or descriptive insights is challenging, and the field risks being dispersed. One established research strategy, aiming for simultaneous contributions to theory and practice is action research (Elg et al., Citation2020) and the use of data collection methods such as focus groups, which allows data to be collected in proximity with practitioners. Such a research strategy would contribute to research as well as practice.
PROPOSITION 1. Research should focus on internal audits to support continuous improvements, as a suggestion by action research, with the aim of contributing to practice as well as theory.
Second, even though there are opportunities for audits to contribute to quality improvements (Sousa & Voss, Citation2002), enhance customer satisfaction (Tomic & Spasojevic Brkic, Citation2019) and improve operational performance (Kaynak, Citation2003), there seems to be general agreement that the value of audits needs to be improved. The two main reasons internal audits should be improved are as follows: (1) internal audits are perceived to be a waste of time, and auditors mainly follow checklists based on ISO requirements, which do not help improve organisational performance (Chiarini, Citation2019; Ramly et al., Citation2018) and (2) there is excessive focus on seeking compliance with ISO requirements instead of on opportunities for improvement (Sun et al., Citation2017).
PROPOSITION 2. To enhance the value of internal audits, auditing should focus on organisational needs in addition to ISO requirements and on identifying opportunities for improvements.
Third, auditors are trained to prepare a checklist for an audit that departs from the standard requirements; other types of preparations and input are needed for improvement-focussed auditing. This includes, for example, internal strategies and targets, records from internal follow-up activities and data on customer satisfaction, all of which are needed to identify key areas for auditing and hence enable a needed focus on key processes (Islamova & Volkova, Citation2017; Kaziliunas, Citation2008; Ni & Karapetrovic, Citation2003). Thus, a key area is to identify the skills and competencies auditors need to enhance the value added from internal audits and focus on key processes. The suggested skills and competencies are, for example, management experience (Sun et al., Citation2017), an overall understanding of business operations (Merrill, Citation1996) and the ability to move between different contexts in an organisation (Lenning, Citation2018). In addition to the suggested changes in auditor skills and competencies, changes in the actual content of the audit have been suggested in relation to audit planning (Esa et al., Citation2006), as well as the integration of different types of audits (Hoy & Foley, Citation2015; Hutchins, Citation2001) to gain increased management support.
PROPOSITION 3. Auditors’ skills and competencies as well as the planning of internal audits need to be adapted to process-focussed auditing and an integration of audits.
For both Propositions 2 and 3, these are supported by guidelines for auditing management systems (19011: 2018; the ISO 9001 Auditing Practices Group’s Guidance on internal audits, 2020). Proposition 2 in pointing out that organisational needs and opportunities for improvements should be in focus in audits, and Proposition 3 in pointing to the need for an identification of auditors’ skills and competencies, and changes in audit planning such as integrating audits (e.g. Domingues et al., Citation2011; Kraus & Grosskopf, Citation2008).
Fourth, most papers in the review provide suggestions on why there is a need for improved internal audits as well as what to improve related to the context and content of change (Pettigrew, Citation1987). Comparatively less research focuses on the process, that is, how to improve internal audits. Thus, despite the dominance of practice-oriented outcomes (guidelines and descriptive insights), the process leading up to the outcomes is not elaborated. Such research could be carried out as action research and would benefit both theory and practice, especially if examples of both successful and unsuccessful interventions were provided. The research that does exist on the process of changing internal audits emphasises management’s responsibilities and involvement in auditing, for example, in audit assessments (Piskar, Citation2006) and in supporting alignment with business objectives (Alic & Rusjan, Citation2011), as well as the auditors’ responsibilities in, for example, learning to handle organisational complexities and sharing experiences in the auditor group (Roworth & Muir, Citation1999).
PROPOSITION 4. Research needs to address how to implement changes in auditing practices and clarify the responsibilities of management and internal auditors.
The present literature review focuses internal audits of ISO 9001. To further explore and enhance the findings, future literature reviews could be conducted focusing internal audits of other management system standards such as ISO 14001, or ISO 27001. Furthermore, this literature review included research papers published up until, and including 2019. However, the latest version of the ISO 9001 management system standard, encompassing several major changes argued to support an increase of the value gained from a QMS (Fonseca & Domingues, Citation2017a), was approved by the European committee for standardisation in September 2015. The approval was followed by a three-year grace period for implementation, hence the numbers of reviewed research papers studying internal auditing of ISO 9001:2015 will likely increase (). Moreover, the latest version of the guidelines for auditing management systems (ISO 19011) was released in mid-2018 and included, among many changes, an extended focus on management aspects and risk-based auditing. Future literature reviews are therefore suggested to extend this review once more papers on internal audits of ISO 9001:2015 have been published.
Conclusions
This paper presents a review of papers on internal audits of ISO 9001 to generate advice for value-adding internal audits as well as to establish a research agenda. The review was thematised in relation to (I) causes for why internal audits should be improved (context), (II) suggestions for what to improve in internal auditing (content) and (III) suggestions for how to improve internal auditing (process). Most of the reviewed articles belong to the two first themes and agree that internal audits place excessive focus on compliance and less on improvements, and that auditing could be improved by, for example, developing auditors’ knowledge and skills and audit planning. These findings have practical implications for auditors in auditing different management system standards (e.g. 9001, 14001) as input on how to improve internal audits. Furthermore, it addresses the hidden potential in auditing as a driver of continuous improvements. In addition, the findings can also be used in training new auditors. As an example, the auditor training could include fictive cases with incomplete data to train future auditors in identifying the data needed to be able to identify critical areas to audit.
In conclusion, this review puts forth four propositions on the need for; (1) more research contributing to both practice and theory, (2) enhanced focus on organisational needs and improvement opportunities, (3) changes in audit planning and auditor skills to enable process-oriented auditing, and (4) how to implement changes in internal auditing. builds on these propositions and displays various associated research areas based on the review results.
Figure 5. A research agenda to support the use of internal audits to support continuous improvements.
Specifically related to proposition 3, two future research avenues related to auditors’ skills and process-oriented auditing, are remote audits and auditing in the Industry 4.0 era. First, remote auditing was performed already before the Covid-19 pandemic but has now increased dramatically and includes both opportunities (e.g. time savings, reduced costs, and reduced negative environmental impact from travelling), but also challenges (e.g. reduced in-person contact, information security, and risk of missing out evidence). Second, auditing in the era of Industry 4.0 and digitisation also includes opportunities and challenges. On one hand, through big data analytics and artificial intelligence auditors will be equipped with new tools in their preparations. On the other hand, a move towards e.g. automated processes will require new and specialised auditor skills to uncover possible non-compliances.
Acknowledgements
Financial support from the Area of Advance Production at Chalmers is gratefully acknowledged.
Disclosure statement
No potential conflict of interest was reported by the author(s).
References
- Abuazza, O. A., Labib, A., & Savage, B. M. (2019). Development of an auditing framework by integrating ISO 9001 principles within auditing. International Journal of Quality and Reliability Management, 37(2), 328–353. https://doi.org/https://doi.org/10.1108/IJQRM-02-2019-0048
- Adams, R. J., Smart, P., & Huff, A. S. (2017). Shades of grey: Guidelines for working with the grey literature in systematic reviews for management and organizational studies. International Journal of Management Reviews, 19(4), 432–454. https://doi.org/https://doi.org/10.1111/ijmr.12102
- Alic, M., & Rusjan, B. (2011). A model for measuring an ISO 9000 internal audit outcome. African Journal of Business Management, 5(13), 5388–5404. https://doi.org/https://doi.org/10.5897/AJBM10.247
- Askey, J. M., & Dale, B. G. (1994). Internal quality management auditing: An examination. Managerial Auditing Journal, 9(4), 3–10. https://doi.org/https://doi.org/10.1108/02686909410056329
- Auditing Practices Group. (2020). Guidance on: Internal audits [White paper]. https://committee.iso.org/files/live/sites/tc176/files/documents/ISO%209001%20Auditing%20Practices%20Group%20docs/Auditing%20to%20ISO%209001%202015/APG-InternalAudit2015.pdf
- Balagué, N. (2009). Auditing the library’s quality system. Library Management, 30(4–5), 286–294. https://doi.org/https://doi.org/10.1108/01435120910957940
- Balague, N., Duren, P., Juntunen, A., & Saarti, J. (2014). Quality audits as a tool for quality improvement in selected European higher education libraries. The Journal of Academic Librarianship, 40(5), 529–533. https://doi.org/https://doi.org/10.1016/j.acalib.2014.01.002
- Barratt, M., Choi, T. Y., & Li, M. (2011). Qualitative case studies in operations management: Trends, research outcomes, and future research implications. Journal of Operations Management, 29(4), 329–342. https://doi.org/https://doi.org/10.1016/j.jom.2010.06.002
- Berlitz, F., & Gaelzer, R. (2009). ISO 9001 process-oriented internal audits. Clinical Chemistry, 55(6), A28.
- Bernardo, M., Casadesus, M., Karapetrovic, S., & Heras, I. (2010). An empirical study on the integration of management system audits. Journal of Cleaner Production, 18(5), 486–495. https://doi.org/https://doi.org/10.1016/j.jclepro.2009.12.001
- Boaden, R. J. (1996). Is total quality management really unique? Total Quality Management, 7(5), 553–570. https://doi.org/https://doi.org/10.1080/09544129610649
- Chiarini, A. (2019). Why are manufacturing SMEs cancelling their ISO 9001 certification? Research from Italy. Production Planning and Control, 30(8), 639–649. https://doi.org/https://doi.org/10.1080/09537287.2019.1566840
- Clear Quality. (n.d.). ISO 9001 History. Clear Quality Ltd. Retrieved February 3, 2021, from https://www.clearquality.co.uk/iso-9001-history
- Conn, V. S., Valentine, J. C., Cooper, H. M., & Rantz, M. J. (2003). Grey literature in meta-analyses. Nursing Research, 52(4), 256–261. https://doi.org/https://doi.org/10.1097/00006199-200307000-00008
- Dahlgaard-Park, S. M., Reyes, L., & Chen, C.-K. (2018). The evolution and convergence of total quality management and management theories. Total Quality Management & Business Excellence, 29(9–10), 1108–1128. https://doi.org/https://doi.org/10.1080/14783363.2018.1486556
- Domingues, J. P., Mufato Reis, A., Fonseca, L., Ávila, P., & Putnik, G. (2019). The added value of the ISO 9001: 2015 International standard from an auditors’ perspective: A CB-SEM based evaluation. International Journal for Quality Research, 13(4), 967–986. https://doi.org/https://doi.org/10.24874/IJQR13.04-15
- Domingues, P., Sampaio, P., & Arezes, P. (2011). Beyond audit definition: A framework proposal for integrated management systems. Proceedings of Institute of Industrial engineers Annual Conference, Reno, EUA, May 21-25, (pp. 8).
- Elg, M., Gremyr, I., Halldorsson, A., & Wallo, A. (2020). Service action research: Review and guidelines. Journal of Services Marketing, 34(1), 87–99. https://doi.org/https://doi.org/10.1108/JSM-11-2018-0350
- Elg, M., Gremyr, I., Hellström, A., & Witell, L. (2011). The role of quality managers in contemporary organisations. Total Quality Management & Business Excellence, 22(8), 795–806. https://doi.org/https://doi.org/10.1080/14783363.2011.593899
- Ellström, P.-E. (1998). The many meanings of occupational competence and qualification. Key Qualifications in Work and Education, 39–50. Spirnger, Dordrecht. https://doi.org/https://doi.org/10.1007/978-94-011-5204-4_3
- Esa, M., Rashid, R. A., Abdullah, R., & Masodi, M. S. (2006). Value-adding through internal audits: A continuous improvement process in microwave engineering education. 2006 International RF and Microwave Conference, (RFM) Proceedings, September 12-14, Putra Jaya, Malaysi. 329–333. https://doi.org/https://doi.org/10.1109/RFM.2006.331097
- Fletcher, K., & Gupta, P. (1999). Conducting value-added internal audits. Printed Circuit Fabrication, 22(11), 64–76.
- Fonseca, L. (2015). From quality gurus and TQM to ISO 9001: 2015: A review of several quality paths. International Journal for Quality Research (IJQR), 9(1), 167–180.
- Fonseca, L., & Domingues, J. P. (2017a). ISO 9001: 2015 edition-management, quality and value. International Journal of Quality Research, 1(11), 149–158. https://doi.org/https://doi.org/10.18421/IJQR11.01-09
- Fonseca, L., & Domingues, J. P. T. (2017b). The results are in - what auditors around the world think of ISO 9001:2015. Quality Progress, 50(10), 26–33.
- Fonseca, L., Domingues, J. P., Baylina, P., & Harder, D. (2019). ISO 9001: 2015 adoption: A multi-country empirical research. Journal of Industrial Engineering and Management, 12(1), 27–50. https://doi.org/https://doi.org/10.3926/jiem.2745
- Frei, U. (1998). A fresh impetus for internal audits. Measuring Business Excellence, 2(4), 50–53. https://doi.org/https://doi.org/10.1108/eb025555
- Gremyr, I., Elg, M., Hellström, A., Martin, J., & Witell, L. (2019). The roles of quality departments and their influence on business results. Total Quality Management & Business Excellence, 1–12. https://doi.org/https://doi.org/10.1080/14783363.2019.1643713
- Hassan, N. A., Mohamad Zailani, S. H., & Hasan, H. A. (2019). Integrated internal audit in management system: A comparative study of manufacturing firms in Malaysia. The TQM Journal., 32(1), 110–126. https://doi.org/https://doi.org/10.1108/TQM-03-2019-0077
- Hernandez, H. (2010). Quality audit as a driver for compliance to ISO 9001:2008 standards. The TQM Journal, 22(4), 454–466. https://doi.org/https://doi.org/10.1108/17542731011053361
- Hoy, Z., & Foley, A. (2015). A structured approach to integrating audits to create organisational efficiencies: ISO 9001 and ISO 27001 audits. Total Quality Management and Business Excellence, 26(5–6), 690–702. https://doi.org/https://doi.org/10.1080/14783363.2013.876181
- Hutchins, G. (2001). The state of quality auditing: It’s being integrated into internal auditing. Quality Progress, 34(3), 25–29.
- International Organization for Standardization. (1994, June). ISO 9001:1994, Quality systems – model for quality assurance in design, development, production, installation and servicing. https://www.iso.org/standard/16534.html
- International Organization for Standardization. (2000, December). ISO 9001:2000, Quality management systems – Requirements. https://www.iso.org/standard/21823.html
- International Organization for Standardization. (2008). Implementation Guidance for ISO 9001:2008. (ISO/TC 176/SC 2/N 836). Secretariat of ISO/TC 176/SC 2. https://www.iso.org/files/live/sites/isoorg/files/archive/pdf/en/06_implementation_guidance.pdf
- International Organization for Standardization. (2015a). Giving ISO 9001 a fresh sparkle. ISO focus November-December 2015. https://www.iso.org/isofocus_113.html
- International Organization for Standardization. (2015b). Quality management systems – Fundamentals and vocabulary (ISO 9000:2015). https://www.iso.org/standard/45481.html
- International Organization for Standardization. (2015c). Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements (ISO/IEC 17021-1:2015). https://www.iso.org/standard/61651.html
- International Organization for Standardization. (2018). Guidelines for auditing management systems (ISO 19011:2018). https://www.iso.org/standard/70017.html
- Islamova, O. V., & Volkova, R. M. (2017). Effectiveness of internal audit of processes in the organization. In S. Shaposhnikov (Ed.), Proceedings of the 2017 International Conference “quality management, transport and Information security, Information technologies” (IT and QM and IS) (pp. 425–427). IEEE.
- ISO survey. (2018). International Organization for standardization. International Organization for Standardization.
- İlkay, M. S., & Aslan, E. (2012). The effect of the ISO 9001 quality management system on the performance of SMEs. International Journal of Quality & Reliability Management, 29(7), 753–778. https://doi.org/https://doi.org/10.1108/02656711211258517
- Jarrell, D., & Vanderlinden, N. (1995). Effective internal quality systems auditing.1. The quality management-systems auditor. Tappi Journal, 78(2), 271–272.
- Kaynak, H. (2003). The relationship between total quality management practices and their effects on firm performance. Journal of Operations Management, 21(4), 405–435. https://doi.org/https://doi.org/10.1016/S0272-6963(03)00004-4
- Kaziliunas, A. (2008). Problems of auditing using quality management systems for sustainable development of organizations. Technological and Economic Development of Economy, 14(1), 64–75. https://doi.org/https://doi.org/10.3846/2029-0187.2008.14.64-75
- Kochan, A. (1993). Internal evaluations. The TQM Magazine, 5(2), 15–17. https://doi.org/https://doi.org/10.1108/EUM0000000003063
- Kondo, Y. (1998). Hoshin kanri-a participative way of quality management in Japan. The TQM Magazine, 10(6), 425–431. https://doi.org/https://doi.org/10.1108/09544789810239155
- Kraus, J. L., & Grosskopf, J. (2008). Auditing integrated management systems: Considerations and practice tips. Environmental Quality Management, 18(2), 7–16. https://doi.org/https://doi.org/10.1002/tqem.20202
- Lenning, J. (2018). Auditing of explorative processes. Total Quality Management and Business Excellence, 29(9–10), 1185–1199. https://doi.org/https://doi.org/10.1080/14783363.2018.1487605
- Lenning, J., & Gremyr, I. (2017). Making internal audits business-relevant. Total Quality Management & Business Excellence, 28(9–10), 1106–1121. https://doi.org/https://doi.org/10.1080/14783363.2017.1303891
- MacInnis, D. J. (2011). A framework for conceptual contributions in marketing. Journal of Marketing, 75(4), 136–154. https://doi.org/https://doi.org/10.1509/jmkg.75.4.136
- Marques, P., Requeijo, J., Saraiva, P., & Frazao-Guerreiro, F. (2013). Integrating six sigma with iso 9001. International Journal of Lean Six Sigma, 4(1), 36–59. https://doi.org/https://doi.org/10.1108/20401461311310508
- Masanganise, K. E., Matope, G., & Pfukenyi, D. M. (2013). A survey on auditing, quality assurance systems and legal frameworks in five selected slaughterhouses in bulawayo, south-western Zimbabwe. Onderstepoort Journal of Veterinary Research, 80(1), 1–8. https://doi.org/https://doi.org/10.4102/ojvr.v80i1.575
- Meegan, S. T., & Simpson, R. (1997). Progressive roles of the internal audit function: A case study of BTNI. Managerial Auditing Journal, 12(8), 395–399. https://doi.org/https://doi.org/10.1108/02686909710177070
- Merrill, P. (1996). Category III. Process quality improvement - the `hidden’ communication systems in an ISO 9000 quality system. In Anon (Ed.), Annual Quality Congress Transactions, presented at the Proceedings of the 1996 ASQC’s 50th Annual Quality Congress (pp. 468–478). ASQC.
- Merrill, P. (1997). ISO 9000 - life beyond registration. In Anon (Ed.), Annual Quality Congress Transactions, presented at the Proceedings of the 1997 51st Annual Quality Congress (pp. 686–692). ASQC, ASQ.
- Moher, D., Liberati, A., Tetzlaff, J., Altman, D. G., & Group, P. (2009). Preferred reporting items for systematic reviews and meta-analyses: The PRISMA statement. PLoS Medicine, 6(7), e1000097. https://doi.org/https://doi.org/10.1371/journal.pmed.1000097
- Ni, Z., & Karapetrovic, S. (2003). Perennial self-audit: Model and applications. Managerial Auditing Journal, 18(5), 363–373. https://doi.org/https://doi.org/10.1108/02686900310476837
- Nolan, C. T., & Garavan, T. N. (2016). Human resource development in SMEs: A systematic review of the literature. International Journal of Management Reviews, 18(1), 85–107. https://doi.org/https://doi.org/10.1111/ijmr.12062
- Pettigrew, A. M. (1987). Context and action in the transformation of the firm. Journal of Management Studies, 24(6), 649–670. https://doi.org/https://doi.org/10.1111/j.1467-6486.1987.tb00467.x
- Piskar, F. (2006). Quality audits and their value added. International Journal of Services and Standards, 2(1), 69–83. https://doi.org/https://doi.org/10.1504/IJSS.2006.008159
- Poksinska, B., Eklund, J. A., & Dahlgaard, J. J. (2006). ISO 9001: 2000 in small organisations. International Journal of Quality & Reliability Management, 23(5), 490–512. https://doi.org/https://doi.org/10.1108/02656710610664578
- Power, D., & Terziovski, M. (2005). The process, practice and outcomes of non-financial auditing: Five Australian case studies. International Journal of Manufacturing Technology and Management, 7(1), 52–82. https://doi.org/https://doi.org/10.1504/IJMTM.2005.006502
- Power, D., & Terziovski, M. (2007). Quality audit roles and skills: Perceptions of non-financial auditors and their clients. Journal of Operations Management, 25(1), 126–147. https://doi.org/https://doi.org/10.1016/j.jom.2006.02.005
- Quality Management Systems – Requirements (ISO 9001:2015). (2015). 4th ed., 2015, Swedish Standard Institute, Stockholm.
- Ramly, E. F., Atan, H., & Osman, M. S. (2018). Issues and improvement opportunities in management system internal audit - A survey. Proceedings of the International Conference on Industrial Engineering and Operations Management, 2018-March (pp. 337–343).
- Ramly, E. F., Ramly, E. S., & Yusof, S. M.. (2007). Effectiveness of quality management system audit to improve quality performance – A conceptual framework. International Conference on Quality and Reliability (ICQR 2007), Chiang Mai, Thailand, Nov 5-7.
- Rippin, A., White, J., & Marsh, P. (1994). From quality assessment to quality enhancement: A framework”. Quality Assurance in Education, 2(1), 13–20. https://doi.org/https://doi.org/10.1108/09684889410054536
- Rivera, D. E., Villar, A. S., & Marrero, J. I. S. (2017). Auditors selection and audit team formation in integrated audits. Calitatea, 18(157), 65–71.
- Roth, J. (2003). How do internal auditors add value? Institute of Internal Auditors, 60(1), 33–37.
- Roworth, C., & Muir, G. (1999). The secret’s in the audit. Quality World, FEB, 52–56.
- Schöpfel, J. (2010, December). Towards a Prague definition of grey literature. In Twelfth International Conference on Grey Literature: Transparency in Grey Literature. Grey Tech Approaches to High Tech Issues. Prague, 6-7 December 2010 (pp. 11–26).
- Sirk, I., & Popovic, S. F. (2015). A decade of quality management system at the maribor public library. Qualitative & Quantitative Methods in Libraries, 4(2), 317–320. http://www.qqml.net/index.php/qqml/article/view/248
- Sousa, R., & Voss, C. A. (2002). Quality management re-visited: A reflective review and agenda for future research. Journal of Operations Management, 20(1), 91–109. https://doi.org/https://doi.org/10.1016/S0272-6963(01)00088-2
- Stetler, C. B., Ritchie, J., Rycroft-Malone, J., Schultz, A., & Charns, M. (2007). Improving quality of care through routine, successful implementation of evidence-based practice at the bedside: An organizational case study protocol using the Pettigrew and whipp model of strategic change. Implementation Science, 2(1), 1–13. https://doi.org/https://doi.org/10.1186/1748-5908-2-3.
- Sun, J., Zhang, Y., Zuo, Z., Chang, Z., & Guo, J. (2017). Research on the effectiveness improvement strategy of quality management system of chemical enterprises. Chemical Engineering Transactions, 62, 1603–1608. https://doi.org/https://doi.org/10.3303/CET1762268
- Terziovski, M., & Guerrero, J.-L. (2014). ISO 9000 quality system certification and its impact on product and process innovation performance. International Journal of Production Economics, 158, 197–207. https://doi.org/https://doi.org/10.1016/j.ijpe.2014.08.011
- Terziovski, M., Power, D., & Sohal, A. S. (2002). From conformance to performance and continuous improvement using the ISO 9000 quality system standard. International Journal of Business Performance Management, 4(1), 1–23. https://doi.org/https://doi.org/10.1504/IJBPM.2002.000105
- Thijeel, A. M., & Bachay, I. R. (2019). Sample for the inner control on the quality in accordance with standard. Opcion, 35(Special Issue 20), 566–582.
- Tomic, B., & Spasojevic Brkic, V. K. (2019). Customer satisfaction and ISO 9001 improvement requirements in the supply chain. The TQM Journal, 31(2), 222–238. https://doi.org/https://doi.org/10.1108/TQM-07-2017-0072
- Torraco, R. J. (2016). Writing integrative literature reviews: Using the past and present to explore the future. Human Resource Development Review, 15(4), 404–428. https://doi.org/https://doi.org/10.1177/1534484316671606
- Underdown, R., & Yentzen, G. (2012). The process of internal audits as a catalyst for continuous improvement. In 62nd IIE Annual Conference and Expo 2012.
- Verkhovskaya, M. V., Khazanov, O. V., Vasina, J., & Gavrikova, N. A. (2016). Improvement of the procedure of internal audit at TPU (Institute of Natural resources). In K. S. Soliman (Ed.), Proceedings of the 27th International business Information management association conference - innovation management and Education Excellence vision 2020: From regional development sustainability to global Economic growth (pp. 31–37). IBIMA.
- Wayhan, V. B., Kirche, E. T., & Khumawala, B. M. (2002). ISO 9000 certification: The financial performance implications. Total Quality Management, 13(2), 217–231. https://doi.org/https://doi.org/10.1080/09544120120102450
- Zairi, M. (1994). TQM: What is wrong with the terminology. The TQM Magazine, MCB UP Ltd.