Issue 62 – Clause 9.2: Internal Audit
Clause 9.2: Internal Audit
What’s the intent of Clause 9.2?… In our last Newsletter (ISO 9001:2015 Newsletter Issue 61) we discussed the topic of “monitoring, measurement, analysis and evaluation”, and now here in Clause 9.2 we address the area of “performing a self-check” of your QMS. The intent of this Clause is perform an audit yourself on the QMS so that you can identify any problems in your QMS before your Customer gets a surprise, or to find ways to improve your QMS.
Note A: This Clause DOES include requirements for “documented information”.
Note B: In case you were curious, the content for these Newsletters comes from working in the field with my Clients, and with their ISO Certification Bodies. I gain a lot of hands-on experience from conducting training workshops, gap audits and internal audits, where the requirements of the Standard have to be interpreted and applied to each unique situation. A popular training request is our on-site Internal Process Auditor Training for ISO 9001:2015 since you will need to do a complete round of internal audits to the new Standard prior to your external upgrade audit. On that note, some organizations are opting to use an outside resource to assist with their internal audits in order to meet deadlines (…more details on this service, as well as the training sessions we offer, can be found below).
The new numbering format…
Element 4 – Context of the organization
Element 5 – Leadership
Element 6 – Planning
Element 7 – Support
Element 8 – Operation
Element 9 – Performance evaluation
Element 10 – Improvement
Clause 9.2: Internal audit consists of two (2) Sub-Clauses as listed below:
9.2.1 The organization shall conduct internal audits at planned intervals…
9.2.2 The organization shall…
The requirements for “internal audits” have had essentially no changes made to it from the previous 2008 version of this Standard. Based on this fact, some people have then assumed that there is no need to train their internal auditors, however keep in mind that although the requirements of the auditing process have not changed, the scope of the QMS requirements have indeed expanded. Internal Auditors should be educated on how the QMS has been revised to reflect the new 2015 requirements so that they can properly assess/audit it. In addition most ISO Registrars will expect to see that a complete system audit to the new requirements has been conducted by auditors trained on the new 2015 Standard.
Let me repeat that statement one more time… organizations will need to show documented evidence that their entire QMS has been internally audited to the new requirements PRIOR to their upgrade to this new ISO 9001:2015 Standard AND that the auditors who conducted this activity were trained on the ISO 9001:2015 Standard.
One very effective way to accomplish both of the above activities is to conduct a combination training/auditing event. I’ve been involved in a number of these sessions and besides the obvious benefit of getting training and auditing done at the same time, the other big advantage is that each auditor gets to immediately apply the training in the field. There is nothing better than hands-on experience in conducting audit interviews in a live setting vs classroom role playing. This type of event can be accomplished in a 3 day or a 4 day or a 5 day time frame, depending on the scope of the audit.
Here are a few suggestions I have for internal auditors: a) Try to look at auditing as a way to learn about an area you are not familiar with… being curious and wanting to learn more has kept auditing interesting for me (…at least for the past few decades that I have been doing it); b) Wear the hat of a typical Customer when conducting an audit… what I mean by that is, think like a Customer would… if you were spending your hard earned dollars buying the product/service that your company provides, what questions would you want answered?; and c) Pick just one sample of an outbound product (or service) that your company provides and take it to each and every department… set it down on the bench or table or desk and ask the person you are interviewing what THEY specifically do to make that product happen… and if a sample of your product is too large or can’t be carried around (or if you sell services), then find a way to represent it using possibly a picture/graphic of that final product or service… the idea is to get the discussion laser focused on how your interviewee contributes to making that product or service a reality… I use this approach myself (and have watched others do it as well) and it is a great way to get from just “general” audit discussions into a more specific process dialogue… and by the way, it works equally well with top management, with front line employees, as well as with every supporting function.
On a final note, if you are one of a number of organizations that outsource their internal audits to an outside firm (and nothing within the ISO Standard prevents you from doing that), keep in mind that you still need to “audit the audit process”. In these situations I recommend that my Clients retain objective evidence that they directed, observed, monitored, and were actively involved in, the conduct of the outsourced audit. This is how they ensure that their audit process is being carried out as planned/outlined within the QMS. The ISO Registrars that I have worked with have accepted this as evidence of “auditing the audit process”.
Be sure to watch for our next Newsletter issue where we will cover another section of ISO 9001:2015…
PS: Don’t forget to look at the Q&A section below for some final thoughts…
To view all of our past Newsletters or to sign up to receive them… click here
For cost effectiveness, the Internal Audit function can be outsourced to an external experienced auditor on a periodic basis. This will provide an independent and objective assessment to management, of where process issues may exist, along with identifying opportunities for improvement. It will also provide the evidence needed to satisfy the Internal Audit requirements in the ISO Standards. We have used two different approaches with this service: a) We conduct the entire audit ourselves, or b) We act as the lead auditor, and along with your Team of internal auditors, we complete the entire audit together. This latter approach allows your people to receive guidance and direction from an experienced lead auditor while at the same time maintaining significant involvement in the internal audit process.
The two (2) day Internal Process Auditing for ISO 9001:2015 Training Session is focused on a process approach to auditing with the objective being not only to assess conformance of the quality management system, but also to uncover process improvements during an audit. This goes hand in hand with the process auditing requirements found within ISO 19011 and the process approach covered in ISO 9001:2015, which promotes continual process improvement throughout this Standard. An enhanced checklist is developed, and there will be workshops throughout, to reinforce learning, as well as a live, practice audit. If you are looking to meet the ISO 9001:2015 internal audit requirements and to “raise the bar” for your internal audit program then this is the course you should consider.
Q: How do you perform an audit for Clause 9.2 of ISO 9001:2015?
A: For Clause 9.2, an Audit Checklist should cover these areas:
– Has the organization conducted internal audits at planned intervals?
– Has the organization audited all sections/processes of their QMS within a twelve (12) month period?
– Have the audits determined whether their QMS conforms to their own requirements?
– Have the audits determined whether their QMS conforms to the requirements within the ISO 9001:2015 Standard?
– Have the audits determined whether their QMS has been effectively implemented and maintained?
– Has the organization planned, implemented and maintained the internal audit program? Has it included frequency, methods, responsibilities, planning requirements/reporting?
– Has the organization taken into consideration the importance of the processes being audited?
– Has the organization taken into consideration changes that have occurred in the processes?
– Has the organization taken into consideration the results of previous audits?
– Has the organization defined the audit criteria and scope of each audit?
– Has the organization selected auditors and conducted audits to ensure objectivity and impartiality?
– Has the organization ensured that audit results are reported to relevant management?
– Has the organization taken appropriate correction and corrective actions, on the audit results, without undue delay?
– Has the organization retained documented information as evidence of audit program implementation? …and of the audit results?
(Make sure to interview more than one person and obtain examples for the items listed above)
Until next time…
Helping Business Professionals Reduce Risk and Remove Waste!