Key Steps in Implementing ISO 9001 Step 5: Internal Audits
The basic premise behind ISO 9001:2008 is the “Plan, Do, Check, Act Cycle” (PDCA), attributed to two “grandfathers” of modern Quality, Drs. Demming and Shewhart. In previous newsletter articles, we’ve taken a look at the “Plan” and “Do”Phases of implementing an ISO 9001-based Quality Management System. This article, takes a look at the “Check” phase, which is represented by the Internal Audits of the Management System.
The Auditor Is Here to Help!
Organizations are generally familiar with financial, customer or regulatory audits and there are many myths and legends which surround them. These types of audits have, historically speaking, been viewed in a somewhat unfavorable light, causing people to even make jokes about them:
“What are the 3 lies of auditing? The Auditor says, “I’m here to help you”, the Organization says “We’re happy to have you here”. Then, when the Audit is over and the Auditor is leaving, the Organization says “Come back soon!”
The good news is that Internal Quality Audits of the Quality Management System, as required by section 8.2.2 of ISO 9001:2008, are required to be performed for a very different purpose to those “external” audits. Fortunately for organizations coming new to ISO 9001 implementation, there’s a whole ISO document devoted to guidance on the subject of Quality and Environmental Systems Audits and Auditing: – ISO 19011.
Furthermore, (RABQSA) accredited auditor training, available in the USA, is usually modeled after the guidance outlined in the ISO 19011 standard.
You Can Run, But You Can’t Hide!
Since ISO 9001 was originally written before the advent of Registrar or Certification Body Compliance Audits, the inclusion of the Internal Audit requirement must have had a purpose other than the organization preparing for and maintaining Certification. The organization has to do them, whether certified or not, to remain in compliance. So, what was the purpose of including them? A look at the glossary section of ISO 19011 shows an audit to be defined thus:
3.1 Audit
systematic, independent and documented process for obtaining audit evidence (3.3) and evaluating it objectively to determine the extent to which audit criteria (3.2) are fulfilled
To help us we also need two other definitions:
3.2 Audit Criteria
set of policies, procedures, or requirements.
3.3 Audit Evidence
records, statements of fact or other information, which are relevant to the audit criteria (3.2) and verifiable
We can take it therefore, that Internal Audits are there (in part) to report on whether the Quality Management System:
- Is implemented as defined by the organization’s policies, procedures or other QMS documentation, and/or other requirements, which may include meeting:
- Customer needs and expectations
- Regulatory requirements
- Managements’ requirements (other than the QMS) such as qualityobjectives, process performance targets, product performance, etc.
- ISO 9001 requirements.
However, the ability of the Quality Management System to ‘deliver’ to these requirements can also be indicated through the (typical) process and product measurements that ISO 9001 also requires including:
- Customer Feedback, including complaints
- Non-conforming product data
- “First time through” data
- Overall Equipment Efficiency (OEE)
- Inventory Turns
- Lead Time/Time to Market
So, why would Internal Audits be important, when so much performance data is already available? The key word in the glossary definition which gives most weight to the need for Internal Audits is ‘independent’.
Since the organization’s management will have performance data, the idea of anindependent verification of the achievement of those results becomes a powerful tool. Just as a financial audit confirms what the organization claims it is worth in terms of assets, work in progress, etc., so a Quality Management System Internal Audit can confirm that the performance results were achieved through its people implementing the Quality Management System. Internal Audit reports become very helpful when considered as a key input to the “Management Review” of the QMS.
Consider this Management Review Presentation scenario:
Process Owner |
Process Results |
Audit Findings |
Action Required |
Process A | Meets Objectives | People following defined process | Process Improvement |
Process B | Meets objectives | People NOT following defined process | Improve process in line with practice |
Process C | Doesn’t meet objectives | People following defined process | Corrective action |
Process D | Doesn’t meet objectives | People NOT following defined process | Corrective action |
By using Internal Audits in this way, it can be seen as a valuable tool to assist with Management’s approach to Continual Improvement, by focusing on the role the Quality System has in achieving results, rather than simple compliance with ‘ISO’ requirements. Audit results can, therefore, play a key part in feeding the next and final part of the ‘P,D,C,A’ Cycle; that is the need for Action, taken to improve product and process. This will be covered in a later Newsletter article.
The next issue, we’ll take a closer look at when Internal Audits should be performed, to get the most benefit from them.
Author: Andy Nichols