Preparing for ISO 9001: 2015 using your QMS - Part 5: Internal Audits
The current draft (DIS) version of ISO 9001:2015 makes the “process approach” and consideration of “risk” throughout the development and implementation of a Quality Management System much clearer. For some organizations, this will herald a new era with the way in which the internal audit program is established and implemented.
Often, in the early phases of implementation of an ISO 9001–based Quality Management System, the focus of the internal audit program is to ensure that no significant issues are found during the Certification Body assessment and all aspects of the Quality Management System are often treated equally. The only consideration to “risk” may be the risk of a major non-conformity being found!
However, once found in compliance, the internal audits should be scheduled to ensure that their focus gives more value to the organization than just compliance to the ISO standard. The ISO 9001:2008 requirements for internal audits (8.2.2) give us guidance on what to consider when establishing an audit schedule, also called an audit program. It states, in part, “An audit program shall be established taking into consideration the status and importance of the processes to be audited”.
An internal audit program considers that all processes are not created equally and some might need to be audited as a priority and possibly more frequently than others DIS ISO 9001:2015 has moved the requirement for internal audits to section 9 which is entitled “Performance Evaluation”. There is a strong indication as to the purpose of internal audits within the context of the management system. 9.2.1, Internal audit, has a preamble which is very similar to 8.2.2.
The subsection 9.2.2 goes on to be more detailed. Instead of “an audit program shall be planned, taking into consideration the status and importance…”, the new text includes, in part, “…the organization shall: a) plan, establish, implement and maintain an audit program(s)…which shall take into consideration the quality objectives, the importance of the processes concerned, customer feedback, changes impacting on the organization…”. The results of previous audits are also to be considered per the current requirement.
Let’s consider what’s meant by the text “importance of the processes concerned”.
Importance might include something being new and/or changed, performing below or above the expected quality objectives. Having something new or changed associated with the following is frequently associated with causing problems, including new or changed:
- Customers and requirements
- Process requirements
- Materials, equipment etc.
These are normally considered to be risks to the business, which, as we know is a recurring theme of the proposed 2015 version of ISO 9001.
Likewise a process not performing to expectations, causing scrap, rework, and downtime – in fact any kind of waste - is also a risk to the achievement of those quality objectives. Got a process which exceeded its goal? Better find out why, particularly if the customer noticed! Once the reason has been discovered, it could be used to improve other similar processes.
In some cases these are planned situations - including the new and changed aspects - some, like poor performance, are unplanned. What could be done to give a priority to an audit of a new, changed or poorly performing process? This is where the importance of that process must be considered. We have to ask ourselves, is the process important to meeting:
- Customer needs and expectations
- Regulatory compliance
The importance of the process to the customer or other aspects of business can be considered as the impact of that process on the business.
It is common for internal audit programs to be developed on an annual calendar which predicts which aspects of the quality management system are going to be audited. Often the objectives for developing the schedule are to ensure all the system is audited in that year, or to ensure all the ISO requirements are covered, etc. However, since there is no requirement to perform audits in that way, these internal audits often miss critical processes when they become an issue.
An annualized calendar which schedules audits of processes (or worse, elements of the standard) in this manner, often doesn’t consider managements’ input and, as a result will not help to identify what contemporary actions need to be taken to improve things. No wonder then, that in many organizations, the internal audit program is not well supported! Internal audits should be scheduled using current process performance data, feedback from customers, etc., to ensure that auditors are focused on what is on management's ‘radar screen’.
Internal audit management programs, scheduled based on risk and customer feedback can help usher in a new era, synonymous with risk assessment and continual improvements, rather than something done simply for compliance. Furthermore, the role of auditor becomes elevated to a strategic one, rather than a job of simply checking compliance. Improving the internal audit program in this manner will help to ensure corrective actions are seen as important to process results and that management reviews of the quality management system become an integral way of managing the business.
You will need to prepare for change and adapt your quality management system to meet the new requirements and transitional timelines, but don't worry this is a partnership and we will help you to understand the changes, interpret the new concepts and act on the implications.