Thursday, February 4, 2010

ISO Stuff-Internal Audit

In this series I will talk about sections of the ISO 9001 standard that I have seen organizations struggle with. This week is Internal Audit.

Internal Audit is part of those requirements that deal with the need for us to monitor the performance of our Quality Management System. As such, you'll find the requirements for Internal Audit under section 8 of the ISO 9001 standard, where monitoring & measurement requirements are laid out.

The purpose of Internal Audit is to ensure that the QMS conforms to planned requirements and is effectively implemented.

Internal audit has two key interactions with other parts of the ISO 9001 standard, one is Corrective and Preventive Action. Internal audits result in identification of issues that require corrective action. Management for the audited area is responsible for taking action in a timely manner on results of audits. The other key interaction is with Management Review. Internal audit results are a key input to management review activities. Think of Internal Audit as the "Eyes and Ears" of management with regards to the integrity of the Quality Management System; its intended to tell management how things are going and where things need to be improved.

Lets cover the requirements for internal audit in detail. The requirements for internal audit are few but there are some critically important points. Here's the requirements:

Internal Audits should be;

1. Process Based
2. Scheduled and conducted according to the status and importance of the process to the overall Quality Management System (QMS).
3. Conducted by personnel not responsible for the work of the process
4. Acted on my management for the area.

Process based. This is a key requirement because it encompassed a sweeping change in audit philosophy with the 2000 revision to ISO 9001 from a clause based audit approach to a process based approach. The intent is that internal (and external) audit activites should focus on the process(es) being audited and let the auditor determine what clauses of the ISO 9001 standard are in play. This approach makes much more sense from the viewpoint of the way the business operates.

Scheduled & conducted according to the status and importance of the process. This requirement has broad, meaningful implications to audit programs everywhere. No longer are Quality Managers required to audit everything in a yearly cycle, now the Quality Manager can assess the status and importance of a process relative to other processes and decide how often to look at that process. There are many different logical strategies that can be employed to make this assessment using everything from a Failure Modes & Effects Analysis (FMEA) type of approach to a simple assessment of business results through dashboard metrics to enable decision making about what to audit and how often.

Conducted by personnel not responsible for the work of the process being audited. This is simple. Auditors can not audit their own work. It ensures an unbiased assessment of the process.

Acted on by management for the area. We've covered this already above. Internal audits find things that need to be corrected, management that is responsible for the process being audited must act on the finding to correct the issues discovered.
As you can see, the requirements for internal audit are not prescriptive. There is no detailed "how to" in the requirements. This generic approach leave the Quality Manager alot of room to interpret how they chose to address the requirements in a way that is effective to their QMS.

One final point about internal audit. Internal audit is NOT intended to be a "gotcha" process, where we "trick" people into revealing the skeletons in the closet. It is intended to be a unbiased assessment of compliance with the planned activities of the QMS. Auditors should be looking equally for best practices and improved processes as they are for non-compliance with planned requirements.


Eternal Lizdom said...

I've been the subject... er, victim... er, interviewee for our ISO aduits on several ocasions (I work in procurement). While any audit is nerve wracking, I've always felt I went into it more relaxed than I'd perviously seen co-workers... co-workers who spent a week preparing and double checking files and documents and setting things up to be right.

I always went into it as a demonstrator. I'm just here to show you what we do and how we do it.

What always struck me as funny was these folks, when they were the one being audited, would go to great lengths to have exact documents exactly right... but when I was audited, I was rarely asked about my own work! Our auditor had already spent time in other areas and usually had part numbers and purchase orders already selected that needed to be reviewed.

I was just the demonstrator, taking requests.

Jim said...


Thanks for the comment. You have a great perspective on this. You're correct, most people approach it as a dog and pony show as opposed to an opportunity to show what they really do. Auditors, for the most part, can pick up on the well rehearsed person pretty easily and appreciate people with your approach much more.


Anonymous said...


I read this post 2 times. It is very useful.

Pls try to keep posting.

Let me show other source that may be good for community.

Source: ISO 9001 history

Best regards

kousalya said...

Thanks for sharing, I will bookmark and be back again

Management Audit

Inzinc Consulting India said...

Very informative and useful blog.
ISO 9001 Consultants in India and ISO 9001 Consultants in Bangalore

James jones said...

Howdy! I simply want to give a huge thumbs up for the nice info you will have here on this post. I will be coming back to your weblog for extra soon. medical device quality engineering