9.2 Internal audit (9.2.1, 9.2.2)
This week is a double feature to include the entire 9.2 Internal audit clause. Internal audits are one of the most underutilized tools in management systems. The whole notion of internal audits can invoke fear for the auditees, and nuisance work for auditors. This is one of the most important issues to address with the implementation of internal audits. Creating a system which is easy to use for the auditors, and an audit team style of encouragement and cooperation for the auditees is key.
Let’s review the first part of the requirements.
“9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:” Stopping right here, this is a question I see a lot. “How often do we have to do audits?” The first hint is in this sentence, where it includes “at planned intervals”. The organization must plan it’s internal audit program. Moving on:
“a) conforms to:
1. the organization’s own requirements for its quality management system;” The first thing to review with internal audits is the organization’s performance with regard to its own management system. This is very important so that the internal audit process is not a simple do-over of the third-party registration or surveillance audits.
“2. the requirements of this International Standard;” This is where the standard comes in. In addition to the organization’s own requirements, the system should be assessed to its conformance to the ISO9001 standard.
“b) is effectively implemented and maintained.” This is an important bullet point. Many internal audits omit the addition of effective implementation. I like to include three areas for consideration for each area audited – where is it described in the quality system (documentation), what is the evidence (records) and how is it working (assessment of effectiveness).
“9.2.2 The organization shall:
a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;” The frequency of audits is at the discretion of the organization and should include the items listed above. One notable area is “changes affecting the organization”. Where there are changes to the management system, a follow up internal audit is a great way to validate the change as well as verify implementation of the change.
“a) define the audit criteria and scope for each audit;” Many organizations use a checklist to meet this requirement. It may be a master checklist or subset checklists to make the audit program more manageable.
“b) select auditors and conduct audits to ensure objectivity and the impartiality of the audit programme;” This should be specifically described in the audit process. Tools such as job descriptions, training and competence assessments and audit feedback surveys can be used to ensure objectivity is maintained.
“c) ensure that the results of the audits are reported to relevant management;” This is a required input to Management Review, so there is a second requirement in the standard that these be tied together. Reporting audit results to management is key to ensure the continued effectiveness and continual improvement of the management system. It is the whole purpose for having the internal audit program.
“d) take appropriate correction and corrective actions without undue delay;” Many companies issue “corrective actions” for significant findings from internal audits. It is very important to ensure the corrective actions are completed (and the actions verified!) in a timely manner. They should receive the same scrutiny that a product nonconformance corrective action and should be dealt with in an appropriate manner and timeline.
“f) retain documented information as evidence of the implementation of the audit programme and the audit results.” This is another area where records or documented information is required. Lack of internal audit records will result in noncompliance.
NOTE: See ISO19011 for guidance
THIS WEEK’S HOMEWORK
Take a look at your internal audit process and documentation. Is the audit plan adequate? Does your audit ask “where is it described in the quality system (documentation), what is the evidence (records) and how is it working (assessment of effectiveness)”? When changes are made, is there an audit to assess the implementation and effectiveness of the change? Review your previous audit results for clues about where you might be able to make improvements to get the most from your internal audit program. Good luck!