An internal audit procedure must define:
Q: What do we audit against?
A: Your procedures and ISO 9001:2008, plus any industry-specific regulations or contractual requirements.
Tip: Read the relevant documentation prior to the audit and make an audit checklist of the key aspects that you wish to audit. The checklist is merely an aide-mémoire; don't be blinkered by it.
Q: How far do we go?
A: Far enough to ensure the sequence and interaction of processes.
Q: How often?
A: Internal audit program frequency is not specified in ISO 9001:2008. Normal practice is to audit the whole QMS (but in bite-sized pieces) at least once per year or more often if considered appropriate.
Tip: Use the company process-map (see 4.1) as a basis for the audit programme – plan to audit related procedures (e.g. Enquiry and Quotation, Order Receipt, etc.) within a process (e.g. Sales) and ensure there is some overlap into the next process.
Q: How do we audit?
A: Interviewing staff, observing activities and viewing relevant records.
Report the audit results to management. You need to include in your procedure how any problems and improvements are followed up.
Q: What should be included in my report?
A: Your report should be objective and provide a balanced view. Report good things (conformance), bad things (non-conformance) and observations on possible improvements.
Q: What is a non-conformance?
A: ISO 9000 defines non-conformity as the failure to fulfil a requirement. So, if you can demonstrate that a requirement of ISO 9001, your procedures or other relevant document has not been met then you have a non-conformance.
The term "observation" is your opinion - so make sure you report it as such.
Auditor training records are also required, see 6.2.
1. confirm compliance with ISO 9001, any other regulations, company procedures, etc.
2. seek improvements (or simplifications) in processes.
Tip: Don't forget to audit "top management".
There is considerable emphasis on top management being seen to be on-board and playing the game. Top management is defined as the person(s) who direct an organisation at the highest level.
The principal message that management must get across is that the objective of this business is to keep the customer happy.
Specifically, management must communicate these ideas (5.1, 5.2, 5.3, 5.5.1, 5.5.2, 5.5.3) to the employees who should be aware of their own roles and responsibilities (6.2.2).
Notice that few of these clauses specify a procedure or a record – top management are simply required to do it.
As a result, the Certification Body will want to question the Directors and the staff. This is something that your own auditors must also do.
Also see ISO 19011.
Good auditors realise very early on that they are dealing with personalities as much as processes and systems. Whilst the intent of the audit is a serious one, light humour, politeness and diplomacy are often the best ways to build rapport. It is vital that every effort is made to reassure those being audited that the audit’s primary function is to drive improvement, not to name and shame.
If you are new to auditing, acknowledge this fact, be open and honest. It is also important to explain to the auditees that they are free to express their views during the audit. Remember that you, the auditor, are also there to learn.
Always discuss the issues you have identified with the auditees and always provide guidance on what is expected in terms of rectifying any non-conformances or closing out observations you raised. Let the auditees know they are welcome to read your notes and findings; the audit is not a secret.
Try not to be drawn into arguments concerning your observations. It is never appropriate to directly name people in the audit report as this may lead to defensiveness, which is ultimately counterproductive.
Preparation is the key to a meaningful audit and, as such, you should have an up-to-date audit schedule and a well-defined audit plan for each process. Be sure to communicate the audit schedule to all parties involved as well as to top management as this will help reinforce your mandate.
The audit schedule is a living document and should not be cast in stone, but instead, it should be allowed to evolve organically with the needs of the business. Always review historical audit reports and check during the audit that any previous corrective or preventive actions are still operating.
These basic audit questions will help guide the audit in the right direction since the answers they provide often unlock the doors to information the auditor requires in order to accurately assess the particulars of a process.
Consider these common audit questions:
If you have been involved in a certification body audit, you will have probably noticed that the professional auditors often use this method to perform the audit. They will start at either the beginning or the end of the organisation's workflow and follow a sample of inputs and outputs (e.g. orders, contracts, projects, products, etc.) through the organisation. This is known as a process audit. On an internal audit, you may not have time to cover the entire process in one audit, in which case, divide the process into manageable units and use that as the basis for your audit schedule and checklist.
The first task for the auditor is to establish what the process is intended to achieve. If it is a sales department, it could be that its primary function is to provide an effective interface between the organisation and its customers and to input clear and accurate customer data onto the computer system in a timely manner. (These may turn out to be the ‘quality objectives’ for that process as required by Para 5.4.1). If these are the most important objectives of that process, then the audit must concentrate on verifying whether or not they are being achieved.
Performance is often best proven by looking at how well the output of Process A satisfies the input requirements of Process B. For example: how often does Process B have problems with customer data entered on the system, and how many customer complaints have arisen due to inaccurate or late information being entered? If there is a documented procedure in place, it should define the process and the steps to be taken to ensure the objectives are achieved.
Consider these points:
A clue can be found in ISO 9001:2008 Clause 8.4. We are told to determine, collect, and analyze data to provide insight about the health of your quality management system. It goes on to provide a minimum of four areas that you must perform this analysis for: customer satisfaction, product quality, process performance, and supplier performance.
Clause 8.2.3 broadly addresses the monitoring and measurement of the processes referred to in Clauses 4, 5 and 6. Clause 8.2.4 mainly focuses on monitoring and measurement of the outputs from the Product Realisation process.
The processes that require measurement are:
A common way to measure a process is with quality objectives and key performance indicators. Select an objective or indicator for each core process, ensure it is measurable and track that indicator on a periodic basis (monthly, quarterly, annually, whatever makes sense for that metric). A single indicator may be used for more than one process. Include trend charts showing the performance of the metric from period to period.
In cases where an organisation has chosen not to operate a documented procedure, the first step must be to establish what methods exist to control the process. From there, the auditor can evaluate the effectiveness of the process by testing to ensure it is performed consistently and by comparing it to the appropriate clauses of ISO 9001.
Select the ‘predominant’ ISO clause for the process being audited plus the more general ones and you should be able to verify both the effectiveness of the process and also its compliance to the standard.
This can prove particularly useful when performing internal audits, as it helps the organisation to satisfy the requirements of clause 8.2.2 which requires us to ‘determine whether the quality management system conforms to planned arrangements, to the requirements of this International Standard and to the quality management system requirements established by the organisation’.
The audit schedule is divided up to reflect each section of ISO 9001:2008. You should determine which of these sections are of greatest relevance to your business; in other words, which processes, should there be problems, will affect your customers the most. These are the processes that your company must make certain remain stable and consistent. You might wish to schedule these key processes for additional audits, perhaps two or even three times per year.
The audit schedule provides the following benefits: