ISO 9001:2015 – Newsletter – Issue 137

Issue 137 – Do you need to audit all Processes/ISO Clauses at least once per year?

ISO 9001:2015…

Do you need to audit all Processes/ISO Clauses at least once per year?

I appreciate receiving emails with questions and/or comments from readers of this Newsletter… please continue to do so since it provides me with ideas on what these publications should cover.  In my last Newsletter (ISO 9001:2015 Newsletter Issue 136) we discussed the topic of  “When is ISO 9001:2015 getting revised?”, and now in this Newsletter we will discuss “Do you need to audit all Processes/ISO Clauses at least once per year?”.

The ISO 9001:2015 Element numbering…

Element 4 – Context of the organization
Element 5 – Leadership
Element 6 – Planning
Element 7 – Support
Element 8 – Operation
Element 9 – Performance evaluation
Element 10 – Improvement

Do you need to audit all Processes/ISO Clauses at least once per year?… The short answer from most, if not all, ISO Certification Bodies (ISO Registrars) is “YES”.  This is not something new… it’s always been the case.  In fact, I recently had to help a Client of mine to push back on an external auditor who needed to be convinced that Clause 7.1.4 (Environment for the operation of processes) had indeed been audited in the past 12 months.

My Client showed them my audit plan which clearly showed Clause 7.1.4 was included, and also showed them my audit summary page which had a check-mark denoting “conformance” for this Clause… but that still wasn’t enough… so I reminded my Client that my auditor handwritten notes (which I always leave a copy of) also indicated on one of the many pages of notes, that Clause 7.1.4 had in fact been audited.

The external auditor finally relented but it reminded my Client about the need to make sure all ISO Clauses have been audited at least once every year.

Why do both the words “Processes” and “ISO Clauses” need to be included in this question?… I need to explain why I continue to use both the words “Processes” and “ISO Clauses”.  If we look at my example above with Clause 7.1.4 (Environment for the operation of processes), I can easily show on any of my audit plans that it is listed at least once.  In fact Clause 7.1.4 is listed multiple times because this particular Clause applies to MANY work areas.  For instance, the “work environment” is very different in a Production area, versus a Lab Testing area.

In both cases, a proper “work environment” needs to be maintained for the activities that take place within those specific work areas.  So “yes” my audit plan could show that Clause 7.1.4 was indeed being audited in Production but then can I skip it for the Lab?  If the objective is to make sure each Clause is audited at least once in a year, then I guess that would satisfy your ISO Certification Body (CB)… but that conflicts with the whole “process-based approach” built into the ISO 9001 Standard.

The logic above is why CB’s abandoned conducting audits many years ago by just auditing a list of the ISO Clauses… it just doesn’t work… because implementing separate “ISO Clauses” does not produce a quality product (or service)… but rather a connected series of individual processes is what moves a Customer Order from Receipt to Delivery.  Process-based auditing is a much better way to make sure no surprises reach your Customers.

In my humble opinion, the objective of your Quality Management System (QMS) is to first “satisfy” your paying Customer… and if this also satisfies your CB at the same time, then that’s just gravy.  In fact, waiting twelve (12) months to assess whether a critical “process” is functioning properly may be too long!

Why did this question become a Newsletter topic?… I recently have had lengthy discussions with one of my Clients regarding this very question.  They interpreted the wording inside Clause 9.2 (Internal audit) as being vague enough to allow to change their current internal audit frequency into a three (3) year audit cycle, for those Processes/Clauses that have had no previous audit findings.  The sentence within Clause 9.2.2 (a) states: “…plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits”. 

So “yes”, the ISO 9001:2015 Standard, Clause 9.2 does NOT specifically say that internal audits must be conducted at least once a year, however most ISO Certification Bodies (CB’s) add this as part of “their” contract with the organization that hires them.  Another example would be that not only do CB’s require internal audits be conducted annually covering all Clauses, they ALSO require that “Management Reviews” (Clause 9.3) take place at least once per year.  Clause 9.3 also uses vague wording “… at planned intervals…” when indicating how often these management reviews should take place.

I have explained to my Client that there are multiple risks with taking this “3 year internal audit cycle” approach… the first one being that their ISO Registrar (one of the largest globally) will disagree with this “interpretation” and issue a major non-conformance… however the bigger risk, is that my Client may choose to skip an audit of a whole process/dept for a couple of years because it had no previous audit findings (…such as Purchasing) which could result in a “surprise” that slips right-through to the Customer!