1.1.

1 Guidance on QMS Internal Auditing

2 Introduction
ISO 9001 requires audits be performed using a “Process Approach.” Audits must do more
than check whether people “are following their procedures / work instructions”. Each process
making up your QMS must be scheduled for audit.
Clause 9.2 of ISO 9001:2015 sets out the objectives for your internal auditing:
“The organisation shall conduct internal audits at planned intervals to provide information on
whether the environmental management system:
a) conforms to:
1) the organisation’s own requirements for its environmental management system
2) the requirements of this International Standard (ISO 14001:2015)
b) Is effectively implemented and maintained”

3 Audit Rating System

A risk-based internal audit approach allows the internal audit to concentrate on reviewing all
significant risks to your organisation so as to ensure that they are well controlled.
Ratings range from “compliant” to “major non-conformance” to convey a concise and
consistent method for rating each audit finding.
Finding Definition / Impact Action / Mitigation
Compliant means adherence to the requirements of Repeat the audit at regular intervals.
the standard and your QMS. Records exist to verify
COMPLIANT that the process is both documented and
implemented.

A no or low risk issue that provides an opportunity Consider implementing the

Opportunity for improvement. For example, processes could be improvements and monitor trends /
for simplified even though they currently meet their indicators to determine if the expected
Improvement objectives and targets. improvement has been achieved.

A medium risk, minor non-conformance resulting
from deviation(s) from process definitions. Such
non-conformances are unlikely to either result in
MINOR Non the failure of the process to deliver conforming
Conformity outcomes or to reduce the effectiveness of the
QMS.
Investigate root cause(s) and implement
corrective action. Monitor corrective
actions at Management Meetings and
next scheduled audit.

A high risk, major non-conformance which is likely Implement immediate containment

to result in customers receiving non-conforming action, investigate root cause(s) and
MAJOR Non products or services, or which may reduce the apply corrective action. Re-audit within
Conformity effectiveness of the QMS. four weeks to verify the efficacy of the
corrective action.

Guidance on Internal Auditing Page 1 of 7

4 Principles of Auditing
Auditing has two, related, key objectives:

 to support your organisation’s quality management system

 to provide objective information that you can act upon to continually improve its
performance
To achieve these objectives, it is necessary to adhere to the following principles, if the
conclusions derived from the audit are to be accurate, objective and sufficient.

 Ethical conduct - trust, integrity, confidentiality and discretion are essential to

auditing

 Fair presentation - audit findings, conclusions and reports must truthfully and
accurately reflect the audit activities

 Professional care - auditors must exercise a level of care that reflects the
importance of the task they perform

 Independence and objectivity - auditors must be independent of the activity being

audited and be objective

 Evidence-based approach - evidence must be verifiable and based on samples of

the available information
Adherence to these principles also allows auditors working independently from one another
to reach similar conclusions when auditing in similar circumstances.

5 Audit Methodology
5.1 Introduction
The adoption of the “process approach” is mandated by ISO 9001:2015 and is one of the
most important concepts relating to quality management systems. Process auditing is about
auditing your organisation’s processes and their interactions, which together comprise the
quality management system.
The principle behind the process approach is that “consistent and predictable results are
achieved more effectively and efficiently when activities are understood and managed as
interrelated processes that function as a coherent system”.
A process audit provides assurance that the processes have been implemented as planned
and provides information on the ability of the process to produce a quality output.
Undertaken properly, a process audit is much more than the verification that processes are
being properly followed.
A process is a set of interrelated activities that transform inputs, such as materials, customer
requirements and labour, via a series of activities into outputs, such as a finished product or
service. Various clauses of the standard are applicable to stages of the process. There are
six characteristics to look out for when auditing a process:
1. Does the process have an owner?
2. Is the process fully defined?

Guidance on Internal Auditing Page 2 of 7

 3. Is the process fully documented?
4. Have links to other processes been established?
5. Are processes and their links monitored?
6. Are records maintained?
As part of the process approach, process audits must be scheduled in accordance with your
QMS. The audit schedule should be based on the importance and criticality of the process
itself. The audit should be based on a three stage process:
1. preparing for the audit (desk review)
2. auditing the process and its linkages
3. preparing the executive summary and audit report
The audit should begin with the process owner in order to understand how the process
interacts with the other process inputs, outputs, suppliers and/or customers.
The auditor should be able to determine whether the outputs are complete and that process
measurements demonstrate whether all of the outputs are consistently efficiently managed
and fit for purpose.
Each process audit should:

 determine whether the process conforms to planned arrangements

 determine whether the process is properly implemented and maintained

 provide information on process performance to top management
and include the following considerations:

 Is there continuity between the various support processes?

 Is the task done consistently from day-to-day and operative-to-operative?

 Do the interfaces between different operational functions operate smoothly?

 Does product information flow reliably and freely?
 Is the process practice right?

 Does it meet the requirements of the standard and/or specified requirements?

 Is it process effective is supporting the organisation?

5.2 Preparation
Thorough preparation is essential to an efficient and accurate audit!
Gather all relevant documents and records for the process you are auditing, such as process
metrics, instructions, turtle diagrams, flowcharts, etc. If applicable, collect control plans and
FMEAs too.
Review these documents thoroughly, and mark what you plan to audit. By marking directly
on the documents, they become audit records.

Guidance on Internal Auditing Page 3 of 7

Also, review relevant sections of the ISO standard. Your organisation’s documents may not
include all the ISO requirements, and this is how you would discover that. If certain
information is not available, it may become an audit finding, even during the preparation
stage.
Sources of information might include:
 Audit Scope, Audit Objectives, Audit Criteria:
- the “audit scope” defines which areas are included and which excluded from the
audit.
- the “audit objectives” define the purpose of the audit and what it should achieve.
- “audit criteria” define which systems, standards, and documents are to be be
audited
ISO requires that this information is defined and documented. Often this is routine
information, but when there are exclusions or unique situations, it can be significant.

 Process Criteria, Metrics, Objectives and Performance

Each process is required to define this in the QMS. Evaluate metrics and objectives
to determine strengths and weaknesses. Compare actual performance to targets.
Where goals are met, focus more on other areas with greater issues.

 Previous audit findings

Verify that previous corrective actions remain effective. Past areas of concern may
yield more opportunities for improvement or may require re-auditing.

 Customer complaints and other corrective actions

Verify that previous complaints have been properly addressed and that corrective
actions remain effective.

 Process Inputs and Outputs, Internal Suppliers and Customers

The QMS must define and document the inputs and outputs for each process. If your
system relies on flowcharts, turtle diagrams, process maps, etc., they should be
documented.

 Relevant Sections of the ISO Standards

Identify those sections in the applicable ISO Standard (ISO 9001, ISO 14001 etc.)
that are relevant to the process. Print those pages and mark significant requirements
to ensure they are documented correctly within the QMS, and that they get audited.

 Flowcharts, Turtles, Procedures, Instructions, Records, Process Sequence

Review the documents that describe and control the process and identify all of the
important steps and activities. Check that this information is documented within the
QMS.
Evaluate how effectively the process flows through the steps and note any issues
directly on the company documents (saves time). During the audit, use them as
checklists, and audit the trails and notes you marked.

 Links to Skills, Competencies and Training

Guidance on Internal Auditing Page 4 of 7

 The skill requirements for each process should be documented. Review skill lists for
the process being audited. Are there clear lists of skills, with sufficient detail, for each
position? This is a common failure where lists are generic and the detail is
inadequate. Training is a key process of any system. Are there specific people or
new members of staff that you wish to review? Are there particular skills you wish to
evaluate? Identify the names of those you wish to review later.

 Links and Interactions with other processes

Each process connects and interacts with other processes and it is important to
identify and audit those links. Often processes work well within their own scope but
link poorly to other processes, so these are often areas for improvement.
These links you have identified must be documented in the QMS. Plan how you will
audit the relevant links and interactions.
Prepare these documents and audit materials carefully as it is faster and easier to audit if
you have well organised and marked up information at hand. A well prepared auditor is a
confident and authoritative auditor. Using the documented information in this way ensures
they become audit records.
Use your preparatory work to develop an audit checklist for use in the future.
An audit checklist is just one of the various tools available to help ensure that your audits
address the necessary requirements. The checklist creates a basic reference point before,
during and after the audit process and provides the following benefits:

• ensures the audit is conducted thoroughly, systematically and provides objective

evidence
• promotes audit planning
• ensures a consistent audit approach
• provides clear support for your audit process
• ensures that different auditors audit uniformly
Your organisation’s documented information may not cover all of the requirements that may
be relevant to the process. If certain information is not available, it may become your first
audit finding, not bad for the pre-audit review!

5.3 Review Performance

Review metrics and performance with appropriate managers, supervisors and operators.
They should know how well things are running, objectives, customer issues and problem
areas. If they do not, the requirements are not being met.
Audit the sequence of the process with the people actually performing the process. Do
people know and follow the steps? Is what they do the same as what is documented? Are
best practices documented and followed? Do personnel have changes they would
recommend?
Review all the relevant steps of the assigned process. Evaluate how the process flows
through the steps. Are the process steps effective? Do you see roadblocks or issues? Notate
and follow audit trails you find with the relevant personnel. Observe their work. Look for
things that are not as they should be.

Guidance on Internal Auditing Page 5 of 7

5.4 Review Competencies
Training, skills and competencies are always a potential area for improvement. Training and
competency is vital and you should always review whether training could be improved. Pay
particular attention to newer employees or people who do not demonstrate good skills or
competencies. Put people at ease, so they are not nervous. If there are people who do not
seem to be “up on their game” note their names and review this with the training process
owner.

5.5 Review Linkages & Interactions

Linkages and interactions with other processes are always important. As you audit the
assigned process, you will see how it connects and interacts with other processes. As you
audit, also audit the relevant links to related processes and support processes. These would
include the input hand over from the previous process and the output hand over to the next
process. It should include interactions with relevant supporting processes, such as training,
quality, maintenance, calibration, record and document control, etc.

5.6 Review the Process

To audit, walk through the sequence of the process from start to finish. Review the same
sections, sequence and details as described above. This is why preparing and organising is
important.
Audit the notations and questions you documented and organised into a logical flow. Simply
work through the pages and paths you identified. If you see something interesting, you can
follow that trail to see if it leads somewhere. If all is well, return to your notes and continue
where you left off. If the trail leads to issues, follow through.
Performance is often best proven by looking at how well the output of Process A satisfies the
input requirements of Process B. For example: how often does Process B have problems
with customer data entered on the system, how many customer complaints have arisen due
to inaccurate or late information being entered? If there is a documented procedure in place,
it should define the process and the steps to be taken to ensure the objectives are achieved.

5.7 Review the Findings

Mark findings and issues as you go. When you finish auditing, you should have a collection
of various findings to review. Organise the notes you made, these findings need to be
reported to management. As you audited, you should have noted the issues and potential
improvements you observed. These should have been marked clearly so you are now able
to quickly review and capture them as you write the report.
When you have completed the audit, you will usually have “findings”. Findings can be both
problems and opportunities for improvement.
Review your notes and collect the findings into the audit report. Audit teams should review
findings with the lead auditor and/or management representative as it important to calibrate
the findings and the review also acts a learning process. If there is disagreement over some
findings, the Lead Auditor has the final vote!

5.8 Prepare the Report

Guidance on Internal Auditing Page 6 of 7

A good summary report is the output which is the value of the audit. It deserves an
appropriate amount of attention and effort.
Your summary report should describe findings objectively, provide objective evidence to
support the findings, and determine whether they should be classified as Corrective Actions,
Preventive Actions, or Opportunities for Improvement.
Too often, the audit report only recites back facts and data the managers already know. The
value is in identifying issues and opportunities they don’t know! This summary should be
reviewed first with the Lead Auditor, then the Process Owner and Management Team. Make
final revisions, and file the final audit report and all supporting audit materials and notes.

Guidance on Internal Auditing Page 7 of 7