Part of an ongoing series: Practical advice on Clause 9.2 of ISO 9001:2015
For whatever MSS you need to conduct internal audits, you have two basic approaches to choose from:
Option 1: do the minimum necessary to satisfy the Certification Body (CB) [or Accreditation Board (AB)] Auditors
Option 2: take best advantage of the opportunity the mandatory requirement offers.
You may well ask: Is it really worth my while putting time and effort into internal auditing, especially when I am going to meet resistance at every turn?
Here we’re going to consider both options and then you can decide which is best for your organization.
Option 1: Do the minimum to satisfy Clause 9.2 requirements
|Action||Benefit to the Organization|
|Focus on the basic performance and effectiveness of the management system (MS) from an impartial viewpoint (through choosing impartial internal auditors)||Satisfies a requirement of Clause 9.2|
|Ensure that planned arrangements have been completed, not forgetting to audit processes that do not have procedures associated with them (Clauses 4 and 5 in particular)||Satisfies a requirement of Clause 9.2|
|Ensure that the MS is effectively implemented and maintained.||Satisfies a requirement of Clause 9.2|
With Option 1 you’ll have done a good job. But at what cost in terms of lost opportunity?
Option 2: Take full advantage of the opportunity Clause 9.2 presents
|Action||Benefit to the Organization|
|(As with Option 1)||Satisfies a requirement of Clause 9.2|
|Develop an audit programme directed towards ensuring the performance and effectiveness of the MS.||The internal audit becomes part of monitoring the system to check progress towards achieving the Management System Objectives and KPIs chosen and prompting timely action to ensure that they are going to be successfully met.|
|Develop an Audit Schedule (as part of the audit programme) to conduct audits throughout the year (e.g. monthly, quarterly, or annually) and that differs for different areas or processes over the course of a year.||Audit activity provides an ongoing reminder to colleagues of the importance of the Management System and their contribution to its success. Reinforces any awareness training or similar provided.|
In developing the audit programme apply a risk-based approach to considering:
|Processes will be audited at suitable frequency with important/critical/failure-prone ones being audited most frequently. Early detection of failing processes will save time, money and reinforce customer and other stakeholders’ satisfaction.|
|Ensure that, in addition to the importance of the processes, the audit programme considers:
||Common sources of noncompliance with both CB and regulatory are addressed and the possibility of a major noncompliance are significantly reduced (self-preservation, perhaps?)|
|Plan and conduct audits according to the requirements of your Management System by project or process, rather than by the specific clauses in ISO 9001. Prepare an ISO 9001 Audit Checklist to address requirements not normally directly involved in operational processes (e.g. Parts 4 and 5).||Auditors find it easier and more natural to follow workflows, material flows and information flows with this approach. Consequently, a more thorough audit is conducted, and significant, disjointed steps in processes, procedures and methods are less likely to be missed.|
|Have internal auditors professionally trained to include interview, observational, sampling and information reviews skills.||With a variety of evidence collection methods in use the dependability of compliance and noncompliance findings is enhanced, as is management’s confidence in the Management System.|
|Ensure for each internal audit ISO 9001 or other Standard that, while interviewing, the auditors actively seek out improvement opportunities no matter how minor these may seem.||Large numbers of incremental improvements and corrections to processes and procedures will result, as well as the occasional major improvement opportunity. Remember innovative thinking is to be found at all levels and functions within the organization and often from those working with the issues day-in, day-out.|
|Follow-up on findings of good compliance and on the improvement opportunities identified.||Individual audit reports will consequently be balanced in their reporting of the state of compliance and will help ensure that internal audits are not perceived as ‘witch-hunts’. Instances of good compliance in one area may be an improvement opportunity for another.|
|In addition to evidence of non-compliance, present evidence of good compliance and of improvement opportunities identified to top management.||An ISO 9001 Audit Report presented at Management Review meetings that highlight the positives will confirm to management the usefulness of the Management System, and make it easier for you to secure additional resources for your Management System improvement projects.|
In our opinion Option 1 is 'what not to do' and Option 2 is 'what to do' and, if you are the Audit Programme Manager for your organization, we strongly recommend it to you as part of your ISO 9001 implementation and maintenance. Yes, it is a lot more work but the results will significantly benefit your organization (and mostly on the ‘bottom line’). It won’t do your career prospects any harm either.