ISO 9001:2015, Clause 9.2

This article provides a summary of the Internal Audit requirements as stated in the recently published Draft International Standard (DIS) version of ISO 9001:2015. The DIS internal audit differences from ISO 9001:2008 are also identified.

ISO/DIS 9001:2015 Summary

9.2 Internal Audit
9.2.1

Conduct internal audits at planned intervals to provide information on whether the quality management system:

  • Conforms to the organization’s own requirements
  • Conforms to the requirements of ISO 9001
  • Is effectively implemented and maintained

9.2.2

The organization must:

  • Plan, establish, implement, and maintain the audit program
  • Include frequency, methods, and responsibilities
  • Include planning requirements and reporting
  • Consider quality objectives and importance of concerned processes
  • Consider customer feedback and changes impacting the organization
  • Consider the results of previous audits
  • Define audit criteria and scope for each audit
  • Select auditors and conduct audits for impartial and objective audit process
  • Ensure results of audits are reported to relevant management
  • Take necessary correction and corrective actions without undue delay
  • Retain evidence of audit program implementation and audit results


Changes from ISO 9001:2008

1. Clause Numbers

The Internal Audit requirements of the draft standard are now stated in clause 9.2, instead of clause 8.2.2 as in ISO 9001:2008. The draft standard has adopted the new clause structure required for all new and revised management system standards, which places Internal Audit under clause 9, Performance Evaluation.

1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning for the quality management system
7. Support
8. Operation
9. Performance evaluation
10. Improvement

The DIS changed clause 6 from “Planning”, as identified in the earlier Committee Draft, to “Planning for the quality management system”.

2. Planned Arrangements

Internal audits must still be conducted at planned intervals to see if the quality management system conforms to the organization’s requirements and those of the ISO 9001 standard.

However, the additional requirement to determine conformity with “planned arrangements” has been dropped. It was not really needed in ISO 9001:2008, since planned arrangements are addressed as organizational requirements.

3. Planning the Audit Program

The draft standard has added to the current requirement to plan the audit program, by stating it must also be established, implemented, and maintained. In addition to including audit frequency and methods in the audit program, clause 9.2.2 adds new requirements for including responsibilities, planning requirements, and reporting.

4. Planning Considerations

The draft standard still requires the audit program to consider the importance of the processes to be audited and the results of prior audits. This planning has been expanded to also consider quality objectives, customer feedback, and changes impacting the organization. The requirement to consider the “status” of the processes to be audited has been dropped since it will addressed by these new considerations.

5. Planning Each Audit

After requiring the audit program to be planned, clause 8.2.2 of ISO 9001:2008 states the audit criteria, scope, frequency, and methods must be defined. This placement of the requirement caused it to be unclear. Clause 9.2.2 of the draft standard clarifies this requirement by stating the audit frequency and methods are considered in planning the overall “audit program”. It states the audit criteria and scope are to be defined for “each audit”.

6. Audit Reporting

Clause 8.2.2 of ISO 9001:2008 requires the reporting of audit results be addressed in the documented internal audit procedure. There is no longer a requirement for a documented procedure, so the draft standard adds a requirement to ensure the results of audits are reported to relevant management.

7. Correction and Corrective Action

Clause 8.2.2 of ISO 9001:2008 requires the necessary corrections and corrective actions to be taken without undue delay to eliminate detected nonconformities and their causes. The phrase to “eliminate detected nonconformities and their causes” has been removed from the draft standard.

The new clause 10.1, Nonconformity and Corrective Action, requires action to control and correct a nonconformity, as well as, deal with its consequences. It also requires evaluating the need to eliminate the causes of the nonconformity so it does not recur, or occur elsewhere.

8. Evidence of Audit Program and Audit Results

The draft standard has reworded the requirement to keep records of audits and their results. The word “records” has been replaced by “documented information”, the new term used to refer to documents or records.  It also adds that documented information is retained as “evidence” for both audit program implementation and audit results.

9. Not Audit Own Work

The draft standard has dropped the specific requirement that auditors “not audit their own work”. It continues to require that auditors be selected, and audits be conducted, to ensure an impartial and objective audit process.

10. Documented Procedure

The draft standard no longer requires a documented internal audit procedure. It simply says to retain documented information as evidence of the implementation of the audit program and the audit results. Most organizations will likely choose to still document their audit process.

11. Audit Follow-Up

The draft standard no longer requires follow-up activities to verify the actions taken and the reporting of verification results. Instead, it will rely on the requirements expressed in clause 10.1, Nonconformity and Corrective Action, to retain evidence of the results of any corrective action and to review the effectiveness of the corrective action.

Further internal audit changes may be introduced in the FDIS version, as well as, the final published version of the ISO 9001:2015 standard.