
ISO 9001:2015 INTERNAL AUDIT

ISO 9001:2015 Clause 9.2 Internal Audit

Definition:

ISO defines audits as “Systematic, independent and documented process for obtaining audit evidence
and evaluating it objectively to determine the extent to which audit criteria are fulfilled.”
Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the
organization itself for management review and other internal purposes, and may form the basis for
an organization’s declaration of conformity. In many cases, particularly in smaller organizations,
independence can be demonstrated by the freedom from responsibility for the activity being
audited. External audits include those generally termed second- and third-party audits. Second-party
audits are conducted by parties having an interest in the organization, such as customers, or by
other persons on their behalf. Third-party audits are conducted by external, independent auditing
organizations, such as those providing certification/registration of conformity to ISO 9001 or ISO
14001. When two or more management systems are audited together, this is termed a combined
audit. When two or more auditing organizations cooperate to audit a single auditee, this is termed a
joint audit.

Introduction:

An audit is a systematic, independent, and documented process for obtaining audit evidence and
evaluating it objectively to determine the extent to which audit criteria are fulfilled. Audits are
structured and formal evaluations. The term systematic means the company must plan and
document its system for auditing. It must have management support and resources behind it. Audits
must be performed in an impartial manner, which requires auditors to have freedom from bias or
other influences that could affect their objectivity. For example, having responsibility for the work,
or a vested interest or shares in a supplier or third party company they are assigned to audit, would
be conflicts of interest. Internal audits must be carried out to a procedure according to requirements
given in clause 9.2 of ISO 9001:2015. The procedure must address the responsibilities for conducting
the audits, ensuring independence, recording results, and reporting to management. Audits obtain
objective evidence of conformity with requirements. The evidence must be based on fact and may
be obtained through observation, measurement, test, or by other means. Evaluating the extent to
which audit criteria are fulfilled involves an assessment of both implementation and effectiveness. Is
the organization practicing what it described in its documentation? Are the practices being carried
out well? The presence of nonconformities in a department or process may indicate the system is
ineffective for those areas.

9.2 Internal Audit

9.2.1

The organization should conduct internal audits at planned intervals to provide information on
whether the quality management system conforms to the organization’s own requirements and the
requirements of the ISO 9001:2015 standard, and is effectively implemented and maintained.

9.2.2

The organization must plan, establish, implement, and maintain an audit program, which must
include frequency, methods, responsibilities, planning requirements and reporting. When
establishing the audit program, consideration must be given to the importance of the processes
concerned, changes impacting the organization and the results of previous audits. It must define
audit criteria and scope for each audit. It must select auditors and conduct audits so as to ensure
an impartial and objective audit process. It must ensure results of audits are reported to relevant
management. It must take necessary correction and corrective actions without undue delay. It must
retain evidence of audit program implementation and audit results.

Example of ISO 9001:2015 Internal Audit Checklist

Example of Procedure for Internal Audit

Example of form of Internal Audit Observation Sheet

Example of form of Internal Audit Summary Sheet

Example of Format of List of Internal Auditors

Example of formats for Audit Schedule and Audit Plan

Example of Format of Internal Audit corrective action report

Internal audit is one of the important tools required by this standard, used to gauge the health of
your QMS: how effective it is in meeting ISO 9001, your own QMS, customer and regulatory
requirements. You must have a documented procedure for your internal audit process. The scope of
your internal audit program must cover:

• Audit of operation processes to determine conformity of both product / services and their
processes to customer and applicable regulatory requirements.

• Audit of the QMS to determine conformity to the ISO 9001 standard.

• Audit of the QMS to determine conformity to organizational requirements.

• Audit of QMS processes and their interaction to determine if the QMS has been effectively
implemented and maintained.

In determining the time frame for your audit program, you should consider organization size,
complexity of product and processes, health of the QMS, customer, registrar and regulatory
requirements, etc. The most common time frame is six months. Consider adjusting the audit
frequency and perhaps even the audit scope, of specific processes or group of processes, when:

• You experience internal or external nonconformities.

• You get customer complaints.

• You have critical or high risk processes.

• You have frequent or significant changes to processes and product.


Your internal audit program should consider the following:

• Input from audited area and related areas

• Key customer oriented processes

• Process and product performance results and expectations

• Opportunities for continual improvement

• Feedback from customers

Audit criteria refer to the specific QMS policies, objectives, ISO requirements, documentation,
customer and regulatory requirements, etc., that the audit is referenced to or conducted against.
Audit criteria may relate to the whole audit program as well as each individual audit. Audit methods
refer to the specific techniques that auditors use to gather objective audit evidence that can be
evaluated to determine conformity to audit criteria. Examples of audit methods include interview of
personnel, observation of activities, review of documents and records, etc. You must define the
minimum qualification requirements for internal auditors. These requirements include knowledge of
QMS processes and their interaction, related QMS controls, customer requirements, applicable
regulatory requirements, the ISO 9001 standard, the audit process and audit techniques. Internal
auditors need to be trained in the ISO 9001 standard as they generally audit for conformity to
organizational requirements and also for conformity to ISO 9001 requirements. Additionally, the ISO
19011:2002 Guidelines for quality and environmental auditing says that auditors should have
knowledge of quality management system standards and their application to the organization.
You must have appropriate resources for your annual audit program. These include having sufficient
trained auditors available to conduct scheduled audits, sufficient time to perform audits, availability
of department or process personnel to be audited, time and tools to prepare audit records and
reports, etc. Auditors should be independent. During the audit, auditors should ensure that the
objectivity and impartiality of the audit is not compromised. Auditors cannot audit their own work.
Auditor independence must be ensured when assigning personnel to specific audits. Process owners
must take timely corrective action on nonconformities found in their area. They should use the
corrective action procedure to determine root cause, take appropriate action and follow-up to
determine if results indicate that the root cause has been eliminated. Audit results must be
summarized and reported for management review. The Process manager must also report any
opportunities for QMS improvement. The Process manager must analyze the results of each audit as
well as the annual audit program to determine strengths and weaknesses in QMS processes,
interactions, functions, products, etc., to identify and prioritize opportunities for improvement.
Audit records include annual audit schedule, audit planning such as criteria, scope, frequency,
methods, auditor selection and assignment, etc., auditor competence and training, audit checklists
and forms, audit notes and other evidence gathered, audit findings, nonconformity reports, audit
reports, corrective actions and follow-up of internal audit nonconformities, analysis of audit program
performance indicators and trends, and identified improvement opportunities. Performance
indicators should be used to measure the effectiveness of your internal audit process and monitor
trends in these indicators, to continually improve your audit program. Performance indicators may
include reducing the number of late or delayed audits, incomplete audits, incomplete audit records
and late reports, auditor errors, auditee complaints, and use of untrained auditors, etc.
The output of your internal audit program may be used as performance indicators to:

• Determine the degree of conformity of the QMS to ISO 9001, customer and regulatory
requirements.

• Determine the effectiveness of QMS implementation and maintenance.

• Determine the degree of conformity of product to contractual and regulatory requirements.

• Identify areas of the QMS that need improvement.

Audit Objectives

Always establish the objectives of the audit. Audit objectives are not limited to the ISO 9001
standard. Clear audit objectives help determine the scope and depth of the audit, as well as the
resources needed. Being clear on the objectives provides focus and helps keep the auditor from being
distracted and going off on unnecessary detours beyond the scope of the audit. Audit
objectives may include:

• Evaluating conformity of requirements to ISO 9001

• Evaluating conformity of documentation to ISO 9001

• Judging conformity of implementation to documentation

• Determining effectiveness in meeting requirements and objectives

• Meeting any contractual or regulatory requirements for auditing

• Providing an opportunity to improve the quality management system

• Permitting registration and inclusion in a list of registered companies

• Qualifying potential suppliers

Types of Audits

Audits that are carried out to determine whether an organization conforms to a quality Standard
may be termed Quality System Audits. This type of audit requires the auditor to use a fair degree of
judgement to establish whether controls are adequate. Many second and third party audits are
carried out as Quality System Audits, as are many audits for the purpose of consultancy. Audits that
are carried out against specifically defined practices, procedures, and instructions, and that are
perhaps (but not necessarily) more limited in their scope, are termed conformity audits. Many
internal audits and many contract related audits between two parties are carried out as conformity
audits. Process and product audits are subsets of QMS conformity audits and therefore limited in
scope. An ISO 9001 process audit evaluates the controls and characteristics of a specific process, as
well as its relationship with other processes, and may include using some or all of the following
approaches:

• Individual processes in terms of:

o Input / Output / Value-added activity

o Plan / Do / Check / Act

• Relationship to other processes in terms of:

o Flow / Sequence / Linkage / Combination

o Interaction / Communication

• Customer contract for conformity to contractual requirements through the various
processes used to fulfill the customer’s order

• Audit trails – following concerns or unresolved issues to processes or departments that are
beyond the scope of a specific audit.

Process audits may include the following processes, as well as related sub-processes – Context of
organization; Leadership; Planning; Support; Operations; Performance evaluation; Improvement. A
product/Service audit is a process audit that focuses on the processes needed for
executing operations for the product or service realization. For the purposes of this discussion,
however, there are two basic types, further sub-divided according to different emphases and
objectives. The two types are external audits and internal audits.

External Audits

These are audits done outside one’s own organization, and there are at least two distinct types of
external audit: second party and third party.

Second Party Audits

These audits, carried out by one company on another, originally came from the idea of an
organization auditing its suppliers. There are a number of reasons why an organization may wish to
audit its suppliers.

1. One method to satisfy clause 8.4.1 of ISO 9001:2015

2. Input to selecting, grading, and approving suppliers

3. Help to improve supplier Quality Management Systems

4. Mutual understanding of quality requirements

Many major organizations carry out second party audits to advise user departments of areas of
weakness in suppliers so appropriate contract and/or surveillance mechanisms can be instigated if
the supplier is to be given work. It can also highlight likely additional costs.

Third Party Audits

As a result of the growth in interest in Quality Assurance during the 1960s and 1970s, more and
more second party audits were being carried out. Some companies in certain fields had to employ
people whose sole task was to accompany visiting auditors around the company! Clearly this state of
affairs was helping nobody, particularly the supplier. After considerable discussions at national
levels, the ISO 9000 scheme was introduced to rationalize all the assessment schemes as a third
party audit operated by an independent body that would certify companies as conforming with the
Standard (or not, as the case may be). Various bodies became registration bodies (Registrars) and
BSI, UL, SGS, DNV are prominent examples. There are different types of registration, but the main
interest here is on the Registrar’s Quality Management System assessment and registration. On
payment of an initial fee to the Registrar, they will assess your Quality Management System to ISO
9001 and, depending on the results of the assessment, the organization would become registered.

Internal audit or First Party Audits


First party audits are carried out by an organization on itself to confirm to management that their
documented quality management system is working effectively. An organization’s own defined and
documented system forms the basis for this audit.

Reasons for a first party audit:

1. ISO 9001:2015 clause 9.2 requires it

2. Control and feedback mechanism for management

3. Correction of nonconformities before external bodies find them

4. Systematic improvement of the organization

As in second party, if the audits are done only for reason (1) or (3) above, the value is going to be
limited. By establishing an internal audit program, management is making available an extremely
useful and powerful tool for improving business, and for assessing the effectiveness of the quality
management system. Of course, in considering (3) above, it means that if an organization is to find
for itself the kinds of nonconformities that external bodies are likely to find, it should, if possible,
carry out its audits in a similar way to the Registrars. It must be remembered that all audits are
based on sampling; therefore, there is no guarantee that all nonconformities will be found during
the internal audit process.

Benefits of Quality Management System Audits

• Provides information for management review

• Demonstrates senior management commitment

• Improves personnel awareness, participation, and motivation

• Provides opportunities for continual improvement

• Improves customer confidence and satisfaction

• Increases operational performance

Audit results are a major input to the management review process. Management must take
appropriate actions based on the review of quality system strengths, weaknesses, and opportunities
for improvement. The time allocated for conducting internal audits demonstrates top
management commitment. If the purpose of the audit is properly communicated, and employees
realize that the audit is not an evaluation of personal performance, they are more likely to discuss
weak areas and opportunities for improvement. This should lead to improvement in operational
performance and improved customer satisfaction.
