Home Resources Blog April 2015

Internal Audit Expectations - A Refresher

15 April 2015
As we approach the transition from ISO 9001:2008 to ISO 9001:2015 it may be a good time to take stock of our expectations for the Internal Audit programs. We should make sure we have not lost focus on the expected methodology, outcomes and content of the audit records.

As we approach the transition from ISO 9001:2008 to ISO 9001:2015 it may be a good time to take stock of our expectations for the Internal Audit programs. We should make sure we have not lost focus on the expected methodology, outcomes and content of the audit records.

Internal Audit Requirements

Have we lost focus on the expectations of Internal Audits? Are Registrar Auditors and Internal Auditors both becoming complacent? If complacency sets in, the benefits of Internal Audits disappear. If this important cornerstone of the Plan-Do-Check-Act cycle has become weak, the entire system is weak. In this article I intend to explore the basics to serve as a reminder on how to conduct Internal Audits.

Let’s review ISO 9001:2008 clause 8.2.2, we will find similar wording in ISO 9001:2015. This clause requires the organization to conduct internal audits to determine whether the four core aspects of a quality management system are in conformance and continue to be effectively implemented.

The Four Core Aspects

  1. the planned arrangements for providing services or products
  2. ‚Äčthe applicable requirements of ISO 9001 (clauses 4, 5, 6, 7, and 8), and
  3. the documented quality management system
  4. the entire Scope of registration

ISO 9001:2008 Clause 8.2.2 requires records of the internal audits. Records of Internal Audits will have evidence that all applicable requirements of ISO 9001 are being met, that the organization follows the planned arrangements for delivering goods and services as required by their customers, and that the organization continues to follow the documented management system.

Internal Audit Expectation

The expectation is for audits to be based on a review of the processes (documented and not documented) providing evidence of compliance with ISO 9001, not necessarily based on the clauses of ISO 9001. The organization must conduct Internal Audits to the depth and breadth necessary to provide sufficient evidence of a review of the effectiveness of the entire management system. It also requires the Internal Audits be conducted by trained, competent auditors independent of the area under review.

The philosophy of Internal Audits is that the certified organization will have conducted Internal Audits to ensure the entire QMS continues to meet the requirements of ISO 9001.

  • That the organization continues to adhere to all processes, documented and undocumented.
  • That the system ensures customer requirements are being met all of the time. 
  • That all process descriptions remain current and accurate.
  • That all records required by ISO 9001:2008 and the QMS are maintained and are accurate.
  • To show the entire scope of the certificate has been audited.

Some of the complacency seen by the registrar auditors has resulted in Minor and, in some extreme circumstances, Major non-conformances at organizations with long standing certificates. The following is a short list of the weaknesses in the organizations’ Internal Audits that have resulted in the issuance of NCRs by the registrar auditors:

  • Use of untrained internal auditors
  • Not auditing the entire scope of the certificate
  • Not auditing all clauses of ISO 9001 and thus not auditing all processes
  • No actual evidence of which documents or persons were the subject of the audit and failure to take timely correction and/or corrective action to non-conformances identified in the Internal Audits.

The Registrar Auditor’s role is to sample the processes and records of the organization to ensure compliance, identify potential weaknesses in the system, show the entire scope of the certificate has been audited, and ensure the overall intent of driving customer satisfaction is met. Registrar Auditors, by necessity, pay particular attention to the organization’s Internal Audit Reports, Management Review Meeting Minutes, and Corrective Action process. These three sources of information, when reviewed as an integrated set of processes, can help the Internal Auditor and the Registrar Auditor identify and correct complacency in the overall Plan-Do Check-Act process.

The Result

Taking stock of the effectiveness of the Internal Audit Programs as we move through the Transition to ISO 9001:2015 could result in faster, smoother and easier transitions.