Clause 9.2 Internal Audits (secrets revealed)
One of the most important clauses of ISO 9001:2015 and the backbone of your continual improvement activities is the internal audit function. An internal audit is referred to as a 1st-party audit and is performed by your internal staff. It’s important that your staff have been provided with comprehensive internal audit training. After a suitable training period, they will then audit certain processes and departmental functions to assess if everything is operating to the criteria requirements of ISO 9001:2015 and with your organisation’s own requirements.

They will either discover that everything is operating successfully to the requirements, or not. If errors are found, a non-conformity is raised, ready to feed into the corrective actions process. A word of caution: your intentions are poor if you begin an audit with the sole purpose of finding non-conformances. If we find non-conformances, then so be it. We record them, ready for the audit report.


Non-conformity Is Not A Bad Thing

Let’s get something clearly understood: a non-conformity is not a bad thing. Read that sentence again if you must. I’ve been in countless meetings where the temperature is raised, managers are shouting and pointing the finger at one another over the issue of non-conformities. I have a name for these types of management meetings: ‘Gunfight at the OK Corral’.

What a shame, and what a wasted amount of stress-inducing energy. Surely, finding errors in your systems is a good thing, so that you can fix them before the problem expands and gets worse. When a 3rd-party certification auditor finds a non-conformance, they have done you a favour because they’ve found something that you have missed. I hate to tell you this, but I’ve also found instances of staff being dismissed due to the number of non-conformances found during an internal audit. Truly unbelievable.

In my experience as an auditor, I’ve found this negative attitude towards non-conformances to be a cultural issue within an organisation. If an organisation is harbouring this old-fashioned view of non-conformances, then it will filter throughout the entire organisation. This situation is quite common and such a shame. It highlights the need for effective internal auditor training delivered by an experienced auditor.

When working for BSI, we also offered a service called a ‘Management Briefing’. When booked, I would spend half a day with top management, briefing them on the basics of how the management system functioned in terms of continual improvement, and on the relationships between various clauses. I would also spend time educating them on why finding non-conformances is a positive thing. This part of the day was often quite difficult when the cultural attitude towards non-conformances was negative.

Blame Culture

In some organisations, staff are reluctant to report process errors as they wrongly assume that they might get the process owner into trouble. Again, this tends to be a cultural issue, and as you are probably already aware, changing a culture can be quite difficult and certainly doesn’t happen overnight. This is a common problem of education, training and communication. Staff should be fully trained on the non-conformance process. Non-conformance report forms should be designed so that they don’t contain a reference to personal names. When performing an internal audit, let us remember that we are auditing the system and its processes, not the person. Of course, there may be many instances where errors in the process are caused by a person, but we will discuss that issue in more detail later.

The language you choose to adopt with your management system is entirely your choice. There is no requirement from ISO 9001:2015 for you to adopt any of its language. You don’t have to use the term ‘non-conformances’, and there is also no requirement for you to refer to them as being ‘major’ or ‘minor’. These terms are required to be used by 3rd-party auditors who are working from the ISO 17002 certification guidelines. Many organisations call a form that captures and records non-conformances an ‘Opportunity for Improvement’ (OFI) form. You might want to call it a ‘Quality Alert Notice’ or something similar. What you call it is entirely your decision, but I would advise making it more friendly than a ‘Record of Non-conformance’.

At clause 9.2.1 you are required to:

  • Conduct audits at planned intervals

How often might that be, I hear you ask? Well, the phrase ‘planned intervals’ is another of a great many phrases in ISO 9001:2015 that are subjective. Once again, risk is what matters here. You might choose to audit the changing and disposal of ink cartridges in the photocopy machines once every 3 years. However, I’m assuming that you would audit processes operating within an explosive atmosphere on a very frequent basis. It’s generally accepted that certification bodies expect you to audit all of the management system requirements annually. Be sure to make your auditee aware of an impending audit.

Whether you choose to do this will depend upon how large and complex your organisation is. Let’s not forget, re-certification occurs on a 3-year basis, and if you are confident that you have fully audited all of the management system requirements during that period, then feel free to do it that way.

Most audits are planned events, and their function and frequency should be communicated to all interested parties. It’s considered quite unfair to perform an audit of a process, or several processes, as a total surprise. Auditees should be notified of an impending, planned audit in advance of it occurring. The tools for planning and performing audits are the audit schedule and the audit plan.

Audit Schedule Vs. Audit Plan

Audit schedule: this describes the number, duration and frequency of planned audits over a period of time. This could be daily in environments such as aircraft manufacturing, or annually in a low-risk office-type environment. Audit schedules are commonly created and recorded in Excel spreadsheets or by using bespoke management system software such as Q-Pulse or similar.

Audit plan: this describes the activities and arrangements for a single audit. It records the details of the planned audit, the most important of which are the scope, criteria and objective. It also describes the practical aspects of timings, locations, durations etc. It is provided ahead of time so that the auditee has time to plan for the audit.

There are three terms that are sometimes referred to as the holy trinity of auditing: scope, criteria and objective.

Scope, Criteria & Objective

Scope: this describes the extent and boundaries of an audit. The boundaries include both physical and virtual locations, functions, processes, tasks, organisational units and time periods.

Criteria: this describes the set of requirements against which your collected evidence is compared. For a management system audit, the criteria would be the requirements of the management system. The criteria need not relate to management system requirements at all; they might be your own organisation’s requirements, or those of a customer as stated within a contract.

Objective: what exactly is the audit trying to achieve? Are you trying to establish conformity, continual improvement, effectiveness, opportunities for improvement, or achievement of the objectives of the management system?

When teaching these concepts to a class of students, I would often use the following example, which many found extremely useful:

  • Exercise: describe, in terms of the scope, criteria and objective, taking your car for an MOT (UK). In this scenario, the scope of the audit is your car, the criteria for the audit are provided to the mechanic by the UK government, and the objective is to establish if your car is safe to drive on the road. I’ve found this to be a really effective way to teach the terms. Feel free to use this example if you are a trainer.

Does your system conform to its own requirements?

Under clause 9.2.1 you shall conduct audits to determine whether your management system:

  1. Conforms to the organisation’s own requirements
  2. Conforms to the requirements of the standard
  3. Is effectively implemented and maintained.

Your organisation’s own requirements: these are your established, documented ways of doing things. They are your processes, tasks and procedures. They are the requirements of customers, suppliers and contracts. They include the legal requirements of law and local regulators. All of these requirements are unique and individual to the context of your organisation. Who are the best people to understand and audit against these requirements? Your employees, of course. You decide in your audit schedule which of these processes, tasks or procedures are to be audited. You then make specific plans for individual audits against the audit schedule.

The requirements of the standard: this is where you are planning and performing audits to establish conformity against the requirements (the ‘shalls’) of the standard. I’ve just performed a search of the ISO 9001:2015 document for the term ‘shall’ and the result was 136. This means that there are 136 requirements for you to check conformity against over the chosen time period for your audit schedule. I do hope reading that information has not sent you into a panic, but it’s always best to be informed.

Let’s be honest, the ISO standards are not authored in the friendliest of language and can be very difficult to interpret. It’s for that reason that training courses and books like this are required. I once attended a lecture from an ISO representative who explained that the standard is translated into most languages across the world. Only certain ways of writing translate successfully into other languages, and this is the reason why the standards are often difficult to interpret.

Is effectively implemented and maintained: after all of the hard work of implementation and daily maintenance of the management system, are you achieving continual improvement? You can meet all of the management system requirements but still not be improving. As an auditor, I’ve found this situation is commonly caused by organisations that are simply implementing and running a management system as a tick-box exercise. This might be because they needed certification before they could bid for certain contracts.

This is such a great shame, and a situation that is easily identified by an experienced auditor. You can measure your effectiveness by how you are retaining and acquiring new customers, the reduction in non-conformances, savings in costs due to reduced errors in production or service provision, the achievement of objectives, and the results of your continual improvement processes.

9.2.2(a) Plan, establish, implement and maintain an audit programme.

An audit programme should be designed for a specific time frame, and with the purpose of achieving specific audit objectives. An audit programme is typically designed over the period of one year, but it could be of any duration. Individuals planning and managing the audit programme should:

  • Perform their duties honestly and ethically
  • Only undertake activities if competent to do so
  • Perform their work in an impartial manner
  • Be sensitive to any influences that may be exerted on their judgement (Source: ISO 19011:2018)

An audit programme can address a single management system or multiple management systems (a combined audit). One of the huge advantages of the high-level structure is that it enables and simplifies the design of combined audits. The nature of your audit programme will depend upon your levels of risk, complexity, context, geographical locations and the maturity of your management system. Roles, responsibilities and authorities will need to be defined that describe clear responsibilities for maintaining and managing the audit programme.

Confidentiality

While planning your audit programme, you must fully understand your organisation’s context and consider:

  • Information security and confidentiality: are you accessing sensitive data? Who will have access to this data when you distribute your audit report? Does your audit include accessing data from external sources such as suppliers?
  • The needs and expectations of relevant interested parties: is the output from your audit function important to a particular contract? Do the requirements of a local regulator depend upon the frequency of an audit? Do your own internal requirements rely on audit results because they affect other important processes?
  • Organisational objectives: is an audit required to help track the progress of objectives?
  • Risk: your audit programme should be designed with a risk-based approach. Begin by auditing your high-risk processes first, and with more frequency. Then work backwards by auditing processes with decreasing levels of risk.
  • Availability of resources: do you require specialist equipment? Can you allocate the required amount of time? Do you have enough sufficiently trained auditors?
  • Changes affecting the organisation: is your audit programme flexible enough to account for changes that might occur? For example, if a new piece of machinery is installed, it’s a good idea to audit all of the associated processes, risk assessments etc. post-installation.
  • Results from previous audits: did your previous audits reveal errors with a particular process? Was that process only audited once in the previous year? If so, after the corrective actions were implemented it would be a good idea this year to audit that particular process two or three times.

9.2.2(b) Define the criteria and scope for audits.

An audit can be conducted against a range of criteria, and the choice will depend on the objectives of the audit. Audit criteria are a set of reference points against which objective evidence is compared. Think of the example I described earlier of the garage mechanic performing an MOT. The criteria he/she is auditing against are the safety checkpoints provided by the governing body. Examples of audit criteria could include, but are not limited to:

  • Management system requirements
  • Requirements from interested parties such as suppliers or regulators
  • Requirements of a contract
  • Management system processes, procedures, tasks, risk assessments etc.
  • Codes of practice
  • Corporate policies
  • Legal requirements

9.2.2(c) Select auditors to ensure objectivity and impartiality.

Imparting personal opinions and personal views during an audit would be described as being subjective. This is definitely not accepted practice when auditing. As an auditor, you must remain objective and totally impartial towards the nature of the process being audited. If a non-conformance is identified, then you can offer subjective advice as part of the corrective action process. You must base your audit findings purely on collected evidence. Objectivity and impartiality can be achieved through correct audit training and by directing auditors to perform audits outside of their normal working department.

9.2.2(d) Ensure the results are reported.

The output from an audit is often the input to some form of management review. The results from the audit are analysed to ascertain if the audit objectives have been achieved and to consider any non-conformances, opportunities for improvement and areas of effective practice. In most instances, the audit results will also be given to the auditee. Understanding the line-of-sight between the audit function and the management system objective of continual improvement is key to realising the benefits of implementing a management system.

9.2.2(e) Take appropriate correction and corrective actions without delay.

So your audit identifies a non-conformance, and you are now required to make both a correction and a corrective action. What’s the difference between a correction and a corrective action, I hear you ask? Let me explain by giving you the example that I teach to students in a class.

I walk into my kitchen on bare feet and step into a puddle on the floor. My first thought is to kick the cat; I then reach for the mop and clear up the mess. Don’t worry, I love my cat and would never kick her, except when Man United score! I walk into the kitchen the next morning and straight into another puddle in the same place. As I’m looking down at my feet, I feel a drop of water hitting the top of my head. I look up and find it’s dripping through the ceiling from the bathroom. I investigate the bathroom to find that the water is coming in through the roof above it. I call a local roofer who fixes the missing slate, and all is now good.

In the first instance, I made a simple correction by mopping up the puddle. In the second instance, I performed an investigation and followed it up with a corrective action (the roof repair). A corrective action must always begin with a ‘root-cause’ investigation.

9.2.2(f) Retain documented information as evidence of implementation and audit results.

As I mentioned earlier, your audit programme schedule could be contained within an Excel spreadsheet or managed using bespoke management system software. Audit results are the audit reports, management review records and associated corrective actions that will be retained as records after the audit activities. Other documented information you might retain includes competence training records for auditors, audit plans and audit notes created during the audit, if you feel it is beneficial to keep them. I’m certain that you are already doing all of this, and so this requirement is happening by default in most organisations.

ISO 14001:2015

The requirements remain the same as those for ISO 9001:2015.

ISO 45001:2018

The requirements remain the same as those for ISO 9001:2015 with some slight changes:

9.2.2(a) There is a mention of the word ‘consultation’, which does not appear in the equivalent requirement of ISO 9001:2015 or ISO 14001:2015. This additional word simply means that when planning your audit programme, some form of consultation with workers or the workers’ representative must be performed.

9.2.2(d) This requirement remains the same, except that ‘relevant’ audit results are also reported to workers or the workers’ representative and to ‘other’ interested parties. Interested parties might include insurance companies or regulatory authorities such as the HSE (UK).

For auditors:

  • Check for the existence of audit planning.
  • Check for an audit programme and schedule.
  • Check for audit plans and evidence of audit activity.
  • Check for auditor competency training.
  • Check for audit reports.
  • Check management review minutes for evidence of audit report review.
  • Check that corrective actions have been implemented where necessary.
  • Check for roles, responsibilities and authorities concerning the audit programme.

Some further questions that I will be answering in future articles include:

  • What is the difference between stage 1 and stage 2 audits?
  • How do I audit an ISO 14001 checklist? Do we audit our audit programme?
  • How do you conduct an internal audit?
  • What is an internal audit checklist?
  • What are the 4 phases of an audit process?
  • What is auditor competency?

References:

  • www.iso.org
  • ISO 9000:2015
  • ISO 9002:2015
  • ISO 14001:2015
  • ISO 45001:2018

Please be kind, share and create a link back to this article.

(c) All content is copyrighted to ISO Training UK – All rights reserved 2022.

Author Bio

Paul Ingram has over 15 years of experience working in quality, health and safety and environmental management. Specialising as a trainer, he has provided training to thousands of delegates from small and multi-national businesses across the globe. He is a specialist in management system training and is able to design and deliver courses for ISO 9001, 45001 & 14001. This includes Implementation, Introduction, Internal Auditor, Lead Auditor, Remote Auditing, Management Brief and many more. For more information about booking a course visit: ISO Training & Consultancy
