What You Need to Know About ISO 9001 Internal Audits (Part 4)

In Part 4 of the series:  ISO 9001 Implementation – What You Need to Know, Jim Lee, simpleQuE’s CEO focuses on ISO 9001 internal audits.  During his career, Jim has conducted many internal audits for companies in a variety of industries, as well as 3rd party audits for a Certification Body.  He has also assisted many companies in attaining and maintaining their certifications, and created this series of helpful articles for companies implementing an ISO 9001 quality management system (QMS).  

Note:  Companies may not realize they can outsource their internal audits to a 2nd party like simpleQuE whose auditors are qualified, certified, and are experts on the standards, industry, and customer-specific requirements. Many have 3rd party auditing experience and bring valuable insight because of the knowledge gained from extensive auditing for certification bodies, and from seeing many companies and various ways these companies meet the requirements.

Getting started with your ISO 9001 Internal Audit

The implementation of ISO 9001:2015 Quality Management Systems (QMS) requirements brings with it the responsibility and expectation of commitment for companies to conform to requirements imposed by the standard.  ISO 9001 (Clause 9.2.1) requires companies to conduct internal audits at planned intervals to provide information on whether the QMS conforms to:

• the company’s own self-imposed requirements for its QMS and
• the requirements of the ISO 9001 standard, and
• the effective implementation and maintenance of the QMS.

The process owner for “internal audits” (refer to Clause 9.2.2) must ensure:

• a documented procedure is in place,
• an audit planning schedule is created and used,
• auditors are independent of the area audited,
• records of audits are retained,
• audit findings initiate corrective actions,
• audit results (findings) are shared with company management,
• and that a full system internal audit is completed prior to an external audit with a certification body.
• Internal auditors should also be trained and competent to perform internal audits using the process audit approach. 

1. Complete an internal audit covering all elements of ISO 9001:2015 using the process audit approach.

This ISO 9001 audit checklist of questions can be used to audit any core process. You will need to have a schedule of the internal audits (see our examples). A full round of internal audits should be conducted yearly. Be sure to follow ISO 19011 for guidance on completing your internal audit. Audits can be broken down into pieces or completed all at once. For a new quality management system there is no practical way to justify less frequent internal audits. Once there is some history and maturity, there will be enough information to assess the risks and determine whether there are some processes that can be audited less frequently than once a year, or whether some processes need to be audited multiple times a year. Any analysis or justification should be covered in the management review meeting.

Note that the process approach wants you to avoid auditing clauses of the standards, when it comes to the core business processes.  Auditing the internal audit requirements (Clause 9.2) or management review requirements (Clause 9.3) can follow traditional checklist and clause-based audits.  When it comes to the core business processes, it is important that you audit each of those processes, which cover many clauses of the standard, and shouldn’t solely focus on just the sub-clause. 

The internal audit, prior to certification, is a way to thoroughly assess that all gaps are closed and that all systems and processes are working as intended through records generated from the processes. Use the internal audit as a tool to improve employee awareness of ISO 9001 requirements and to reinforce expectations for what can happen during and audit and how to conduct themselves with an outside auditor.

Knowledge. Expertise. Experience.

Schedule A Free Consultation

Outsource Your Internal Audits

2. Collect at least 1-3 months (preferably >12 months) of performance data, which should include:

• Customer Scorecards (if provided)
• Customer complaints and request for corrective actions
• Your own quality and delivery performance
• Process measurements (key process indicators)
• Internal nonconformities and actions taken

You may justify and defend different metrics as your quality objectives. As you monitor and evaluate your performance against the goals, make appropriate adjustments over time to the goals, or even change the metric if you aren’t getting value from the metric.

3. All the core process owners should be able to demonstrate that their processes are working as intended through records generated from the process.

Process owners should be aware of any poor performance against department or company quality objectives and should be working to turn poor performance around.

4. Complete a management review according to Clause 9.3.

Whether this is met with one annual meeting, or with multiple management meetings covering pieces of the management review requirements in Clause 9.3, all topics need to be covered at least once through the year, with action items being captured to show evidence the meetings are effective. Since internal audit results need to be reviewed in the management review, it should be completed after audits are completed.

For more resources and detailed information on conducting your internal audits, see simpleQuE’s Guide to Performing Effective ISO 9001 Internal Audits. If your internal auditors need training to bring their ISO 9001 knowledge and qualifications up to speed, simpleQuE offers onsite Internal Auditor Training.  Or if you don’t have the resources to conduct an effective and compliant ISO 9001:2015 internal audit, our quality experts, have the auditing expertise and certified resources to offer true value to your business.  

The benefit of a certification readiness audit

You may want to consider a certification readiness audit which is performed prior to a surveillance or initial Certification Body (CB) audit to be sure that your quality management system and team are ready. Many registrars recommend and offer optional practice or pre-assessment audits. Their audits can’t count as your internal audit, but ours can. Unlike CB auditors, our auditors can consult, coach and provide guidance. SimpleQuE also offers support during and/or after the Registration Audit to provide the most effective and efficient method of establishing corrective actions for nonconformances identified during the registration audit. We work with your team to assure root cause analysis and corrective action implementation to successfully close findings to obtain certification.  Contact us to discuss a customized strategy.

Click below for links to the series: ISO 9001 Implementation – What You Need To Know

Syncing the ISO 9001 Quality Management System With Your Business System and Priorities – Part 1

What to Know When Implementing Your ISO 9001 Quality Management System and Processes – Part 2

What to Know About Management Processes, Quality Objectives, QMS Documentation, and More When Implementing ISO 9001 – Part 3

What You Need to Know About ISO 9001 Internal Audits When Implementing your QMS – Part 4

SimpleQuE is a leader in AS, IATF® and ISO consulting, auditing and training.  Whether you are just beginning the certification process or looking for a partner for ongoing maintenance and internal audits, simpleQuE makes the process easier and more efficient. Contact us for a consult and see the difference that simpleQuE can bring to your quality management process.