ATOL Articles

ISO 9001 Clause 9.2 Internal Audit

Written by Jackie Stapleton | 26 May 2023 10:30:00 PM

This article covers clause 9.2 Internal audit. I am going to break this clause down and turn it into something you can all understand and implement in your own organization or industry. Keep reading and I will show you just how easy this is!

 

This clause starts off with sub-clause 9.2.1 stating:

The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:

a) conforms to:

1) the organization's own requirements for its quality management system;

2) the requirements of this International Standard;

b) is effectively implemented and maintained.

This subclause spells out what our internal audits should be conducted against, which is normally referred to as the criteria. Your planned audits should ensure that there are two criteria areas that you audit against, and will look something like this:

  • The 'criteria' level is ISO 9001;
  • The 'system' level is your own quality management system;
  • And the 'operations' level is where you can see it all in action.

We then move on to the second subclause, 9.2.2, which states that:

The organization shall:

a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;

Fantastic! It is pretty clear that we are required to develop an audit programme (sometimes referred to as an audit schedule). The audit programme should cover all of the audits planned over a period of time – normally within businesses you see this over a period of 12 months.

For myself, as a certification auditor, my audit programmes for clients are over three (3) years as this ties in with the 3-year certification cycle. It is up to the business to determine what timeframe the audit programme is developed for. The audit programme should include some key areas, which are:

  • frequency – so when are the audits conducted? Which months? Or weeks? And how often?
  • methods – this may include a reference to a procedure or a report template to be used for the audit
  • responsibilities – who is conducting which audits
  • planning requirements and reporting – again, this may reference a separate procedure that internal auditors are to follow when preparing, planning, conducting and reporting on an audit
  • taking into account risk - or as this clause says, take into consideration the importance of the processes concerned and changes affecting the organization.

This audit programme might have the organization's processes and activities listed and when they are to be audited and by whom.

A major part of this is determining which procedures should be audited first or more often as they are high risk. This could be new procedures or procedures related to a new process or location or product.

You can see that this audit programme should be a risk-based tool that you use to monitor key parts of the business with a focus on the high-risk areas. It is more important to conduct audits on areas of higher risk than auditing absolutely everything, even the areas that are low-risk and have never had any issues or changes.

And then finally, when developing your audit programme, you should consider:

  • the results of previous audits. If there were nonconformances raised in an audit this month for example, then this should prompt a review of the audit programme, to ensure that this process or area that attracted the nonconformance is included in the audit cycle again. This ensures that high-risk areas (those that have had previous nonconformances) are picked up and reviewed or revisited sooner, rather than later.

Make sure that your audit programme is a living, breathing tool that you use to benefit your business.

Before I move on to point b) I want to skip ahead to the final point which states to:

f) retain documented information as evidence of the implementation of the audit programme and the audit results.

This clause requirement confirms that we need a documented audit programme – it can’t just be in your head. So everything I have talked about so far regarding an audit programme needs to be in documented form, whether it’s hard copy, electronic, or a software programme.

Then we also require documented information to be retained as evidence of the audit results. This means we need to see documented evidence (which is what retain means) of the outcomes of the audits conducted. This could be as simple as an audit report, which you need to ensure covers what is required by point:

b) define the audit criteria and scope for each audit.

In your audit report you would include a field to document the audit criteria, which is WHAT you are auditing against, which could be a particular ISO clause or even a specific activity or procedure, and then also include a field for the scope of the audit. The scope of the audit is the extent and boundaries. So, this could be specific locations, activities, departments, and so on.

Then finally we have points:

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
e) take appropriate correction and corrective actions without undue delay.

To summarise these three final points:

  • Don’t audit your own work. If you generate the evidence within the scope of the audit, then you shouldn’t be auditing that area. You need to ensure that another auditor, who is impartial and has no conflict of interest, is assigned to that audit in your audit programme.
  • Once you have completed your audit report, ensure that it is provided to the management within the business that is relevant to the scope of the audit conducted.
  • Finally, ensure that you follow your corrective action process when nonconformances are identified as a result of the audit. To understand what is required for your nonconformance and corrective action process, be sure to refer to the videos for clauses 8.7 and 10.2.

Now that you have a better understanding of these requirements, it's time to take action and implement them in your own organization and ISO 9001 quality management systems.
