Diving Deeper into ISO 9001:2015
Internal Audit - ISO 9001:2015
Conducting an internal audit that is passable to an external certification body auditor is relatively easy to accomplish. But what’s the point in simply passing? Shouldn’t an organization genuinely be interested in taking a deeper look at its process performance and management system’s effectiveness? You would think so. This, however, is not the case for many of the ISO 9001 certified organizations out there. It seems commonplace to have either a parallel “fake” management system ready for the 3rd party auditor or to have companies strive to do just enough to meet the “shall’s” of the standard. But enough is enough. Forget about stressing to meet the requirements of the standard, we can fulfill every requirement without even trying if we just focus on the fundamental purpose of the internal audit. Let’s try a more commonsense approach and see what happens! So if you’re ready, grab your ISO 9001:2015 standard and let’s dive in and see what we find. (If you need to obtain a copy of ISO 9001...)
Chapter 9.2 – Internal Audit
Chapter 9 is all about performance evaluation of the organization. This section effectively states that you are to monitor, measure, analyze and evaluate your system. 9.2.1 – We encounter the first shall statement and it simply says that your organization has to conduct internal audits at planned intervals. But what does planned intervals mean exactly? It simply means you can conduct an internal audit whenever you want as long as it’s planned. That’s right! It doesn’t say conduct an internal audit monthly, quarterly, or annually. So... your 3rd party auditor is going to ask you what question then? They are going to ask what is your planned interval, and you will respond with whatever your organization has determined works best for you! That’s it! Then your auditor will ask to see proof and you simply show them your audit schedule that demonstrates that you have planned your intervals and have your internal audit scheduled adequately. They will also want to see proof that the audit was actually conducted to that audit schedule, but more on that later.
The 3rd party auditor’s mindset: The certification body or 3rd party auditor will generally expect to see the entire management system (all processes) audited at least annually. What is not explicitly stated (but is generally a rule) of the 3rd party auditor is that a complete internal audit of all processes, systems, etc. must be completed over a three year period (a typical certification cycle). However, it is common (and best practice) for an organization to complete a full system audit annually. So what exactly are you auditing? In other words, what is the audit criteria that you are auditing against? 9.2.1 Part a, 1) and 2) states very clearly that you are auditing against the organization’s own quality management system requirements (what you say in your procedures or work instructions or what is common knowledge for a process flow) and how those processes match up and fulfill the requirements (shalls) found within the ISO 9001:2015 standard.
Ok, so far we have been asked to conduct an internal audit at predetermined, planned intervals against both your organization’s and ISO 9001’s requirements. Moving on to 9.2.2...
9.2.2 – Our 2nd shall requirement appears and simply states that you need to have an audit program established in which the frequency of audits, methods, responsibilities, planning and reporting requirements have been determined. It is no longer a requirement to jot these down in an internal audit procedure, but really how else are you going to effectively communicate them? You could jot them down in the quality manual, but the manual is also no longer a requirement in the 2015 version of the standard. At the end of the day, it’s ultimately up to you and your organization to plan, establish, implement and maintain this audit program as you see fit.
Moving on to the 3rd shall requirement in chapter 9.2 of the standard. First, the standard requires us to take into consideration the importance of processes concerned. Meaning some processes are more critical than others for varying reasons. It’s left to you to figure out what processes are critical. Perhaps you have a critical key process in the manufacturing of a product that’s quite complex. As an organization, you should probably audit that particular process a bit more frequently than others. How much more frequently? That’s up to you and it may be best to do some risk-based thinking here. What’s the risk of not auditing the process enough? Will it shut down production or the entire facility if not executed correctly? If so, then the risk is high and it might be best to audit that process more frequently. Use whatever method you’d like for determining risk, just be sure you can justify it. Once you assess the process, risk and make a time table that’s right for your organization, make sure those decisions are reflected in the audit schedule. Second, we also need to consider that there may have been changes in the organization that could potentially be a risk to the quality management systems effectiveness. Lastly, we should take a look at previous results of audits to determine if this process has historically been a trouble spot. If we previously saw 20 non-conformities in the last audit on this process, then we should audit it more frequently.
The rest of chapter 9.2.2 details the importance of defining what you are auditing (scope) and what you are auditing against (audit criteria), which is typically documented on an audit plan. Section 9.2.2b addresses your internal auditors. Internal auditors will be assigned (typically on the audit schedule or audit plan) to various processes of the management system. It is a requirement that auditors do not audit their own work, so that they may audit in an objective and unbiased fashion. In an associated section of the standard (7.2) regarding training and competency, auditors also must be deemed competent to conduct audits. Plain and simple, the internal auditor’s competency requirements are subjective. Your organization determines what competency means exactly. Once competency requirements are established, typically based on education, training, and experience, you must be able to demonstrate auditor competency through some means. What objective evidence is generally accepted? Typically, your 3rd party auditor is expecting to see an internal auditor certification and evaluation of internal audit performance. Internal auditor courses can be obtained from various sources, including here at wilkshireconsulting.com. The internal auditor education and competency is of vital importance to the organization in order to extract the most value from the internal audit. A solid internal auditor training course should include a review of ISO 19011:2011 guidelines for auditing management systems to ensure the development of sound understanding of auditing techniques and methodology. Additionally, the course should not just regurgitate the standards requirements, but instead review the requirements and then demonstrate how to best approach the auditing of these requirements. The objective evidence typically sought and the threshold for documented objective evidence should be reviewed in the course as well.
Chapter sections 9.2.2d, 9.2.2e, 9.2.2f from the standard discuss the reporting and response to the internal audit conclusions. Internal audit results need to be reported to management and appropriate action must be taken in the form of correction and corrective action when necessary and without delay. 9.2.2f also outlines the requirement for documented information to prove that you have an effectively implemented audit program. This would include your audit schedule, audit plan, objective evidence or audit notes, documented findings (nonconformance), opportunities for improvements, and audit report with associated responses to audit findings. 3rd party auditors that are doing a thorough job will dig deep into the audit plans and notes, reviewing the objective evidence documented. They will be most concerned with whether your results (number and severity of non-conformances) uncovered correlate to what they are seeing during their audit. They will ask to see your internal audit findings and dig into whether nonconformance's have been appropriately responded to in a reasonable amount of time and cross reference it to the time stated in the organization’s procedures. This information will be documented in their audit notes to determine if the requirements have all been met and if your internal audit program has been effectively implemented and maintained. Now that we have discussed the internal audit requirements as specified in ISO 9001:2015, we can move our focus to setting up your internal audit program for success.
One of the most critical items that is needed for a successful internal audit is the interaction of process (IOP) diagram. Continued in part 2 of this whitepaper, we will examine the process of establishing a proper and detailed IOP diagram in addition to utilizing process mapping and analysis, process-clause matrices, and auditing process linkages and audit trails. Way too many consultants have frightened their clients with misinformation regarding internal auditing complexity and requirements. We need to take a more practical approach to our internal audits so we can not only meet the requirements of the standard or 3rd party auditor, but strive to truly enhance our organization with a value-added internal audit. Sign up for Wilkshire Consulting updates and receive part 2 of the internal audit process whitepaper detailing how to successfully conduct a value added internal audit.