Management system guidance
9.0 Performance Evaluation
ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.
9.2 Internal audit
Internal Audit Programme
During the early stages of implementing ISO 9001:2015, or any other management system standard, the internal audit programme often focuses on ensuring that any compliance issues or non-conformities are discovered and rectified prior to the Certification Body assessment. However, once your organization becomes certified, the audit programme must evolve.
The focus of the internal audit programme should be re-directed, away from 'clause-based' compliance with ISO 9001:2015, to an audit strategy that considers the 'status and importance' of each process comprising the quality management system. This is one of the most disregarded aspects of ISO 9001:2015.
If your current internal audit programme has been developed on an annual calendar that merely forecasts which aspects of your quality management system are going to be audited, you should stop!
Begin programming your internal audits by basing the audit frequency upon current process performance data, feedback from customers, etc., to ensure that you are focusing on the risks and issues that are, or should be, on Top management's radar.
When designing the audit programme you should ensure that customer feedback, organizational changes and risks and opportunities are brought into consideration. You should consider process importance as the degree of direct impact that process performance has on customer satisfaction; i.e. could the process provide the customer with a defective product?
You should consider process status in terms of maturity and stability; a more established, proven process will be audited less frequently than a newly implemented or recently modified one. Conversely, processes which are not performing to the planned arrangements should be audited more frequently.
Support processes should be given a lower ranking than the manufacturing/service provision processes. In addition, the results of previous audits should be considered too. Processes that have been audited recently and have shown effectiveness and improvement should be audited less frequently.
The audit frequency depends on the criticality of each process and the perceived need to audit, but all processes and areas are audited at least once every two years. Critical processes generally interact with the customer directly and are therefore audited annually, every six months, or more regularly as required.
Internal audit programmes that are based on risk and customer feedback will help your organization to embark upon new methods of compliance in which risk-based thinking and continual improvement are the drivers, rather than something done simply for compliance.
Improving the internal audit programme in this manner will help to ensure corrective actions are regarded as important to process results and that management reviews of the quality management system become an integral way of managing risk. When applying risk-based thinking to select internal audits and their frequency, consider the following:
- Processes that are critical to product and service quality
- Complex processes that require close monitoring and control to ensure conformity
- Balance across operational and non-operational processes
- Processes that utilize qualified personnel
- Activities or processes that occur across multiple locations
- Processes impacted by human factors
- Introduction of new or changed processes
- Changes affecting the organization
- Statutory and regulatory issues
- Process performance, e.g. process conformity/non-conformity, escapes to the customer, complaints, previous internal/external audit results, identified risk (see 6.1 and 8.1)
Types of internal audit
The internal audit checklist is just one of the many tools which are available from the auditor’s toolbox that help ensure your audits address the necessary requirements. The checklist stands as a reference point before, during and after the audit, and will provide the following benefits:
- Ensures the audit is conducted systematically;
- Promotes audit planning;
- Ensures a consistent audit approach;
- Actively supports your organization’s audit process;
- Provides a repository for notes collected during the audit process;
- Ensures uniformity in the performance of different auditors;
- Provides reference to objective evidence.
We have provided you with three different audit checklists and each checklist allows you to determine the extent to which your management system conforms to the requirements by determining whether those requirements have been effectively implemented and maintained.
Within the sphere of internal auditing there are a number of methods for undertaking internal audits. The gap analysis will likely be your first ISO 9001:2015 audit. The Gap Analysis Checklist highlights the new requirements contained in ISO 9001:2015 but it is not intended to cover all of the requirements from ISO 9001:2015 comprehensively.
The unique knowledge obtained about the status of your existing quality management system will be a key driver of the subsequent implementation approach. Armed with this knowledge, you can establish accurate budgets, timelines and expectations which are proportional to the state of your current management system when directly compared to the requirements of the standards.
The results of a gap analysis exercise will help to determine the differences, or gaps, between your existing management system and the requirements of ISO 9001:2015. Not only will the analysis template help you to identify the gaps, it will also allow you to recommend how those gaps should be filled.
The gap analysis output also provides a valuable baseline for the implementation process as a whole and for measuring progress. Try to understand each business process in the context of each of the requirements by comparing different activities and processes with what the standard requires.
At the end of this activity you will have a list of activities and processes that comply and ones that do not comply. The latter list now becomes the target of your implementation plan.
System audits are commonly referred to as ‘first-party audits’ and are conducted by an organization to determine compliance with a set of audit criteria in the form of requirements that arise from standards like ISO 9001:2015, as well as customer or regulatory requirements.
The system audits are best undertaken using the Internal Audit Checklist. This type of audit focuses on the quality management system as a whole, and compares the planning activities and broad system requirements to ensure that each clause or requirement has been implemented.
The adoption of the ‘process approach’ is mandated by ISO 9001:2015 and is one of the most important concepts relating to quality management systems. Process auditing is about auditing your organization’s processes and their interactions, which together comprise the quality management system.
The process audit provides assurance that the processes have been implemented as planned and provides information on the ability of the process to produce a quality output.
Using the Internal Audit Checklist to undertake a clause-by-clause audit works very effectively for the initial audits in preparation for implementation, gap analysis or certification. However, once your management system is implemented, your organization is expected to develop a process approach to its auditing programme.
Use the Process Audit Template for conducting an in-depth analysis to verify that the individual processes comprising the management system are performing and producing outputs in accordance with the planned outcomes.
The process audit also identifies any opportunities for improvement and possible corrective actions. Process audits are used to concentrate on any special, vulnerable, new or high-risk processes.
The process approach is one of the core quality management principles, which is defined as ‘consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system’.
A process is a set of interrelated activities that transform inputs, such as materials, customer requirements and labor, via a series of activities into outputs, such as a finished product or service. Various stages of the process must meet various applicable clauses of the standard. There are six characteristics to look out for when auditing a process:
- Does the process have an owner?
- Is the process defined?
- Is the process documented?
- Are links between other processes established?
- Are processes and their links monitored?
- Are records maintained?
As part of the process approach, the process audits must be scheduled according to the processes defined by your management system. The audit schedule should not be based on the clauses of the standard, but it should instead be based upon the importance and criticality of the process itself. The process approach to auditing should cover three vital stages:
- Preparing for the audit (desk review);
- Auditing the process and its linkages;
- Preparing the summary and audit report.
An audit of each process should be conducted at planned intervals to determine whether the process conforms to planned arrangements and is properly implemented and maintained, and to provide process performance information to top management.
Effective process auditing requires the auditor to identify and record audit trails that will make a difference to the organization. The audit should begin with the process owner in order to understand how the process interacts with the other process inputs, outputs, suppliers and/or customers.
What are ‘audit criteria’?
We’ve all heard the term ‘audit criteria’ but what exactly does it mean? As defined in ISO 19011:2018, audit criteria are used as ‘a reference against which conformity is determined’. It goes on to say that ‘The criteria may include one or more of the following:
- Policies, processes and procedures;
- Performance criteria including objectives, statutory and regulatory requirements, management system requirements;
- Information regarding the context and the risks and opportunities as determined by the auditee (including relevant external/internal interested parties’ requirements);
- Business sector codes of conduct or other planned arrangements.’
Basically, all documented information that helps you to prove the consistency and compliance of your quality management system should be part of the scope for each individual audit. If you are auditing to verify that the requirements of ISO 9001:2015 are implemented, then the standard itself becomes the audit criteria.
If you are going to audit your quality management system documentation as per ISO 9001:2015, the audit criteria become ISO 9001:2015 and the relevant quality management system documentation, such as the quality manual, procedures, work instructions, standard operating procedures, forms, etc.
If you are going to conduct a product audit against a production control plan, the audit criteria will be the control plan itself, or relevant parts of it. The same applies when auditing an operator to see whether they follow the Work Instruction: the audit criteria are the Work Instruction for that process and any applicable criteria.
Preparing an audit report
A good summary report is the final output of the audit and deserves an appropriate amount of attention and effort. As you moved through the audit, you should have noted the issues and improvements you saw. These should have been marked clearly so you are now able to quickly review and capture them as you write the audit report.
The findings and conclusions should be formally documented as part of the summary report. Too often, the audit report only recites back facts and data the managers already know. The value is in identifying issues and opportunities they do not know!
This summary should be reviewed first with the lead auditor, then the Process Owner and Management Team. Make final revisions and file the audit report and all supporting audit materials and notes.
The audit summary and the corrective action forms should be attached to the audit report, which now becomes the audit record. Only the summary report and corrective actions need be given to the Process Owner and a copy of the audit report should be given to Top management.