ISO 9001:2015 & Internal Auditing: What You Need To Know
Guide to Performing Effective ISO 9001 Internal Audits
One of the most critical and valuable activities performed within an ISO 9001 quality management system (QMS) is your company’s internal audit program. A well-planned, conducted and reported internal audit will allow the QMS to continually improve. An effective internal audit process will also provide evidence of compliance to all of the ISO 9001 components, as well as provide evidence of the effectiveness of your company’s processes and practices. The purpose of this document is to provide guidance on planning and performing an ISO 9001 internal audit. It is our hope that this information and the helpful audit tools will provide value to your company’s QMS.
Components of the ISO 9001 Internal Audit
Implementing ISO 9001:2015 Quality management systems (QMS) requirements brings with it the responsibility, and the expected commitment, to conform to the requirements imposed by the standard. ISO 9001 requires companies to conduct internal audits at planned intervals to provide information on whether the QMS conforms to:
- the company’s own self-imposed requirements for its QMS,
- the requirements of the ISO 9001 standard, and
- the effective implementation and maintenance of the QMS.
Three key aspects of effective and conforming internal audits are planning audits, conducting audits, and following up and closing audits. Before going into the three key aspects in more detail, remember that the purpose of internal audits is not only to conform to ISO 9001 requirements but, in doing so, to identify QMS weaknesses, identify opportunities for both process and QMS improvements, identify and share best practices, and assess QMS effectiveness to ensure the QMS supports the company’s strategy and direction. Effective and conforming internal audits strengthen process conformance, reduce risks, improve efficiency and, taken altogether, improve business results. Useful reference information can also be found in two additional ISO standards: ISO 9000:2015 QMS – Fundamentals and vocabulary, and ISO 19011:2018 Guidelines for auditing management systems.
Planning Internal Audits
Think about audit planning at two distinct levels: the overall audit program and individual audits. An annual or longer audit schedule (see examples) can be used by the audit program manager (for many companies this is the Quality Manager) to address the ISO 9001 requirement for planning, establishing, implementing and maintaining the audit program. Individual audits can be full system audits (e.g., all QMS processes and all ISO 9001 clauses covered at once in one event), or can be split over time into multiple partial audits that together cover the full system. Auditing all QMS processes and all ISO 9001 clauses annually is considered a best practice. Based on risk and past performance, auditing some processes more than once per year may be justified, while other processes may not need to be audited annually.
An important element of audit planning is the selection of auditors. Auditors are typically assigned by the audit program manager when developing the overall audit program. Companies must define competence requirements for their internal auditors, whether they are employees or an external supplier not part of the company. The benefit of using external suppliers is that they are full-time auditors who bring proficiency, consistency and a fresh set of objective eyes to an audit, while employees tend to audit part-time or somewhat infrequently and may not have sufficient time to audit alongside their other responsibilities. However, employees know and understand the culture and unwritten expectations of the company.
Desirable personal attributes for auditors have been described as ethical, open-minded, diplomatic, observant, versatile, tenacious, decisive, self-reliant, and willing to be an auditor. Knowledge and skill expectations for auditors typically include a good understanding of ISO 9001:2015 standard requirements; audit principles and techniques; applicable laws, regulations and other requirements; quality-related methods and techniques; and facility operations, processes, products and services. Minimum requirements should include successful completion of ISO 9001:2015 internal auditor training/coursework (or training as an internal auditor plus separate training on the requirements of the current standard). Other competence considerations (e.g., education, work experience, audit experience, technical knowledge, behavioral skills) are established at the discretion of the company.
It is good practice to document internal auditor competency requirements in the company’s internal audit procedure, and also allow the qualification and use of external auditors should the need arise. You may also choose to document whether it is permissible to allow any external auditor to utilize their own audit report or whether they must use your internal forms and tools for conducting an audit.
The auditor is responsible for planning individual audits and initiating the audit. When preparing for a process-based audit, it is helpful to use internally developed process flow diagrams and turtle diagrams (if you use them). To initiate the audit, the auditor confirms the general audit activities and arrangements, and at that time should request information not otherwise readily available within the company describing the audit customer’s process(es), along with related procedures, work instructions and other applicable QMS documented information. Upon receipt of the audit customer’s documented information, the auditor can begin detailed audit planning by reviewing the QMS documented information (e.g., prior audit reports, QMS performance results against objectives/metrics and targets, customer feedback including returns, corrective actions, and management review actions), looking for weaknesses or areas of concern. Following this review, the auditor can then determine what audit documentation (e.g., Audit Plan, audit checklist(s), audit notes, Audit Report) is appropriate for the audit.
An effective individual audit plan simply communicates the who, what, when, where, why, and how of an audit by identifying the audit’s objective, scope, criteria and methods.
- Audit objectives were identified earlier and are noted above.
- Audit scope can easily be defined by the company’s ISO 9001 certificate scope statement often supplemented with a description of the physical location, departments, activities and processes, as well as the time period covered.
- Audit criteria should include ISO 9001:2015 requirements together with customer requirements, the company’s own requirements, statutory and regulatory requirements, and other applicable requirements (Codes of Practice, industry standards, etc.).
- For internal audits, audit methods essentially refer to how audits will be performed (e.g., on-site, remote/virtual or some combination thereof). The choice of audit method should be balanced against the associated audit risks and opportunities.
- The final Audit Plan should include the audit date, the location and type of audit to be conducted, the audit scope describing the QMS and processes to be audited, the ISO 9001/customer/organizational requirements against which QMS conformance will be judged, and an agenda describing the start times for the process/topic interviews along with the interviewees.
Development of an audit checklist is at the option of the auditor, and checklists tend to be personal to the respective auditor. Checklist questions should be open-ended, helping guide the auditor to cover the various ISO 9001, customer and/or company requirements, assisting with time management and audit flow, and serving as a convenient place to document audit notes. A good starting point for preparing an audit checklist is to review the process(es) to be audited, asking probing questions about process inputs, outputs, equipment/materials, performance/metrics, and required resources/skills, and seeking verification of that process information. Following review of the QMS processes, create the questions to be used for the audit and populate the audit checklist. Here is a link to a process audit checklist used to audit core processes of the QMS. More traditional, old-school checklists might be used for auditing clauses 4-7, 9, and 10, if these are not adequately covered when performing a process audit of the core processes.
The culmination of audit planning for an individual audit is the creation of audit documentation which is used to plan, conduct, capture evidence and report results for the audit. Audit documentation generally consists of the Audit Plan, audit checklist(s), audit notes and the Audit Report. The final audit planning step is communication of the Audit Plan to the audit customer for their agreement.
Conducting Internal Audits
Auditing is essentially a fact-finding activity achieved by sampling information, in this case about the company’s ISO 9001 implementation. So, what degree of sampling is necessary? Experience suggests auditing/sampling until you can make a decision on the information collected that confirms conformity or nonconformity based upon objective evidence (this might be between 2 and 5 samples, depending on time constraints). The process approach to auditing is the audit strategy recommended here. Remember, a QMS is a series of integrated processes with various linkages and interactions among them. Embedded within the process approach is the technique of tracing audit paths/trails forward or backward from a starting point, which can be at the beginning, middle or end of a given process. Simply put, the steps in conducting an internal audit are to:
- begin the audit,
- collect and analyze data,
- conduct the Closing Meeting, and
- prepare the final Audit Report.
Beginning the audit can be as simple as informing the audit customer that the audit is starting, but depending upon company size and/or the effectiveness of company communications, an Opening Meeting on the first day of the audit may be beneficial to be sure everyone understands the expectations of the audit detailed in the Audit Plan. With or without an Opening Meeting, it is critical that the auditor and audit customer confirm any changes to the Audit Plan and the timing of the Closing Meeting before proceeding with the audit.
Data collection is the activity in which audit evidence is gathered by reviewing documents and verifying records, physically examining tangible things (quantitative evidence is best, qualitative as a last resort), observing activities, and/or interviewing people (process owners, operators, support staff, management, etc.). The techniques used to collect data (e.g., process auditing, completing checklists, reviewing documents/records) and the degree of sampling depend upon an auditor’s experience and, to some degree, on preferences. Data analysis is then performed by the auditor to classify the collected data and categorize audit findings against ISO 9001, customer, and company requirements. For internal audits it is recommended to limit audit findings to three (3) types:
- Exemplary/Positive Practice, i.e., effective and positive process or system implementation;
- Opportunity for Improvement, i.e., identification of areas with a potential for breakdown or weakness; and
- Nonconformity, i.e., the non-fulfillment of a requirement.
The Closing Meeting serves the purpose of communicating and reviewing the audit findings, addressing audit questions and any concerns, and, together with the audit customer, agreeing upon the audit conclusions. Audit conclusions should address:
- the extent of management system conformity with the audit criteria, and
- the effectiveness of the system implementation.
Remember, auditing is a sampling process by its nature, and there is a risk that the audit evidence examined may not be representative; audit conclusions may therefore not fully represent the overall QMS effectiveness. It is considered best practice to assign responsibility for follow-up actions (e.g., corrections, corrective actions or improvement actions) in the Closing Meeting.
The final step in conducting audits is to prepare and distribute the Audit Report and ensure formal corrective actions are issued for audit nonconformities. The Audit Report serves as the record for the audit and should include:
- audit scope and objectives,
- audit customer,
- audit date and processes/activities audited (audit agenda/schedule and arrangements),
- audit criteria,
- audit findings, and
- the audit conclusion.
The Audit Report should be formally published and distributed upon agreement with the audit customer. Whatever the company’s method for addressing audit nonconformities (typically documented in the company’s internal audit procedure and/or the procedure that addresses corrective actions), they must be entered into the appropriate administrative system by the responsible party, with corrective actions assigned and taken to prevent recurrence. Decisions to act on opportunities for improvement are at the discretion of the company. It is the responsibility of the audit program manager to ensure audit results are communicated into the management review process for top management review.
Following Up and Closing Audits
Audit follow-up generally consists of reviewing audit nonconformities and ensuring that the corrective actions taken to eliminate their causes and prevent recurrence (or occurrence elsewhere) are effective. A simple verification step is to confirm that the nonconformity did not return after a reasonable period. Closing the audit is accomplished when all planned audit activities have been completed and, depending upon the company’s audit process/procedure, may also include verification that all audit nonconformities and their respective corrective actions have been completed.
Although not comprehensive, this document is intended to provide some guidance for your company’s ISO 9001 internal audit process and activities. A well-defined and executed internal audit process will benefit your company by:
- Improving accuracy (and compliance) within your company’s QMS.
- Helping to avoid or eliminate potential customer issues and problems.
- Uncovering any areas of non-conformance, redundancy, and waste, thus adding value to your company.
- Ensuring policies and practices of your company are being implemented effectively.
- Ensuring compliance to the interested parties’ requirements.
Effective internal auditing will provide your company with real value for the resources utilized when you use competent internal auditors. (If you’re interested in determining the cost of conducting your own internal audits, we’ve developed an Audit Cost Calculator that’s free to use.)
If your internal auditors need training to bring their ISO 9001 knowledge and qualifications up to speed, simpleQuE offers onsite Internal Auditor Training. Or, if you don’t have the resources to conduct an effective and compliant internal audit, our quality experts have the auditing expertise and certified resources to offer true value to your business. Whether you need help with problematic supplier assessments, sourcing evaluations, ongoing supply chain strategy assessments and audits, or corporate quality audits, simpleQuE can deliver. Contact us to discuss a customized strategy.