INTERNAL AUDIT OF QUALITY MANAGEMENT SYSTEM
K. R. Singhal
Conducting an internal audit is a vital tool for assessing an organization’s quality management system. By conducting internal audits, the organization gathers information from a variety of sources in a planned way. The purpose of an internal audit is to answer the following questions:
- Does the quality management system of the organization conform to the planning of product realization carried out in the organization?
- Does the quality management system of the organization conform to the requirements of the ISO 9001:2008 QMS Standard?
- Does the quality management system of the organization conform to the quality management system requirements established by the organization?
- Is the quality management system of the organization effectively implemented and maintained?
An internal audit is a tool to monitor and determine the health of the quality management system of the organization. A properly conducted audit benefits the organization, and we need to conduct value-added internal audits that are useful to the organization, the auditee department, the management representative and top management.
Clause 8.2.2 of the ISO 9001:2008 QMS Standard deals with internal audit requirements. Under the ISO 9001:2008 QMS Standard, an organization needs to conduct internal audits at planned intervals. An audit process should include the following aspects:
- Planning the internal audit, such as planning of the audit schedule, assignment of auditors, auditee area, scope of audit, status and importance of processes, and results of previous audits.
- Examining and reviewing the quality management system documentation of the organization.
- Examining and reviewing other relevant information of the organization, such as production reports, failure trends, customer complaints, customer survey reports etc.
- Examining and reviewing the quality management system procedures and processes by visiting the audit area, interviewing relevant personnel and observing relevant processes.
- Reporting the internal audit results (including corrective action requests from auditors).
- Verifying corrective actions taken.
An organization should have a documented procedure for conducting internal audits that defines and describes the following aspects:
- Audit criteria
- Scope of the audit
- Frequency of audit
- Audit methods
- Responsibilities and requirements for planning and conducting internal audit
- Relevant audit records (including results of audit) to be established and maintained
- Reporting results of the audit.
Chandrakant Agrawal, Manager (Risk and Compliance team), points out the following to add to the value of internal audit:
(i) One more item that would be added is usage of a checklist as a tool to make sure all aspects are covered. Also, focus on documentation and continuous improvement should be there.
(ii) The Corrective action log would be the most valuable source to support the focus on Quality from the team's perspective.
(iii) The team's awareness of policies and procedures and the feel of Quality should also be part of the audit process.
(iv) Sharing of Best practices should also be an output of the audit so that all involved are benefited.
Internal Audits
An audit is simply another form of inspection and testing – except that in this case the product being inspected is the management system itself.
Like a product inspection, an audit simply compares how things actually are, to how we think they are and how they ought to be.
Audits help uncover areas that are in need of attention, and they can be an opportunity to draw back from the day-to-day details and to take a look at the whole process with fresh eyes. Despite being such a (potentially) positive tool in the management system toolkit, audits often induce the same kind of stress as end-of-year exams!
Obviously a great deal rides on a successful external audit so some anxiety is expected. However, a good Internal Audit process can reduce the stress, since you can uncover the problems yourself and resolve them before the external auditor begins.
We suggest you enrol in a professional development course before jumping into the role of Auditor. An alternative is to use an external consultant to perform your internal audits for you.
Quality, safety and environmental management standards all require audits to monitor and report on the effectiveness of the management system. This process is also one of the six documented procedures required by ISO 9001:2008.
A documented procedure shall be established to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results.
What does an internal audit process look like?
Plan your Audit Programme
Internal Audits need to be scheduled at planned intervals to check that the quality system conforms to requirements and that the system is effective. ‘Requirements’ include the standard itself, as well as the company’s own requirements (i.e., its own procedures and policies).
You don’t need to audit every process all at one time. The External Audit may be like this, but internal audits can be spread out with different processes audited at different times – a series of ‘mini-audits’.
The standard does not set out a required audit frequency. Instead, it recommends that you consider how important the processes are, their risks, their prior history of problems, and also your quality objectives. With a series of ‘mini-audits’ you can set different audit frequencies for different processes.
If you are implementing a new management system, we recommend that you should have audited all the processes identified in your management system at least once prior to the initial Certification Audit.
Work out who will audit.
An auditor should be objective and impartial. You cannot audit processes that you manage / control yourself. This means you will need to have at least two internal auditors trained and available. However, due to lack of resources, or sometimes with the crossover of responsibilities that is common in small businesses, having two impartial auditors may not be possible. In this case, you may need to consider using an external resource.
Large organisations may use a team of auditors.
Define the requirements for each audit.
The plan already identifies the area you will audit; now you need to define what criteria you will audit against. Sometimes this takes the form of a formal checklist with a pre-determined list of questions. You can also use a copy of the procedure being audited and mark this up with questions and points to verify. You’ll need to identify what records should be checked to verify the process.
Any previous findings or issues related to the audit area should also be checked.
Even with pre-defined questions, an auditor will still need to ‘follow their nose’ if something is not quite right.
You can define the criteria for the audit prior to each audit rather than having to set this up at the planning stage.
These requirements (checklists, documents, records, etc.) should be communicated to the auditee some time prior to the actual audit taking place. (Specify the time in your audit procedure – a week is reasonable.)
Conduct the audit
An audit usually starts with an opening meeting where the auditor meets the auditee(s), sets the expected timetable and outlines how the audit will be conducted.
During the audit, the auditor will work systematically through the checklist or procedure, examining evidence that the process meets the criteria. It’s common to mark up the checklist with notes and a quick finding result, e.g.,
- C = compliant
- NI = needs improvement
- NC = non-conformance
When recording the audit, it is important to write down exactly what evidence was examined to establish the finding – regardless of the finding. E.g., when auditing employee training records, the auditor writes:
(Note that the date is an important part of the evidence).
Usually the auditor will discuss the finding with the auditee before recording it. This is to ensure the finding is understood and to confirm there is actually a problem, e.g. the auditee above may reveal that Joe Bloggs’ personnel folder includes a separate safety briefing record with the required signature. This can sometimes negate the finding, or just change it – i.e. the signature is there, but it is not following the procedure. In this example, the consequences of not following the procedure are minor and the audit finding should reflect that.
The audit will finish with a closing meeting where the lead auditor gives an overall summary of the audit and discusses each audit finding to ensure they are understood.
Document the Audit findings
An external certification auditor will submit a formal written report on the audit to management several days later and it’s common for an internal auditor to do the same. However, there’s no requirement in the standard for a formal audit report. You simply need to ensure the findings are recorded and communicated to management. You could just record the findings and their details in your non-conformance form & register (or as an ‘Issue’ in QSToolbox).
You will need to retain records of the audit which will typically include:
- Completed Audit Checklists and/or marked up procedures
- Notes on objective evidence examined, and personnel interviewed
- Audit Findings (cross referenced to your Nonconformance Register)
- Audit Report
Findings raised at both Internal and External Audits need to be addressed with corrective actions. If the audit reveals that we don’t do as we say, then we either change what we do, or change what we say…
At the next audit, the auditor will verify that the corrective actions taken were effective in bringing the management system into compliance.
- Documented Quality System Audit
  - Onsite audit of QMS
- Certification Audit
  - Sample of business processes
- Process Audit
  - Optional
- Final Certification Audit
  - Determines system’s effective implementation
- Continual Certification Audits
  - After certification
  - Ensure continued implementation
- Documented Quality System Audit – an on-site audit of the QMS compared to the set ISO standards.
- Certification Audit – during the course of all of the audits, everything included in the ISO 9000:2008 standard will be evaluated multiple times to become certified. Then, in three-year cycles, all of the processes in the organization will be audited so as to keep the certification current.
- Process Audit – this audit is generally optional. It is an audit focused on a set of processes within the organization chosen by the organization to make sure procedures and specifications are adhered to during production or service activities. (This is in addition to the processes audited in the certification audit.) Because this audit is optional, it may be a good way for the organization to see the registrar’s style of auditing.
- Final Certification Audit – the process of audits will lead to continued improvement in the organization and a refinement of the QMS until it meets the ISO 9000:2008 standards. Once the documented QMS has met these standards, the registrar conducts a final audit to determine the system’s effective implementation.
- Continual certification audits – once the organization has completed all of the audits and is ISO 9000:2008 certified, it does not mean that everything is complete. The organization will continue to be audited on a set schedule (usually every six or twelve months) to make sure that the QMS continues to be in compliance with the ISO standards.
Managing Your Registrar's Audit
Tips for Success
by Scott Dawson
The purpose of the registrar's audit is to assess the effectiveness of your Quality Management System (QMS) by evaluating evidence of its performance. Their goal is to determine conformance of your QMS to ISO 9001:2008 and your own internal requirements.
Some examples of evidence during an audit include:
- Documentation - what you say you do
- Records - what you say you did
- Interviews - how you explain what you do
- Observations - how you show what you do
The auditors will record all evidence of conformances and nonconformances found. During the audit, they are not looking for nonconformances per se but they will review evidence of nonconformance when it is found during the audit. If they find evidence of a nonconformance they will note the details and likely look more closely at the issue in question to ensure there is an actual nonconformance. If confirmed, this will result in a finding.
Audit findings can result in one of three levels of nonconformance, each requiring a different response:
1. Major Nonconformance - a neglect to implement a significant requirement in the ISO standard (e.g. no working internal audit program). ISO certification cannot be granted until after the discrepancy is resolved and possibly re-audited.
2. Minor Nonconformance - a single incident of nonconformance to ISO or internal requirements that does not indicate a complete breakdown of the system, but only an isolated occurrence (e.g. an incomplete management review). This will normally require submission of a corrective action plan to eliminate the nonconformance.
3. Observation - an incidental discrepancy or an opportunity for improvement noted during the audit (e.g. a document numbering scheme that is confusing or overly complicated). This does not require a formal response to the audit but you may choose to implement the recommendation at your discretion.
Following the audit, you will be given a period of time to respond to nonconformances (typically 30 days). This usually requires completion of a Corrective Action form from the registrar and may require including an example of a corrected document or other appropriate evidence.
Preparing for the Registrar's Audit
- Any employee may be audited so every employee must be prepared.
- Notify all staff of the dates of the upcoming audit.
- All employees should be prepared to:
  - Discuss the quality policy and quality objectives (not quoted verbatim but generally understood).
  - Show procedures, work instructions and records that pertain to their job.
  - Answer the auditors' questions if asked.
- Be sure that your internal audit and management review have been completed and that corrective actions have been issued for all nonconformances.
The Opening Meeting
- Invite several key staff to the opening meeting. This should include department heads and other key individuals. You may want to invite the same group to the closing meeting.
- The auditors will have a prepared introduction to the audit to review the audit scope and objectives.
- The top manager of your organization should offer a "welcome" and introduction stressing the organization's commitment to ISO, reminding all staff to participate fully in the audit if called upon and that this is an opportunity to learn.
- Review the audit schedule and request changes to accommodate staff availability and other potential conflicts. Notify all departments of the audit schedule, keeping in mind that the schedule may change as the audit progresses.
- Discuss the time and arrangements for lunch. You would normally be expected to provide lunch and should plan to join the auditors for lunch. This is a good time to get to know your auditors and build the relationship.
- Ask questions on anything you don't understand.
During the Audit
- Accompany the auditors at all times. It is often best if this is the Management Representative or Internal Auditors.
- Take notes of all actual and potential nonconformances. Use these notes when the auditors are reviewing their findings at the end of the audit.
- Help the auditors determine who to speak to during the audit.
- Offer clarification for the auditors and auditees during the audit, as appropriate.
- Do not let the auditors look for documents or records on their own. The auditee should locate and present what is requested.
- If the audit spans more than one day, ask for a short debrief meeting at the end of each audit day to discuss what was seen that day. This will give you a chance to understand any concerns the auditors have with what was found and possibly give you a chance to explain further to avoid a nonconformance.
- If something is found that can be fixed quickly before the audit is complete, you can sometimes present the fix to the auditors and avoid a nonconformance.
- The auditors should not offer their own opinion about how you run your organization. Their findings and discussions should be limited to the documented requirements in ISO and your internal documentation. If you believe something is being suggested that is outside of the audit scope, you can ask, "Where does it say in the standard that your suggestion is required?"
- If you have not closed a corrective action from an internal audit finding before the registrar's audit and the same issue is found, you should produce the issued corrective action from your audit for review by the registrar. This might avoid a nonconformance finding by the registrar because you are showing that your internal process is working.
- It is normal for auditors to find nonconformances during an audit and rare that none are found. This is often because of the higher level of skill and experience they have in auditing and the "fresh set of eyes" they bring to the process.
The Closing Meeting
- The auditors will need an hour or two of private time to prepare for the closing meeting. You should provide a work area or room for them to work.
- The auditors will have a prepared summary of their findings to review during the closing meeting that will include positive things found as well as nonconformances.
- All nonconformances will be formally documented on a Corrective Action form.
- Follow your notes taken during the audit as the registrar's report is given. If there are details they overlooked or misunderstood, you can offer clarification during the meeting.
- If it is not clear what exactly is discrepant in your system vs. the ISO standard, ask for clarification.
If You Disagree with a Finding
- During the closing meeting, you should discuss any nonconformances reported by the auditors that you do not believe are accurate. This might include something that the auditors misunderstood during the audit, or a case where they did not see all of the available evidence. Keep in mind that this is not your last chance to address a finding you do not agree with.
- You may discuss findings you do not agree with or understand, but avoid arguing with the auditors.
- Occasionally, auditors may include a "suggestion" as a nonconformance rather than an observation. A suggestion is something that might improve a process or simplify something, but is not out of compliance with a documented requirement, whether an ISO requirement or an internal requirement. In this case, you may be able to convince the auditors to change the nonconformance to an observation.
Following the Audit
- It is suggested that you communicate with all auditees and perhaps all employees the results of the audit, thanking everyone for their participation and reassuring them that nonconformances (if any) will be responded to appropriately.
- Keep in mind that a nonconformance, even if major, is not the end of the world. You will always be given a chance to correct anything that is found.
Responding to Corrective Action Requests
- Once the auditors leave you should review each Corrective Action request and determine the proper response. Evaluate each one based on its value and relevance to your organization.
- Keep in mind that the corrective action you take is up to you. You might decide to change a documented requirement (if it doesn't conflict with an ISO requirement) and avoid the discrepancy altogether. You might decide to retrain staff. You might need to rearrange a work area. But avoid actions that seem to only satisfy the audit but add no value to your organization.
- Call the registrar if questions arise while you are developing your response.
- Respond to the Corrective Action requests within the required deadline.
- Every registrar has an "appeal" process you can use if you simply do not agree with a finding and find it inappropriate.