ISO 9001:2015 Clause 9.2 Internal Audit Requirements
The standard stipulates some requirements to be followed if an organization is to get a certification in Quality Management Systems (QMS) or an organization that is already implementing the same system.
Organizations are required to undertake internal audits at planned intervals to provide information on whether the QMS
- Conforms to the organizations own requirements of QMS and the requirements of ISO 9001:2015
- Is effectively implemented and maintained.
The fact that the standard talks about planned intervals mean it cannot be done once in a year as Interval is defined as “a longer length of time that can be divided into a number of shorter periods of time, all of the same length” The minimum number of time, therefore, is twice a year.
When conducting internal audits, your objective is to check if both 1) and 2) above are being fulfilled. An important thing to remember is that it is a requirement of the International Standard that both statutory and regulatory requirements are adhered to.
Clause 9.2.2 a) requires the organization to plan, implement and maintain an audit program(s) that includes
- Frequency of the audits- This is where an organization stated the number of times they plan on doing an audit each year.
- Methods – The program should state the methods of audit which are to be employed during audits. i.e. interviews, observations, testing, etc
- Responsibilities– The persons who are going to be conducting the audits. This is where auditors are listed or a reference is made to the list of auditors if it is a separate document.
- Planning requirements– The resources to be utilized during an audit.
- Reporting– Giving the time frames of when audit reports are supposed to be handed over to the top management.
It is a requirement that the program takes into consideration the importance of the processes concerned- this can be achieved by scheduling the core processes to be audited more times than the non-core processes in an organization.
To show consideration of changes affecting the organization in an audit program- A process can be noncore but is scheduled to be audited twice because of a change that has been done in the organization or a core process, in that case, can be audited more than twice.
Consideration of previous audits can also be shown by scheduling processes that had nonconformities in the previous audit as priority audit areas by allocation more time to the areas and maybe more audits if it deems necessary.
Clause 9.2.2 b) – Requires an organization to define the criteria and scope of each audit. Criteria is a set of policies, procedures, or requirements used as a reference against which audit evidence is compared to while the scope is the audit boundary.
Clause 9.2.2 c) – Selecting auditors and conducting audits to ensure objectivity and impartiality of the audit process is achieved. Objectivity is an unbiased judgment from the auditors, ensuring that the audit findings are not compromised. Impartiality can be achieved by ensuring that no auditor audits their own work.
Clause 9.2.2 d) – Ensure that the results of audits are reported to the relevant management. These audit results form part of agendas for management reviews according to Clause 9.3.2 c) 6. When conducting an audit, they want to see when the final report of the audit was forwarded to the management, and if it is in line with the timelines stipulated.
Clause 9.2.2 e) – The organization is supposed to take correction and corrective actions without undue delay. If the procedures for audit stipulate that the corrective actions be done within 2 weeks, this should be adhered to. Remember, correction is short term action on nonconformities raised, whereas, corrective action is what is done to ensure long term measures are put in place.
Always ensure the Corrective Action Reports (CAR) forms are up to date as this is what auditors check to see if this requirement of the standard is being met.
Clause 9.2.2 f) – An organization is required to retain documented information as evidence of audit program implementation and the audit results. Remember, an audit is all about evidence.
