Organisations are required by ISO 9001:2015 to conduct internal audits at planned intervals to confirm that the management system conforms to both the organisations own requirements and the requirements of the standard, also ensure that the system is effectively implemented and maintained.

Organisations must also:

1. Plan, establish, implement and maintain an audit programme which includes the frequency, methods, responsibilities, planning requirements and reporting. The programme must also take into consideration the criticality of the processes concerned, any changes affecting the organisation, and the results of previous audits carried out.
2. Define the audit criteria, (EG: ISO 9001, organisations own management system and any applicable contractual or regulatory requirements) and scope (IE: extent and boundaries) for each audit,
3. When selecting auditors and conducting audits, ensure objectivity and the impartiality of the audit process,
4. Ensure that the results of audits are reported to relevant management,
5. Take appropriate and timely correction and corrective actions,
6. Retain documented information (records) as evidence of the implementation of the audit programme and the audit results. It is also noted that ISO 19011 (guidelines for auditing management systems) may be referred to.

Comment:

Note that the purpose of internal audits are not to determine whether the management system meets the organisations and ISO 9001 requirements, only to provide information as to whether this is the case. This is important because top management must review audit results as part of the management review process and take any necessary additional action if required IE: Be actively involved in the effectiveness of the management system. (See also article 5.1 Leadership and commitment and 9.3 Management Review.)

Although there is no longer a requirement under the 2015 update of the standard for the organisation to document an internal audit procedure, other than the smallest of SMEs, many organisations may wish to do so. In either case, documented information (records) must be retained to provide evidence of an effective audit programme and its outputs (including audit results and corrective action plans where required.)

Note also that “changes that impact on the organisation” is an important input into the planning of audit programme.

Step by step overview of the process:

1. Audit programme

By regularly reviewing the audit programme to ensure process criticality (risk), results of previous audits and changes affecting the organisation are taken into account when determining when and where to look, the best use can be made of the audit programme. The key is to add value, not a bureaucratic burden. An indicator of the latter approach is late or overdue or poorly executed audits. (External auditors are aware of this and will scrutinise audit plan execution as a result. - See Audit Check below.)

Note: Where changes are made to the management system, internal audits are an excellent tool to use in the change management process to validate that the changes have resulted in the intended outcomes. (See also article 6.3 Planning of changes.)

1. Audit criteria and scope

This needs to be established for each audit at the planning stage. IE what elements of the requirements are to be audited, what processes are to be reviewed and what are the boundaries? Checklist are commonly used as part of audit preparation, but beware of pre-prepared “master” checklists which need to be carefully managed to ensure they are current. Master checklists if not completely comprehensive, can also lead to elements of the management system being omitted routinely.

1. Objectivity and the impartiality

Job descriptions and organisational layout charts can be effective in larger organisations to demonstrate impartiality if dedicated auditors are not employed. This can be more of a challenge in small to medium sized businesses of course where personnel of necessity, are required to “multi-task”. One option is to out-source audits to a suitably qualified impartial service provider. (David Barker Consulting offers this as a service.) Note that there is no specified requirement for auditors to have attended formal external auditor training, but auditors must be able to demonstrate appropriate competence as they have a key role which affects the performance and effectiveness of the management system. (See article7.2 Competence.)

1. Reported to relevant management

The results of audits are an important required input to Management Review.

1. Appropriate and timely correction and corrective actions,

Other than late or poorly executed audits (see point 1,) lack of timely corrective action is the other key indicator that the management system may be being treated as a “bolt on” rather than integral part to how the business is run. It is important therefore that audit non-conformities are addressed promptly and thoroughly. Note also that audit observations can play a key role in an organisations ongoing improvement programmes, (an embedded requirement throughout the 9001 standard and referenced in several of these articles.)

1. Documented information (Records).

Records should not be a problem if the audit plan is planned appropriately, carried out to schedule, good auditing practices followed when executed, and appropriate follow up actions taken in a timely manner.

Audit Check:

Auditors should not expect a documented internal audit procedure to be in place. However, documented information must be available to evidence effective implementation and the outcomes of audits.

Note points 1 and 5 above: Execution of audits to plan and timely and effective corrective actions (and resultant follow up to confirm implementation.) are often scrutinised when auditing an organisations audits programme.

Auditors may also wish to confirm that organisational changes have been incorporated into the audit planning process