Internal Audit - The ISO 9001 Standard Requirements


"What a headache" - that's surely what every employee think to himself when they receive the massage of an internal audit approaching. There is a reason why. They know that someone is coming to poke their deeds... The internal audit chapter is included under chapter 8.2 - Monitoring and measurement. So it is clear that the purpose of the internal audit is to perform Monitoring and measurement within the organization. Internal audits, sometimes called first-party, are conducted by, or on behalf of, the organization itself for internal purposes and can form the basis for an organization's self-declaration of conformity. The organization is required to conduct the audits within scheduled time frames to ensure that the quality management system is:
  • Maintained according to the ISO 9001 Standard requirements
  • Maintained according to the organization's requirements and audit's criteria
What are an audit's criteria? Set of policies, procedures or requirements used as a reference.
We believe that in the end of the day the internal audit is actually an internal inspection that the organization conducts upon itself. Within the organization structure, it is hard for the top management to view of what is going on down the organization. It's not enough to step down to the manufacture halls, logistic centers or service centers and view the employees or the goods on the shelves. It is necessary to sample processes and to examine whether they hold against pre defined criteria. Only high resolution sampling can provide with the real organization's status. What are the criterions? The ISO 9001 standard requirements, working procedures, quality plans, quality objectives - the characteristics of the quality management system.
Since the internal audit topic is very serious and wide, we would not include it all in one article. In this article we will focus with the ISO 9001 Standard requirements for maintaining internal audit system with reference to the ISO 19011 Standard - a guide line Standard for auditing quality or environmental systems. The Standard was published in 2002 and besides outlining guideline for conducting audits, it also refer to the auditor's skills and activities. Unfortunately, the ISO 9001 Standard sets requirements but it does not guide us how to conduct an effective audit - one that would not only apply the requirements but would also assist the organization. We would deal with that in another article (we just can't give you all the secrets in one article. Sorry. Company's policy).
The ISO 9001 requirements for internal audit interanl audit procedure
The ISO 9001 Standard requires that you maintain a documented procedure describing the method for conducting an internal audit process. This is not a recommendation but a requirement. The documented procedure must define:
  • Who must conduct the audit - who is responsible for executing the internal audit process.
  • What organizational units are under the scope - departments, specific processes, activities, sites, function, etc.
  • Describing the process itself - who meets with whom and where and what should everybody bring with them.
  • The supervision after the internal audit plan (don't get excited, we will go into details soon). Where the audit's evidence are documented.
It is possible to add as annex the audit's plan and all sort of forms and documentation regarding to the process.
The auditor
The auditor must be objective related to the organizational unit he is auditing. This is a hard thing to achieve, when the quality manager is the auditor. Then he is part of the organization. He will always conduct an audit to his colleagues (the ones he sits and eats lunch with, drinks coffee or smokes a cigarette). Besides that, the auditor must be skilled for conducting an audit and document the situation correctly. Remember, an audit is an emotional event where the employees are examined about the quality of their performance. The audit's approach is highly important for the audit's progressing. Beside his personal approach, the audit must have a minimum acquaintance with the field, in order to evaluate the processes and their quality beyond the working procedures (the documented criteria). That kind of knowledge can give him the ability and the consideration to evaluate the situation while he identifies any nonconformities or faults. Within the ISO 19011 Standard there is a specification for the auditor's qualities required:
  • Ethics - credibility, integrity and honesty.
  • Open minded - willing to listen, learn and accept new ideas.
  • Diplomatic - polite with high manners to his colleagues - after all he is working with people and he is the representative of the top management.
  • Observer - owns the ability to recognize what he sees and understand without interrogating.
  • Perspective - owns the ability to evaluate situations beyond appearance and with a wide systematic view of things - has the ability to understand the organizational consequences of his evidence.
  • Versatile - owns the ability to mobilize from one situation to another without losing direction.
  • Persistence - must be persistence with his objectives and to not stray away.
  • Decisive - ready to make decision
  • Independent - must have his own opinion of things and to not be influenced by the environment.
We also recommend an infinitive patience. During the audits people would try everything (but everything) to divert the auditor from the subject, from all sorts of reasons: they want to conceal their activities, they are afraid or just don't like when other people look through their draws. The auditor must remain patient and always wait until his question is answered. Mostly the audit clients answer completely other answers. Sometime things get out of hand and go into arguments and disputes. The auditor must remain cool, patient - we are use to say "business as usual" - the audit must make it clear; the audit is not for any arguments but a decision made by the top management. The auditor has one objective - to present with the top management the real status of the organization. He must not be concerned about time schedules as well. This is merely a tool and not the objective.
The audit's program
The organization must maintain a documented program for conducting the audits. The program must be documented according to the ISO 9001 requirement. This is not a recommendation but a requirement! The purpose of this program is to ensure that the audits are conducted as planned. So, first, you need a program. The ISO 9001 Standard requires performing the audits within scheduled and fixed time frames. This requirement ensures that employees would know that the audit is a part of the quality management system and not a momentarily capricious decision made by the top management. It is recommended to publish the audit schedules. And for "surprise" audits - you need to define the time frames, just don't publish them. The audits program must cover:
  • Quality plans for the products - For any requirement for product realization, you must evaluate if it is performed as planned. The best way is to sample. Pick the product, review its quality plan, and check whether the product was realized according to the plan. Document the results then.
  • The ISO 9001 Standard requirements -Including the documentation requirements (customer complaints, purchasing information, CAPA, training, etc). The examination must be conducted throughout the entire organizational units which related to product realization or are under the quality managment scope. Any unit must be examined at least once a year.
  • Processes and procedures - the audit must evaluate whether the processes that are related to the product realization are performed as required. It could be a correlated with quality plans. But generally an audit must sample processes and evaluate its performance.
  • Quality objectives - the audit must examine whether the organization is achieving his quality objectives. He evaluates the objectives - whether they are related to the product and evaluates the results. Where he revealed that the objectives are not fulfilled - he must be presented with reasons and measures.
It's not easy being an auditor. It also not so easy to maintain all of the above without some help.
Audit's evidences and findings
At the end of the audit the auditor must deliver a specific report about the audits evidences and findings. The report must specify:
  • Who were the participants - it is recommended to document who participated during the audit. The purpose is when top management would like to conduct its inquiry - they would know to whom they must approach.
  • The auditee - the organization or unit that were audited.
  • General detail to shed light upon the auditee: how many workers, special projects, special recent events - information that would support the evidences.
  • Reference to prior audits and prior findings - the auditor must verify that all nonconformities that were revealed during the last audit are eliminated the treatment was documented and most important, they are not repeated.
  • The audits findings according to the evidences - that mean what the auditor discovered and how is it referred to the criteria: good, requires improvement action or requires corrective action (we would not deal in this article with classification of findings). Actually this is the most important part of the report. It specifies what the auditor saw, and how it was. The auditor must document the evidences as accurate as possible.
  • Recommendations - for every finding the audit may pay his recommendation.
A sum of all nonconformities discovered during the audit - the purpose for that is: To gather all the nonconformities for the top management for review To trace the corrective action for the next audit This sum will become a corrective action report - but that is a whole different topic. Bear in mind - this report is designated for the top management and the function that is responsible for the auditee. That report is a tool for him to understand the status. Therefore it is recommended that the report would in a format that is easy for him to understand.
Summary
  • The purpose of the audit is to ensure that the quality management system is as required by the ISO 9001 Standard and appropriately maintained.
  • You are required to maintain a documented procedure specifying the process of the internal audit.
  • The auditor bears a lot of responsibility. Therefore he must be perspective to the environment that he is auditing, must own the skills for evaluating and examining, with a wide view of things.
  • The auditor must be polite with high manners, be patient and persistent. The audit is not an easy task to perform. The organization must maintain an audit program. The purpose of the program is to ensure that the audits are conducted as planned.
  • At the end of the audit the auditor must deliver a specified report about the audit. This report is designated to the function that is responsible for the auditee.

2 Responses to "Internal Audit - The ISO 9001 Standard Requirements"

  1. Excellent ISO certification Process and also provide ISO training ,best customer satisifaction Quality Services in singapore Qscert

    ReplyDelete

Orang Bijak Tinggalkan Jejak