ISO9001 in 2021 Week by Week - Week 49 - 9.2 Internal Audit

This is a 52 week discussion of ISO9001:2015. Each week, we discuss a specific clause of the ISO9001:2015 standard in detail and look for ways to trim the fat. (As a member of TAG/TC176, the committee responsible for review and revision of ISO9001, (possible revision in 2023), I’ll keep you posted on what I learn all year!)

(It is strongly recommended that you purchase a copy of ISO9001:2015  for reference).  And, be sure to do your homework!

9.2 Internal audit

Before we dive in this week, I want to highlight that this week’s entry offers the MOTHER LODE of freebies!  So, this click will definitely be worth it!

Internal audits are one of the most underutilized tools in management systems.  Let’s just review some of the reasons that people avoid the whole internal audit notion altogether.

• Being audited can invoke fear of judgment (or discovery) where issues exist,
• The audit process can be undervalued:
  • Auditors don’t prioritize scheduling their audits (they see it as a nuisance)
  • Auditees don’t prioritize participating (they see it as a nuisance)
• Auditors may be poorly trained and therefore not confident, collaborative or cooperative,
• Management may ignore the internal audit process resulting in lack of interest (or conversely….)
• Management may improperly tie incentives/punishments to audit results

The most important thing is creating an internal audit system which creates a culture of encouragement and cooperation is key.  The second most important thing is to carefully construct an audit program which is easy to use by the auditors, convenient for everyone, and delivers actionable results to improve the quality system.  Sounds simple?  Then, why do so many organizations struggle with this?

Let’s review the first part of the requirements.

“9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:” 

Stopping right here, this is a question I see a lot.  “How often do we have to do audits?”  The first hint is in this sentence, where it includes “at planned intervals”.  The organization must plan its internal audit program.  Moving on:

“a) conforms to:

1.  the organization’s own requirements for its quality management system;” 

The first thing to review with internal audits is the organization’s performance with regard to its own management system.  This is very important so that the internal audit process is not a simple do-over of the third-party registration or surveillance audits.

A more important point is to remember that everything that exists in your quality management system is at your organization’s discretion.  There are only 21 things identified in the entire ISO9001 standard that are required as “documented information”, and most of those are not procedures – they are merely records (confirmation) that something occurred.  And if the workflows or forms themselves can suffice as “instructions”, duplicate procedures or work instructions are not required. 

And just as a final tieback, if it’s a part of your quality management system, it should be audited.  (Insert big, lean, lightbulb moment here….)

“2. the requirements of this International Standard;”  This is where the standard comes in.  In addition to the organization’s own requirements, the system should be assessed to its conformance to the ISO9001 standard.

Here’s a link back to Week 23 7.5.1 Documented Information (and there’s a FREE download to a list of the Required Documents for ISO9001!). 

Do your organization’s “own” requirements go overboard?  The litmus test should be, “does ISO9001 required it?” AND “does my organization need a component of the quality management system to impart the necessary knowledge to ensure that a key process/step/method is followed?”  That, and only that, should be the bedrock of your quality management system.

“b) is effectively implemented and maintained.” 

This is an important bullet point.  Many internal audits omit the addition of effective implementation.  I like to include three questions for consideration for each area audited – “where is it described in the quality system (documentation)?”, “what is the evidence (records)?” and “how is it working (assessment of effectiveness)?”.  NOTE:  One caveat to remember, is that unless ISO9001 requires documented evidence, valid evidence can also be consistent testimony, obvious evidence that something is happening, etc.

“9.2.2 The organization shall:

a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;” 

The frequency of audits is at the discretion of the organization and should include the items listed above.  One notable area is “changes affecting the organization”.  Where there are changes to the management system, a follow up internal audit is a great way to validate the change, as well as verify implementation of the change.

“b) define the audit criteria and scope for each audit;”  Many organizations use a checklist to meet this requirement.  It may be a master checklist or subset checklists to make the audit program more manageable, but it can be anything, really.  You might follow a process map with a review of “where it’s described”, “what is the evidence” and “how is it working”?  Any objective review of the components of the quality system to validate it is working as intended and achieving its results will work. 

“c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit programme;”  This should be specifically described in the audit process.  Tools such as job descriptions, training and competence assessments and audit feedback surveys can be used to ensure objectivity is maintained.  (Auditors must not audit their own areas of responsibility).

“d) ensure that the results of the audits are reported to relevant management;”  This is a required input to Management Review, so there is a second requirement in the standard that these be tied together.  Reporting audit results to management is key to ensure the continued effectiveness and continual improvement of the management system.  It is the whole purpose for having the internal audit program.

“e) take appropriate correction and corrective actions without undue delay;”  Many companies issue “corrective actions” for significant findings from internal audits.  It is very important to ensure the corrective actions are completed (and the actions verified!) in a timely manner.  They should receive the same scrutiny that a product nonconformance corrective action and should be dealt with in an appropriate manner and timeline.  You needn’t have different tools for nonconformances.  If you have a simple nonconformance and corrective action system that works, consider simply adding this type of nonconformance and treating it the same.  Or, if you like to keep your internal audit findings separate, have at it.  Just be sure that all types of nonconformance are reported and dealt with. 

“f) retain documented information as evidence of the implementation of the audit programme and the audit results.”  This is an area where records or documented information IS required.  Lack of internal audit records will result in noncompliance.

NOTE: See ISO19011 for guidance

(All the notes in ISO9001 which refer to other standards are optional, but do provide helpful additional information and clarity.)

THIS WEEK’S HOMEWORK

Take a look at your internal audit process and documentation.  Is the audit plan adequate?  Does your audit ask “where is it described in the quality system (documentation)?”, “what is the evidence (records)?” and “how is it working (assessment of effectiveness)?”.  When changes are made, is there an audit to assess the implementation and effectiveness of the change? 

Is your internal audit team engaged?  Well trained?  Are they completing their scheduled internal audits?  Is your audit program on track? 

Review your previous audit results for clues about where you might be able to make improvements to get the most from your internal audit program.  Good luck!

And if you realize you need help, this is one of my strongest areas.  I can help you create an amazing and simple program that will get you the results you want!  Connect with us today and we can help you build a system that will get your 2022 off on the right foot!  Never struggle with internal audits again.

Or maybe your internal audit program itself is fine, but your internal audit teams needs some additional tools!  Watch this 3-minute video about an affordable and simple course that will be invaluable to your internal auditors.   Get the self-directed, on demand, online learning series  ISO9001 in Plain English, today and you'll get:

• A clear understanding of the requirements of ISO9001:2015
• Proven tips to build a robust quality system that's easy to use
• Ways to reduce documentation and paperwork (yes, really!!)

Each video is about 15 minutes and targets a specific element of ISO9001, (with over 6 hours of total content!).  We translate all the gobbledegoop into Plain English you can understand and leverage the requirements to get maximum VALUE from your quality efforts. 

For a deeper dive into the process side of your quality system, get Tribal Knowledge - The Practical Use of ISO, Lean and Six Sigma Together, a simple guide to UNITE ISO9001, lean and Six Sigma to create a robust quality system with better results.  Read what ASQ American Society for Quality – Quality Progress Magazine had to say about it. 

Or for targeted, personalized support and coaching, let’s partner together to talk through your issues, learn more about specific tools and applications and enrich your personal development through professional coaching.  Available weekly, monthly or whatever best suits your needs!

We look forward to continuing this YEAR LONG journey with you.  SUBSCRIBE today and the series will come to you weekly to get you off to a great start and your quality system reinvigorated. 

And join me on my journey to always keep improving!