What is the ISO 9001 audit program, and how does it work?

One of the most important tools that you have to make sure that your Quality Management System (QMS) meets the requirements that have been identified, and is effectively implemented and maintained, is the internal audit program. Internal audits are an integral part of any management system, and thus are included in the ISO 9001:2015 requirements as part of the requirements for performance evaluation of a QMS.

The internal audits that a company performs are one of the key items used by management to ensure that the business processes are carried out as they have been planned, and to ensure that any nonconformities are identified and have corrective action initiated to return to the planned arrangements of the process.

What is an internal audit?

In order to understand the program for internal audits, it is first important to know what an internal audit is. Quite simply, in an internal audit you will have a designated person look at a process, and compare the process outputs to the planned arrangements for that process, to make sure that they match. First, an audit checklist is created to define the planned arrangements that will be checked, often from review of a procedure or the ISO 9001 standard requirements, and then the auditor will review the process outputs to see if the identified details are occurring.

The audit will include looking at the records of the process, interviews with employees, and witnessing the process being performed to ensure that what is happening with the process is what was planned to happen. The auditor will look for the outputs to conform to the plan, but if they find that this is not the case, they will identify the problems found so that the process owner can find the root cause of the problem and apply corrective action to ensure it does not happen again.

Each audit needs to have its criteria and scope identified, auditors need to be chosen to be objective and impartial, results need to be reported to management, and action needs to be taken to address any nonconformities identified.

So, this is what an internal audit is, but what is an audit program?

For some details on creating checklists to perform internal audits, check out How to create a check list for an ISO 9001 internal audit for your QMS.


What does ISO 9001 require in the audit program?

The ISO 9001 requirements for the audit program ask that you plan, establish, implement, and maintain an audit program, meaning that you need to have an ongoing program in effect. The audit program relies heavily on a schedule of all audits, which can be as simple as a spreadsheet or calendar of the audits to be performed, but it is more than just an audit schedule – it is the entire procedure you will follow to maintain your internal audits. The audit program also needs to consider the following information that is particular to the company being audited:

  • Process importance – It is common to ensure that all processes are audited at least once a year, but for processes that you have identified as more critical to your organization, having more than one audit may be necessary to ensure continued conformance. For instance, if your control of nonconforming outputs is a critical part of your business, you may want to schedule this more than once in the year.
  • Changes affecting the organization – If you know of any changes for your QMS, such as new customer requirements or your efforts to change your QMS to ISO 9001:2015, these requirements need to become part of your audit program. Do you need to perform a gap analysis to see if you meet the new requirements? For more information, see this article on QMS change management in 7 steps.
  • Results of previous audits – Part of learning from your internal audits is making changes to your audit schedule as you gain information from your audits. For instance, if you complete an audit that has many nonconformities identified, you may want to add an additional audit to confirm the correction of the nonconformities found in the first audit.

What should be included?

Along with the above considerations, these elements are to be included in the program:

  • Audit frequency – How often will you audit each process? Will you audit a certain process more than the others? Your audit schedule should include the frequencies of the audits that are included.
  • Audit methods – Will you audit to a procedure that is in place, or witness the process to assess effectiveness? What records will you review to assess process conformance? This information may be captured in an audit checklist for each audit.
  • Responsibilities – Who is responsible for maintaining the audit program? Which employees will perform each audit? Remember that objectivity and impartiality of auditors are necessary for a good internal audit program.
  • Requirements for planning – How far ahead are audit dates scheduled? Who is contacted to schedule the audit? Who needs to be at the opening and closing meetings for audits?
  • Audit reporting – When the audit is completed, how long can it take to issue the audit report? Who needs to issue the report, and who needs to review and approve it? How are the audit reports submitted to management review?

Internal audit program: Important for corrections and improvements

The first and most important task of the internal audit program is to ensure that all of your processes meet the planned arrangements, but it is also an important tool for finding improvements for your processes. By auditing different processes, your internal auditors can share best practices across the company so that you can gain improvements in your overall Quality Management System, saving time and money overall.

Using your internal audit program as an improvement tool will help you to work towards your commitment to continual improvement, and isn’t improvement one of the main reasons you implemented a QMS in the first place?

Use this free online training, the ISO 9001:2015 Internal Auditor Course, to prepare yourself for creating an internal audit program.

Author: Mark Hammar (Advisera)
Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.