ISO 9001:2015 Internal Audit

The Committee Draft of ISO 9001:2015 has moved Internal Audit requirements from clause 8.2.2 in ISO 9001:2008 to a new clause 9.2. Internal audits must still be conducted at planned intervals to see if the quality management system conforms to the organization’s own requirements and those of the ISO 9001 standard.

However, clause 9.2 has dropped determining conformity with “planned arrangements”. It was never really needed in ISO 9001:2008, since planned arrangements are organizational requirements.

Clause 9.2 of ISO 9001:2015 still requires the audit program to consider the importance of the processes to be audited and the results of prior audits. The requirement to consider the status of the processes to be audited has been revised to consider the quality objectives.

A new requirement for planning the audit program is to consider the related risks. This refers to the risk that the audit program may not achieve its objectives, as well as, the risk of audits interfering with the auditee’s activities and processes.  It does not refer to risk-based auditing.

After clause 8.2.2 of ISO 9001:2008 covers audit program considerations, it states that the audit criteria, scope, frequency, and methods must be defined. Clause 9.2 of ISO 9001:2015 clarifies this requirement by stating the audit program is to consider the audit frequency and methods. It states the criteria and scope are to be defined for each audit.

In addition to including the audit frequency and methods in the audit program, clause 9.2 adds new requirements to include responsibilities, planning requirements, and reporting in the audit program.

Clause 8.2.2 requires “corrections and corrective actions” to be taken without undue delay to eliminate detected nonconformities and their causes. This requirement has been reworded in clause 9.2 to take the “appropriate action” without undue delay. A new clause 10.1, Nonconformity and Corrective Action, requires the action to control and correct a nonconformity, as well as, deal with its consequences. It also requires evaluating the need to eliminate the causes of the nonconformity so it does not recur or occur elsewhere.

The draft standard no longer requires a documented internal audit procedure. It simply says to retain documented information as evidence of the implementation of the audit program and the audit results.

In addition, clause 9.2 no longer requires follow-up activities to verify the actions taken and the reporting of verification results. Instead, it will rely on the requirements expressed in clause 10.1, Nonconformity and Corrective Action, to retain evidence of the results of any corrective action and to review the effectiveness of the corrective action.

Other internal audit changes may be introduced in the interim DIS and FDIS versions, as well as, the final published version of the ISO 9001:2015 standard.