ISO 9001 audit

"What a headache" - that's surely what every employee think to himself when they
receive the massage of an internal audit approaching. There is a reason why. They
know that someone is coming to poke their deeds... The internal audit chapter is
included under chapter 8.2 - Monitoring and measurement. So it is clear that the
purpose of the internal audit is to perform Monitoring and measurement within the
organization. Internal audits, sometimes called first-party, are conducted by, or on
behalf of, the organization itself for internal purposes and can form the basis for an
organization's self-declaration of conformity. The organization is required to conduct
the audits within scheduled time frames to ensure that the quality management system
is:

• Maintained according to the ISO 9001 Standard requirements

• Maintained according to the organization's requirements and audit's criteria

What are an audit's criteria? Set of policies, procedures or requirements used as a

reference.

We believe that in the end of the day the internal audit is actually an internal
inspection that the organization conducts upon itself. Within the organization
structure, it is hard for the top management to view of what is going on down the
organization. It's not enough to step down to the manufacture halls, logistic centers or
service centers and view the employees or the goods on the shelves. It is necessary to
sample processes and to examine whether they hold against pre defined criteria. Only
high resolution sampling can provide with the real organization's status. What are the
criterions? The ISO 9001 standard requirements, working procedures, quality plans,
quality objectives - the characteristics of the quality management system.

Since the internal audit topic is very serious and wide, we would not include it all in
one article. In this article we will focus with the ISO 9001 Standard requirements for
maintaining internal audit system with reference to the ISO 19011 Standard - a guide
line Standard for auditing quality or environmental systems. The Standard was
published in 2002 and besides outlining guideline for conducting audits, it also refer
to the auditor's skills and activities. Unfortunately, the ISO 9001 Standard sets
requirements but it does not guide us how to conduct an effective audit - one that
would not only apply the requirements but would also assist the organization. We
would deal with that in another article (we just can't give you all the secrets in one
article. Sorry. Company's policy).

The ISO 9001 requirements for internal audit interanl audit procedure

The ISO 9001 Standard requires that you maintain a documented procedure
describing the method for conducting an internal audit process. This is not a
recommendation but a requirement. The documented procedure must define:

• Who must conduct the audit - who is responsible for executing the internal
audit process.
 • What organizational units are under the scope - departments, specific
processes, activities, sites, function, etc.
• Describing the process itself - who meets with whom and where and what
should everybody bring with them.
• The supervision after the internal audit plan (don't get excited, we will go into
details soon). Where the audit's evidence are documented.

It is possible to add as annex the audit's plan and all sort of forms and documentation
regarding to the process.

The auditor

The auditor must be objective related to the organizational unit he is auditing. This is
a hard thing to achieve, when the quality manager is the auditor. Then he is part of the
organization. He will always conduct an audit to his colleagues (the ones he sits and
eats lunch with, drinks coffee or smokes a cigarette). Besides that, the auditor must be
skilled for conducting an audit and document the situation correctly. Remember, an
audit is an emotional event where the employees are examined about the quality of
their performance. The audit's approach is highly important for the audit's
progressing. Beside his personal approach, the audit must have a minimum
acquaintance with the field, in order to evaluate the processes and their quality beyond
the working procedures (the documented criteria). That kind of knowledge can give
him the ability and the consideration to evaluate the situation while he identifies any
nonconformities or faults. Within the ISO 19011 Standard there is a specification for
the auditor's qualities required:

• Ethics - credibility, integrity and honesty.

• Open minded - willing to listen, learn and accept new ideas.
• Diplomatic - polite with high manners to his colleagues - after all he is
working with people and he is the representative of the top management.
• Observer - owns the ability to recognize what he sees and understand without
interrogating.
• Perspective - owns the ability to evaluate situations beyond appearance and
with a wide systematic view of things - has the ability to understand the
organizational consequences of his evidence.
• Versatile - owns the ability to mobilize from one situation to another without
losing direction.
• Persistence - must be persistence with his objectives and to not stray away.
• Decisive - ready to make decision
• Independent - must have his own opinion of things and to not be influenced by
the environment.

We also recommend an infinitive patience. During the audits people would try
everything (but everything) to divert the auditor from the subject, from all sorts of
reasons: they want to conceal their activities, they are afraid or just don't like when
other people look through their draws. The auditor must remain patient and always
wait until his question is answered. Mostly the audit clients answer completely other
answers. Sometime things get out of hand and go into arguments and disputes. The
auditor must remain cool, patient - we are use to say "business as usual" - the audit
must make it clear; the audit is not for any arguments but a decision made by the top
management. The auditor has one objective - to present with the top management the
real status of the organization. He must not be concerned about time schedules as
well. This is merely a tool and not the objective.

The audit's program

The organization must maintain a documented program for conducting the audits. The
program must be documented according to the ISO 9001 requirement. This is not a
recommendation but a requirement! The purpose of this program is to ensure that the
audits are conducted as planned. So, first, you need a program. The ISO 9001
Standard requires performing the audits within scheduled and fixed time frames. This
requirement ensures that employees would know that the audit is a part of the quality
management system and not a momentarily capricious decision made by the top
management. It is recommended to publish the audit schedules. And for "surprise"
audits - you need to define the time frames, just don't publish them. The audits
program must cover:

• Quality plans for the products - For any requirement for product realization,
you must evaluate if it is performed as planned. The best way is to sample.
Pick the product, review its quality plan, and check whether the product was
realized according to the plan. Document the results then.
• The ISO 9001 Standard requirements -Including the documentation
requirements (customer complaints, purchasing information, CAPA, training,
etc). The examination must be conducted throughout the entire organizational
units which related to product realization or are under the quality managment
scope. Any unit must be examined at least once a year.
• Processes and procedures - the audit must evaluate whether the processes that
are related to the product realization are performed as required. It could be a
correlated with quality plans. But generally an audit must sample processes
and evaluate its performance.
• Quality objectives - the audit must examine whether the organization is
achieving his quality objectives. He evaluates the objectives - whether they are
related to the product and evaluates the results. Where he revealed that the
objectives are not fulfilled - he must be presented with reasons and measures.

It's not easy being an auditor. It also not so easy to maintain all of the above without
some help.

Audit's evidences and findings

At the end of the audit the auditor must deliver a specific report about the audits
evidences and findings. The report must specify:

• Who were the participants - it is recommended to document who participated

during the audit. The purpose is when top management would like to conduct
its inquiry - they would know to whom they must approach.
• The auditee - the organization or unit that were audited.
• General detail to shed light upon the auditee: how many workers, special
projects, special recent events - information that would support the evidences.
 • Reference to prior audits and prior findings - the auditor must verify that all
nonconformities that were revealed during the last audit are eliminated the
treatment was documented and most important, they are not repeated.
• The audits findings according to the evidences - that mean what the auditor
discovered and how is it referred to the criteria: good, requires improvement
action or requires corrective action (we would not deal in this article with
classification of findings). Actually this is the most important part of the
report. It specifies what the auditor saw, and how it was. The auditor must
document the evidences as accurate as possible.
• Recommendations - for every finding the audit may pay his recommendation.

A sum of all nonconformities discovered during the audit - the purpose for that is: To
gather all the nonconformities for the top management for review To trace the
corrective action for the next audit This sum will become a corrective action report -
but that is a whole different topic. Bear in mind - this report is designated for the top
management and the function that is responsible for the auditee. That report is a tool
for him to understand the status. Therefore it is recommended that the report would in
a format that is easy for him to understand.

Summary

• The purpose of the audit is to ensure that the quality management system is as
required by the ISO 9001 Standard and appropriately maintained.
• You are required to maintain a documented procedure specifying the process
of the internal audit.
• The auditor bears a lot of responsibility. Therefore he must be perspective to
the environment that he is auditing, must own the skills for evaluating and
examining, with a wide view of things.
• The auditor must be polite with high manners, be patient and persistent. The
audit is not an easy task to perform. The organization must maintain an audit
program. The purpose of the program is to ensure that the audits are conducted
as planned.
• At the end of the audit the auditor must deliver a specified report about the
audit. This report is designated to the function that is responsible for the
auditee.