ISO 9001:2015, 9.2

This article provides a summary of the Internal Audit requirements as stated in the new ISO 9001:2015 standard. The internal audit differences from ISO 9001:2008 are identified.

9.2 Internal Audit

9.2.1 Conduct internal audits at planned intervals to provide information on whether the quality management system (QMS):

  • Conforms to the organization’s own requirements for its QMS
  • Conforms to the requirements of this international standard (ISO 9001)
  • Is effectively implemented and maintained

9.2.2 The organization must:

  • Plan, establish, implement, and maintain the audit program
  • Include frequency, methods, and responsibilities
  • Include planning requirements and reporting
  • Consider importance of processes concerned
  • Consider changes impacting the organization
  • Consider the results of previous audits
  • Define audit criteria and scope for each audit
  • Select auditors and conduct audits for impartial and objective audit process
  • Ensure results of audits are reported to relevant management
  • Take necessary correction and corrective actions without undue delay
  • Retain evidence of audit program implementation and audit results

Changes from ISO 9001:2008

1. Clause Numbers

The Internal Audit requirements of the draft standard are now stated in clause 9.2, instead of clause 8.2.2 as in ISO 9001:2008. The new standard has adopted the new Annex SL clause structure required for all new and revised management system standards, which places Internal Audit under clause 9, Performance Evaluation.

2. Planned Arrangements

Internal audits must still be conducted at planned intervals to see if the quality management system conforms to the organization’s requirements and those of the ISO 9001 standard. However, the additional requirement to determine conformity with “planned arrangements” has been dropped. It was not really needed in ISO 9001:2008, since planned arrangements are addressed as organizational requirements.

3. Planning the Audit Program

The new standard has added to the current requirement to plan the audit program, by stating it must also be established, implemented, and maintained. In addition to including audit frequency and methods in the audit program, clause 9.2.2 adds new requirements for including responsibilities, planning requirements, and reporting.

4. Planning Considerations

The new standard still requires the audit program to consider the importance of the processes to be audited and the results of prior audits. This planning has been expanded to also consider any changes affecting the organization.

5. Planning Each Audit

After requiring the audit program to be planned, clause 8.2.2 of ISO 9001:2008 states the audit criteria, scope, frequency, and methods must be defined. This placement of the requirement caused it to be unclear. Clause 9.2.2 of the new standard clarifies this requirement by stating the audit frequency and methods are considered in planning the overall “audit program”. It states the audit criteria and scope are to be defined for “each audit”.

6. Audit Reporting

Clause 8.2.2 of ISO 9001:2008 requires the reporting of audit results be addressed in the documented internal audit procedure. There is no longer a requirement for a documented procedure, so the new standard adds a requirement to ensure the results of audits are reported to relevant management.

7. Correction and Corrective Action

Clause 8.2.2 of ISO 9001:2008 requires the necessary corrections and corrective actions to be taken without undue delay to eliminate detected nonconformities and their causes. The phrase to “eliminate detected nonconformities and their causes” has been removed from the new standard.

The new clause 10.2, Nonconformity and Corrective Action, requires action to control and correct a nonconformity, as well as, deal with its consequences. It also requires evaluating the need to eliminate the causes of the nonconformity so it does not recur, or occur elsewhere.

8. Evidence of Audit Program and Audit Results

The new standard has reworded the requirement to keep records of audits and their results. The word “records” has been replaced by “documented information”, the new term used to refer to documents or records. It also adds that documented information is retained as “evidence” for both audit program implementation and the audit results.

9. Not Audit Own Work

The new standard has dropped the specific requirement that auditors “not audit their own work”. It continues to require that auditors be selected, and audits be conducted, to ensure an impartial and objective audit process.

10. Documented Procedure

The new standard no longer requires a documented internal audit procedure. It simply says to retain documented information as evidence of the implementation of the audit program and the audit results. Most organizations will likely choose to still document their audit process.

11. Audit Follow-Up The new standard no longer requires follow-up activities to verify the actions taken and the reporting of verification results. Instead, it will rely on the requirements expressed in clause 10.2, Nonconformity and Corrective Action, to retain evidence of the results of any corrective action and to review the effectiveness of the corrective action.