ISO9001 and the Internal Audit

When we talk to people about ISO9001 there are a few things that come up as the reasons not to do it, one is the need to document things, the other is around non-conformance and the final one is always the need for doing internal audits. Typically, I get told we fail enough external audits to know what we need to fix anyway! Or worse – we never fail and audit and never have any issues raised – that really does sound like a wasted opportunity and a poor audit!!
The point of the internal audit is to give you a feedback loop on your processes and adherence to them that allows you to firstly find out where you are not compliant with the processes that you wrote and secondly to be able to highlight areas for improvement. Those areas may well be that you need to do some training to follow the process, but it could just as easily be that your process is too onerous, and you could scale it back to make things better.
Internal Audits then need to be looked at as a treasure-trove of opportunities and you really want some non-conformance or feedback out of them otherwise, they genuinely are pointless. The International Standards Organisation (ISO) see them as so useful they have mandated them in clause 9.2 Internal Audit of ISO9001:2015, but don't be too worried, it's not about tripping you up its about helping to continuously improve your organisation.

Setting Boundaries and Expectations

Clause 9.2.1 of the standard is all about setting up the boundaries and expectations if you like of the audit process. The first thing to realise is that it says that the organisation SHALL conduct internal audits so there is no getting around it you must do it. It also says that they should be at planned intervals (we'll come back to the planned interval point) to provide enough information of a few things:

1. That the Quality Management System conforms to your own requirements i.e. are you doing what you said in your QMS you would do, are you following your own procedures?
2. That the Quality Management System conforms to the ISO9001:2015 standard's requirements for each of the clauses that are relevant to your organisation.
3. That the Quality Management System is effectively implements and maintained, in other words is it a living system that forms a real part of your organisations culture and day to day operation or is it something that sits on the shelf getting dusty only to be dragged out a week prior to an external audit, visit form a potential customer or an ISO visit?

So that's it the boundaries and expectations have been set, you have to audit and the audits are about ensuring your organisation is complying to your quality management system processes & procedures and of course any relevant clauses in ISO9001:2015

How To Do Your Audits

Clause 9.2.2 is where the real help kicks in as it's going to tell you exactly what you need to do with your audits to ensure they are useful for your organisation.

The first part of this clause is all about the planning of the audit program (which you must also keep up to date), you need to decide a number of things about your audit program: frequency of audits, how you will audit, responsibilities around auditing, planning requirements and reporting.

In terms of frequency of audit, there is a real misunderstanding here. A great many people I talk to believe you must audit your entire QMS every year, that's just not the case, especially with ISO9001:2015 which remember takes a risk-based approach to everything. So, there may be things within your organisation that deemed low risk with respect to your QMS and meeting the needs of the customer so auditing them every 6 months or even every year isn't sensible so why would you do that? It adds no value, right? So, in that case how about every 2 years of this things? Where are there are other requirements that may be critical to your customer that you audit every 6 months no matter what, it's very similar in thinking to the frequency of calibration that we called about previously. This frequency is up to you, a word of caution however, setting everything to 2 yearly or 5 yearly isn't going to fly come audit time.

How will you audit, again it's up to you but it is important to try and follow good audit practices, if you haven't got a hold of ISO19011 – Guidelines for auditing Management Systems it would be useful to get that as well but essentially you can do it with interviews, you can work through a pre-formatted questionnaire what ever makes sense. When working through your questions though mix them up, follow the data and don't get hooked on every single question, keep front of mind you are trying to add value with this process not trip people up or interrogate them.

The next element to think about is the scope of the audit, for example if you set out to audit your supply chain well that's a pretty large beast so you may decide that this audit is about the purchase order process or the stores control process, that's what you audit, that part of it and the processes and procedures linked to it.

Once you have your audit you need to report out on it, otherwise, what's the point. Remember the 1^st customer of the audit is the department getting audited and so the output should be discussed with the department management and anyone else relevant to it before going out to a wider audience. It's also good practice to compare the audit to previous ones to show improvements over time as well.

If the audit is any good there will be things found in it that could be improved, you need to decide if these are major things and so have a non-conformance or improvement notice raised or if they are just suggestions for things that could be done but not a must. Anything that is a non-conformance or improvement notice needs to be raised and acted upon in a realistic timeframe for your organisation, that may be hours, days, weeks even months… it's unlikely however to be years!

Finally, you need to retain the documented information as evidence that the audit program has been created and carried out and of course the results of the audit. There are many ways you can do this if a simple calendar was drawn up to reflect the audit plan is OK for example. Holding a copy of all the audits in a single folder would also work, referencing any non-conformances or improvement notices is certainly required and ideally being able to show them closed out would be good. An integrated system like Mango does most of this work for you.

Summary 

The requirement of clause 9.2 Internal Audit for ISO9001:2015 doesn't have to be feared, it's there to help ensure your system is working as intended and adding value to your business, it lets you uncover areas where you can both improve what you are doing and remove wasteful elements as well.

Planning and running with it is key to it as well as understanding that you don't have to audit everything every year, just want make sense and being able to back up that rational. Anyone can do the audit as long as they don't have a vested interest in the area they are auditing and of course you want to get value for money so you really do want to get some great suggestions and feedback on where you can improve on your processes form it.