Audit Requirements

If you conduct internal audits of an ISO 9001-based quality management system, what steps are you taking to improve the audit program and its results? In addition to getting feedback from your auditors and the audited areas, you should consider adopting some of the extra audit requirements contained in other management system standards.

After reviewing the ISO 9001 internal audit requirements, I will cover the extra requirements that were thought to be necessary beyond the basic audit requirements of ISO 9001.

Audit Definition According to ISO 9000:2005 (and ISO 19011:2011), an audit is a “systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.”

Quality – ISO 9001 Clause 8.2.2 of ISO 9001:2008, states that the organization must conduct internal audits at planned intervals to determine whether the quality management system:

a) conforms to the planned arrangements, to the requirements of this International Standard, and to the quality management system requirements established by the organization, and b) is effectively implemented and maintained.

An audit program must be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods must be defined. Selection of auditors and conduct of audits must ensure objectivity and impartiality of the audit process. Auditors must not audit their own work.

The responsibilities and requirements for planning and conducting audits, establishing records, and reporting results must be defined in a documented procedure.

The management responsible for the area being audited must ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities must include the verification of the actions taken and the reporting of verification results.

Aerospace – AS9100
The only addition to the internal audit section of AS9100C is a Note that explains the “planned arrangements” mentioned in 8.2.2.a includes “customer contractual requirements”.

Automotive – ISO/TS 16949
In addition to the basic ISO 9001:2008 requirements, the automotive standard ISO/TS 16949:2009 adds five sub-clauses: Quality Management System Audit The organization must audit its quality management system to verify compliance with ISO/TS 16949 and any additional quality management system requirements. Manufacturing Process Audit
The organization must audit each manufacturing process to determine its effectiveness. Product Audit
The organization must audit products at appropriate stages of production and delivery to verify conformity to all specified requirements, such as, product dimensions, functionality, packaging, and labeling, at a defined frequency. Internal Audit Plans Internal audits must cover all quality management related processes, activities, and shifts, and must be scheduled according to an annual plan. When internal or external nonconformities or customer complaints occur, the audit frequency must be appropriately increased. Note: Specific checklists should be used for each audit. Internal Auditor Qualification The organization must have internal auditors who are qualified to audit the requirements of ISO/TS 16949.

Environment – ISO 14001
The environmental standard ISO 14001:2004, clause 4.5.5, is similar to ISO 9001:2008, clause 8.2.2, except:

ISO 9001 says the organization must conduct internal audits, while ISO 14001 states the organization must ensure they are conducted. ISO 9001 says to determine if the system has been effectively implemented, while ISO 14001 says to determine if the system has been properly implemented. ISO 14001 also adds that information on the results of audits are to be provided to management.

14001 leaves out that the management for the area being audited must ensure the actions are taken without undue delay to eliminate detected nonconformities and their causes (since it is addressed adequately by 4.5.3 in 14001 on Nonconformity, Corrective Action, and Preventive Action). Also, ISO 14001 leaves out coverage of follow-up activities for the verification of actions taken and the reporting of verification results.

Health and Safety – OHSAS 18001
The audit requirements of the occupational health and safety standard OHSAS 18001:2007, clause 4.5.5, are almost the same as those in clause 4.5.5 of ISO 14001. The OHSAS 18001 standard adds that internal audits are to ensure the management system is effective in meeting the organization’s policy and objectives. It also adds that audits are to be planned based on the results of risk assessments of the organization’s activities.

Environment – ISO 14001 Annex
ISO 14001:2004, Annex A.5.5, states that internal audits of an environmental management system (EMS) can be performed by personnel from within the organization or by external persons selected by the organization, working on its behalf. In either case, the persons conducting the audit should be competent and in a position to do so impartially and objectively. In smaller organizations, auditor independence can be demonstrated by an auditor being free from responsibility for the activity being audited.

Annex A.5.5 also includes a Note that if an organization wishes to combine audits of its EMS with environmental compliance audits, the intent and scope of each should be clearly defined. Environmental compliance audits are not covered by ISO 14001.

Medical Devices – ISO 13485
ISO 13485:2003, Medical Devices – Quality Management Systems – Requirements for Regulatory Purposes, doesn’t expand on the basic audit requirements of ISO 9001:2008.

Information Technology – Service Management – ISO 20000-1
Clause of the IT services management standard ISO 20000-1 adds that nonconformities must be communicated, prioritized, and responsibility allocated for actions.

Information Technology – Information Security – ISO 27001
Clause 6 of the information security standard ISO 27001:2005 adds that audits must be conducted to determine if the control objectives, controls, processes, and procedures conform to the requirements of the standard and relevant legislation and regulations, as well as, perform as expected.

Petroleum, Petrochemical, and Natural Gas – ISO/TS 29001
The ISO/TS 29001:2010 standard is based on ISO 9001:2008 and adds two sub-clauses for internal audits: Internal Audit – Supplemental Internal audits must be scheduled and conducted at least annually by personnel independent of those who performed or directly supervised the activity being audited. Response Times – Supplemental Response times must be identified for addressing detected nonconformities.

Audit Guidance – ISO 9004
In addition to looking at the extra requirements of other management system standards, we should also examine the guidance provided by ISO 9004:2009, Managing for the Sustained Success of an Organization – A Quality Management Approach.

Clause 8.3 of ISO 9004 states that internal audits are an effective tool to determine the conformity of an organization’s management system against given criteria and to provide valuable information for understanding, analyzing, and continually improving the organization’s performance. Audits should be conducted by people who are not involved in the activity being examined, in order to give an independent view on what is being performed.

Internal audits should assess the implementation and effectiveness of the management system. They can include auditing against more than one management system standard, such as ISO 9001 and ISO 14001, as well as, addressing specific requirements relating to customers, products, processes, or specific issues.

To be effective, internal audits should be conducted in a consistent manner, by competent personnel, in accordance with an audit plan.
Internal auditing is an effective tool for identifying problems, risks, and nonconformities, as well as, for monitoring progress in closing previously identified nonconformities (which should have been addressed through root cause analysis and the development and implementation of corrective and preventive action plans).

Verification that the actions have been effective can be determined through an assessment of the improved ability of the organization to meet its objectives. Internal auditing can also be focused on the identification of good practices (that can be considered for use in other areas of the organization), as well as, on improvement opportunities.

The outputs of internal audits provide a useful source of information for:

  • Addressing problems and nonconformities
  • Benchmarking
  • Promoting good practices
  • Increasing understanding of interactions between processes

The results of internal audits are usually presented in the form of reports containing information on conformity against given criteria, nonconformities, and improvement opportunities. Audit reports are also an essential input for management reviews. Top management should establish a process for the review of all internal audit reports to identify trends that can require organization-wide corrective or preventive actions.

Software – ISO 90003
Although ISO 90003:2004, Guidelines for the Application of ISO 9001:2000 to Computer Software, has not been updated for ISO 9001:2008, it provides useful guidance. It states that when software organizations separate their work into projects, audit planning should define a selection of projects and assess both the conformity of their project quality planning to the organization’s quality management system and the conformity of the project to the project quality planning.

The project selection should ensure coverage of all stages and all processes. This may necessitate auditing various projects at different stages of their product development life cycle, or auditing a single project as it progresses through various stages. Where the intended project changes its timescale, the internal audit schedule may be reviewed, either to change the timing of the audit, or to consider a different project.

Quality – ISO 9001:2015
What about future internal audit requirements? All new and revised management system standards, including ISO 9001:2015, will provide common text for internal audit requirements at clause 9.2, and add discipline-specific requirements as necessary.

9.2 Internal Audit The organization shall conduct internal audits at planned intervals to provide information on whether the XXX management system:
a) conforms to the

  • organization’s own requirements for its XXX management system
  • requirements of this International Standard;

b) is effectively implemented and maintained.

The organization shall:
a) plan, establish, implement and maintain an audit program(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit program(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management, and
e) retain documented information as evidence of the implementation of the audit program and the audit results.