Requirements and Guidance on Internal Audits

You’re probably familiar with the ISO 9001:2000 requirements for an internal audit program. But, have you thought about improving your internal audits by considering the extra requirements and guidance from the different industry sector schemes? Well, read on, because after a brief review of the ISO 9001:2000 audit requirements, you’ll hear about additional requirements (AS9100, TL 9000, ISO/TS 16949, ISO 13485, and ISO 14001) and guidance (ISO 9004, ISO 14004, ISO 90003, and ISO 19011) to consider for your internal audit program.

Audit Definition
According to ISO 9000:2000 (and ISO 19011:2002), an audit is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.

Audit Requirements

Clause 8.2.2 of ISO 9001:2000 states that the organization must conduct internal audits at planned intervals to determine whether the quality management system:

a) conforms to the planned arrangements, to the requirements of this International Standard, and to the quality management system requirements established by the organization, and
b) is effectively implemented and maintained.

An audit program must be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods must be defined. Selection of auditors and conduct of audits must ensure objectivity and impartiality of the audit process.
Auditors must not audit their own work.

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records must be defined in a documented procedure.

The management responsible for the area being audited must ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities must include the verification of the actions taken and the reporting of verification results.

Audit Guidance – ISO 9004
Clause of ISO 9004:2000 states that top management should ensure the establishment of an effective and efficient internal audit process to assess the strengths and weaknesses of the quality management system. The internal audit process acts as a management tool for independent assessment of any designated process or activity. The internal audit process provides an independent tool for use in obtaining objective evidence that the existing requirements have been met, since the internal audit evaluates the effectiveness and efficiency of the organization.

It is important that management ensure improvement actions are taken in response to internal audit results. Planning for internal audits should be flexible in order to permit changes in emphasis based on findings and objective evidence obtained during the audit. Relevant input from the area to be audited, as well as from other interested parties, should be considered in the development of internal audit plans.

Examples of subjects for consideration by internal auditing include:

  • Effective and efficient implementation of processes,
  • Opportunities for continual improvement,
  • Capability of processes,
  • Effective and efficient use of statistical techniques,
  • Use of information technology,
  • Analysis of quality cost data,
  • Effective and efficient use of resources,
  • Process and product performance results and expectations,
  • Adequacy and accuracy of performance measurement,
  • Improvement activities, and
  • Relationships with interested parties.

Internal audit reporting sometimes includes evidence of excellent performance in order to provide opportunities for recognition by management and motivation of people.

Aerospace – AS9100
In addition to the basic ISO 9001:2000 requirements, AS9100B:2004 states that detailed tools and techniques, such as checksheets, process flowcharts, or similar methods, must be developed to support audit of the quality management system requirements. The acceptability of the selected tools will be measured against the effectiveness of the internal audit process and overall organization performance. Internal audits must also meet contract and/or regulatory requirements.

Telecommunications – TL 9000
TL 9000, Release 3.0, doesn’t add any requirements to those expressed in clause 8.2.2 of ISO 9001:2000.

Automotive – ISO/TS 16949
In addition to the basic ISO 9001:2000 requirements, ISO/TS 16949:2002 adds five sub-clauses:

  • Quality Management System Audit: The organization must audit its quality management system to verify compliance with ISO/TS 16949 and any additional quality management system requirements.
  • Manufacturing Process Audit: The organization must audit each manufacturing process to determine its effectiveness.
  • Product Audit: The organization must audit products at appropriate stages of production and delivery, at a defined frequency, to verify conformance to all specified requirements, such as product dimensions, functionality, packaging, and labeling.
  • Internal Audit Plans: Internal audits must cover all quality management related processes, activities, and shifts, and must be scheduled according to an annual plan. When internal or external nonconformities or customer complaints occur, the audit frequency must be appropriately increased. Note: Specific checklists should be used for each audit.
  • Internal Auditor Qualification: The organization must have internal auditors who are qualified to audit the requirements of ISO/TS 16949.

Environment – ISO 14001
ISO 14001:2004, clause 4.5.5, is similar to ISO 9001:2000, clause 8.2.2, except:

  • ISO 9001 says the organization must conduct internal audits, while ISO 14001 states the organization must ensure they are conducted.
  • ISO 9001 says to determine if the system has been effectively implemented, while ISO 14001 says to determine if the system has been properly implemented.
  • ISO 14001 leaves out that the management for the area being audited must ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes (since this is addressed adequately by 4.5.3 in ISO 14001 on Nonconformity, Corrective Action, and Preventive Action).
  • ISO 14001 leaves out coverage of follow-up activities for the verification of actions taken and the reporting of verification results.

ISO 14001:2004, A.5.5, states that internal audits of an environmental management system can be performed by personnel from within the organization or by external persons selected by the organization, working on its behalf. In either case, the persons conducting the audit should be competent and in a position to do so impartially and objectively. In smaller organizations, auditor independence can be demonstrated by an auditor being free from responsibility for the activity being audited.

Note: If an organization wishes to combine audits of its EMS with environmental compliance audits, the intent and scope of each should be clearly defined. Environmental compliance audits are not covered by ISO 14001.

Environment – ISO 14004

Clause 4.5.5 of ISO 14004:2004, EMS – General Guidelines on Principles, Systems, and Supporting Techniques, states that internal audits of an organization’s environmental management system should be conducted at planned intervals to determine and provide information to management on whether the system conforms to planned arrangements and has been properly implemented and maintained. They can also be performed to identify opportunities for improvement in an organization’s environmental management system.

An organization should establish an audit program to direct the planning and conduct of audits and identify the audits needed to meet the program’s objectives. The program should be based on the nature of an organization’s operations, in terms of its environmental aspects and potential impacts, the results of past audits, and other relevant factors.

Each internal audit need not cover the entire system, so long as the audit program ensures that all organizational units and functions, system elements, and the full scope of the environmental management system are audited periodically.

The audits should be planned and conducted by objective and impartial auditors, aided by technical experts, where appropriate, selected from within the organization or from external sources. Their collective competence should be sufficient to meet the objectives and scope of the particular audit and provide confidence as to the degree of reliability that can be placed on the results.

The results of an internal environmental management system audit can be provided in the form of a report and used to correct or prevent specific nonconformities, fulfill one or more objectives of the audit program, and provide input to the conduct of the management review.

Medical Devices – ISO 13485
ISO 13485:2003, Medical Devices – Quality Management Systems – Requirements for Regulatory Purposes, doesn’t expand on the basic audit requirements of ISO 9001:2000.

Software – ISO 90003
ISO 90003:2004, Guidelines for the Application of ISO 9001:2000 to Computer Software, states that when software organizations separate their work into projects, audit planning should define a selection of projects and assess both the compliance of their project quality planning to the organization’s quality management system and the compliance of the project to the project quality planning. This selection should ensure coverage of all stages and all processes. This may necessitate auditing various projects at different stages of their product development life cycle, or auditing a single project as it progresses through various stages. Where the intended project changes its timescale, the internal audit schedule may be reviewed, either to change the timing of the audit, or to consider a different project. 

Other Sources – ISO 19011 and QE19011S
ISO 19011:2002 provides guidelines for quality and/or environmental management system auditing. It gives suggestions for conducting internal and external audits, as well as on the competence and evaluation of auditors. Although supplementary guidance and examples are provided in ISO 19011:2002, the US decided additional guidance was necessary. Therefore, QE19011S:2004 was published with the ISO 19011:2002 text, plus extra guidance for first-party (internal) audits, second-party (external) audits, and small organizations.