An internal audit is an effective tool that is used for self-assessment of the organization and to determine the extent to which the QMS requirements are fulfilled.
The results of the audit (the audit findings) shall demonstrate the effectiveness of the QMS and identify nonconformities and opportunities for improvement.
First , Let us review the ISO 9001 requirements.
Some organizations also include detailed tests, investigations, or examinations that are conducted during the audit. I will refer to it as the “plan” of the audit.
The program must be documented and will be submitted to the controls suggested in clause 7.5—Documented information.
The first step in implanting effectively the internal audit is to define the scope of the audit. The audit scope defines the extent and the boundaries of the internal audit: the areas and limits to which the audit is applicable and which the audit must control.
The scope shall cover the following issues:
• The purpose of the audits (e.g., compatibility to the ISO 9001 Standard requirements).
• Physical locations (like branches or affiliations).
• Different organizational units like divisions or departments.
• The relevant or related activities and processes to be audited.
• The time period to which the audit results are valid and after this period a new audit shall be conducted (a year, a quarter, a month).
• Additional standards or regulatory and contractual requirements that may serve as audit criteria.
• The expected records.
This scope will be managed and implemented through the audit program and plan (which will be discussed later on in this chapter).
The audit shall include and specify the activities necessary for organizing and conducting the audit and describe the required resources for the audit. For this purpose you may define and use an audit plan. By audit plan I mean a specification (may appear on a document) that describes all the tests and examinations that must be performed during an audit and needed to be done in order to evaluate the extent of meeting
The plan will direct the auditor during the audit. The objective of the plan is to ensure that all aspects of the scope are covered and to allow auditees to prepare and organize for the audit. While auditing the QMS, you are required to evaluate
it through three distinct aspects (each of them will be discussed in detail separately):
• Implementing all the relevant ISO 9001 Standard requirements
• Achieving the organization’s requirements for its QMS: quality plans, processes and procedures, and maintenance of records
• Extent of effectiveness of implementing the QMS: achieving quality objectives, customer satisfaction, and improving the QMS
The audit plan should include reference to the following issues:
• The audit scope
• Locations where the audit activities are to be conducted
• The audit topics
• Time schedules
• Information for the opening of the audit
• Changes in the QMS that must be mentioned before the audit begins
• Results of the last audit
• Open nonconformities
• Required resources
• The audit criteria and reference to relevant documents
• The auditor or the audit team
• Roles and responsibilities of the auditee
• Other required accompanying persons
• The audit tests, inspections, and examinations
You may manage a general plan that will refer to all the organizational units and will ask to evaluate performance of procedures and work instructions, evaluate quality procedures, and sample evidences of executing those processes.
Such a plan will be applicable to the entire organization.
But I recommend adopting a more specific plan designed to audit one specific organizational unit and is therefore not applicable to other units.
Such a plan will refer to specific processes related to this unit, will consider the interrelations of this unit with other organizational units, will present with the appropriate criteria for evaluation, will examine specifically the quality requirements of this unit, and will ask to review documented information related to its processes.
This plan is more effective; for example, if the auditor is auditing a warehouse, a specific plan will direct them to the appropriate processes and activities, support them with the right criteria, and describe to them which records must they sample.
Defining Planned Intervals for Internal Audits
The audits will be planned and conducted at planned intervals. The intervals shall be documented on the audit program.
The goals of planning ahead are :
• To allow the different units of the organization time to prepare for the audit
• To maintain a periodical plan for internal audits (usually an annual plan)
• To ensure the continuity of the audit
In practice, you may define appointments for the audit on the organizational calendar.
The ISO 9001 Standard does not require specific dates but it is more practical. If you would like to perform “unexpected” audits, then define them on the program but do not publish them.
Conformance of QMS to the Organization’s Requirements
The organization has determined its own requirement of the QMS while designing and developing it. The internal audit is one instrument for self-review of whether those requirements are achieved.
Which type of requirements?
• Quality plans for the product:
Any requirement for product realization must be evaluated on whether it was performed as planned.
The best way is to sample and evaluate a product against its relevant predefined criteria.
Sample a product or an output of a process, review its quality plan, detect its specifications, and check whether the product was realized according to the plan. Document the results.
• The identification and implementation of international, national, or local regulations will be evaluated.
The audit shall examine the identification of appropriate regulations, their introduction to the quality processes (such as management review, or integration in the training program), implementation throughout the realization processes, and maintenance of the appropriate records.
• Processes and procedures:
The audit must evaluate whether the realization processes are performed as required. It could be correlated with the quality plans. The evaluation would refer to required results or predefined criteria.
Generally speaking, an audit must sample the processes and outputs and evaluate two things:
• Whether the process is managed as planned: according to its definition (process chart, diagram, SOP, etc.)
• Whether the process achieves its objectives: if the parameters of the process are valid and the outputs are as expected
Conformance of QMS to the ISO 9001 Standard Requirements
Aside from the organization’s requirements, the audit shall evaluate the implementation of the ISO 9001 Standard requirements. The implementation of the ISO 9001
Standard requirements for quality processes includes, for example,
• The specific documentation requirements
• Addressing risks and opportunities
• Implementing the required purchase controls
This part of the audit must be conducted throughout the entire organizational units related to product realization, or are under the scope of the QMS.
For each organizational unit, it is required to audit how much quality management tools are implemented, for example, management of resources, knowledge and competence, maintenance of quality documented information, or management of nonconformities.
Effectiveness of the Implementation and Maintenance of the QMS
The audit must provide the ability to evaluate whether the QMS is effective or not.
The effectiveness of the QMS refers to the extent to which objectives of processes were achieved and may indicate how much the QMS has improved.
This will be reviewed through two aspects of the QMS:
• Quality objectives:
The audit must indicate whether the organization has achieved its quality objectives. During the audit the relevant quality objectives will be reviewed for their relevance to the process and how they are measured and to what extent they were achieved (the results of the measurement).
When it is found that an objective has not been reached, the cause must be presented and the measure
taken to handle it.
• Improvement of the QMS:
The audit must indicate whether measures and actions were undertaken in order to improve the QMS and whether those actions were effective—the improvement was achieved.
In order to conduct effective tests or inspections, you need to assign and document criteria to each test.
Criteria are set of policies, procedures, or requirements used as a reference against which audit evidence is compared.
The objectives of the criteria are :
• To support decisions for judging, evaluating, and determining by facts, values, and data the compliance of the outputs to the requirements; the auditor samples a process or process output, views it, turns to the criteria, and decides whether the process was effective or not
• To enable the determination of the extent of conformity of processes or process outputs
The audit plan shall refer each test to its appropriate criteria.
The criteria may be quantitative such as tolerances and limits of processes, number of training per year, and number of accepted nonconformities or qualitative such as estimations of knowledge and skills.
One important property of the criteria is the ability to evaluate audit findings against it. In other words, the criteria must be adjusted to the type of findings; if you are auditing the processes of certifying new personnel, the criteria should be a procedure or a checklist that describes which activities must be accomplished when accepting a new worker.
The criteria will provide a successful validation by indicating whether the findings are accepted or rejected.
The criteria will present a method for the evaluation and will refer not only to products, parts, or components but also to realization processes and conditions for realization.
Types of criteria include
• Working instructions, test instructions, and procedures
• Drawing and specifications
• Management system requirements
• Quality plans
• Standards and technical specifications
• Laws, regulations, and directives
• Documented customer requirements like orders or contractual requirements
• Industry or business sector codes of conduct