By Denise Robitaille
There are some organizations that I’ve audited whose internal audit schedules never change. Year in and year out, it’s always the same. Some companies don’t even bother to put together a schedule. They just have a line in their internal auditing procedure stating that they conduct an audit of the entire system once a year—or similar verbiage reflecting either lack of understanding or a cavalier disregard for the intent of the process.
There are requirements relative to planning the audit program found in both ISO 9001:2015 Quality Management system systems—Requirements and ISO 19011:2011 Guidelines for auditing management systems as well as in other texts on the subject.
I’d like to take a look at the internal audit requirements found in ISO 9001:2015 since it’s the premier quality management system standard and several sector-specific QMS standards are based upon it.
Here’s a summary of the requirements found in the newly released ISO 9001:2015.
It starts out by stating: “The organization shall conduct internal audits at planned intervals…”
This is the first part of the requirements. Stating that an organization conducts audits once a year may fit the most minimalist intent of the standard, but it really doesn’t reflect effective implementation of the concept of planned intervals. Plans generally have more detail than saying, “We’re going to do this once sometime during the year.”
Subclause 9.2.2 of ISO 9001:2015 goes on to say:
“…plan, establish, implement and maintain an audit program(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits…”
The audit has to be planned. And, there are three basic criteria that go into the decision-making process relative to frequency:
- The importance of processes
- The change affecting the organization
- The results of previous audits
Let’s take each of these criteria in turn.
The first one deals with the importance of processes. What could change in the organization that would warrant changing the audit schedule? The organization could have a design process that has lain dormant due to the production of legacy products. The only real work has been in minor design changes. The design program could be re-ignited as the organization decides to venture into new markets. This elevates the importance of the design process, especially since the output will be directly relevant to the strategic direction of the organization.
Similarly, with the introduction of a new product line involving new technology and reengineered processes, there would be a more-than-compelling reason to increase the frequency of audits for the manufacturing processes.
The second criterion deals with changes affecting the organization. The transition to the newest version of ISO 9001 is an obvious example of a change that affects the whole organization. Modifying your schedule to assess the implementation of newly introduced concepts could pay large dividends if gaps are found by internal auditors prior to the certification body coming in for the re-certification or transition audit. Other examples of changes could involve relocation, acquisition of another company, or a major re-organization of manufacturing cells.
Finally, frequency should be adjusted based upon the results of previous audits (including certification body, regulatory, and customer audits) or any other reports or corrective actions that suggest a heightened level of risk. For example, if a nonconformance was cited during the previous audit, there’s already a need to return to verify that corrective taken has been effective. It’s inappropriate to wait an entire year to see if the problem has been eliminated or ameliorated. So, an increased frequency is advisable. Conversely, an audit report might suggest that there has been substantial improvement in a process and a decreased frequency is warranted.
The bottom line is that things change and internal audit schedules should reflect that reality. By providing the flexibility inherent in periodically revisiting and revising the audit schedule, organizations increase the effectiveness of the process and the value of the results.
About the author
Denise Robitaille is the author of numerous books on various quality topics. She is an internationally recognized speaker who brings years of experience in business and industry to her work in the quality profession. Denise is an active member of U.S. TAG to ISO/TC 176, the committee responsible for updating the ISO 9000 family of standards. She is also an Exemplar Global-certified lead assessor, an ASQ Certified Quality Auditor, and a fellow of the ASQ.
Denise’s latest book The (Almost) Painless ISO 9001:2015 Transition will be published by Paton Professional in late December.
Denise – good article, touches on a lot of good areas. However, I think one thing is missing, and its as old as the standards themselves. Some companies (i.e. upper management) simply do not see value in the internal audits, and do not provide the resources (time) necessary for good audits. The company performs internal audits in a perfunctory manner, with emphasis on getting the audits done so that the auditors can go back to their real jobs. No doubt, some of this is simply my failure to persuade companies of the value of internal audits, but the problem occurs so often that I am sure there is more to it than that. I would be interested in any comments you have in this regard. Have you found a good line of reasoning to persuade companies to provide more management support for audits?
Thanks
Dave Moody
davemoody24@yahoo.com