ISO 9001:2000

Ten Tips For Internal Auditing

Q
U
A
L
I
T
Y

M
A
N
A
G
E
M
E
N
T

S
Y
S
T
E
M
S
1. TRAIN YOUR INTERNAL AUDITORS
ON THE NEW STANDARD
ISO 9000:2000 defines an auditor as a person with
the competence to conduct an audit. Competence
is further defined as the demonstrated ability to
apply knowledge and skills.
New internal auditors should attend a three-day
RAB accredited internal auditor class to learn good
practices and how to interpret ISO 9001:2000
requirements.
The internal auditor course explains the new
concepts and terms associated with the
ISO 9001:2000 standard and ensures consistent
interpretations of its requirements. Since you will
need evidence your auditors are competent,
remember to keep records of their training (along
with their required education, skills, and
experience).
It is also important to educate all staff about the
benefits of internal auditing and about the
significant impact it can have on the organization
when used in a positive and constructive manner. If
the organizational culture is set right, and
management commitment is given to undertake
effective internal auditing, the benefits gained are
unlimited.
An RAB accredited ISO 9001:2000 Internal
Auditor course is available through BSI
Management Systems. Please visit
www.bsiamericas.com/trainingor call
1.800.862.4977 for course locations and dates.
If you are setting up or modifying your
internal audit program for ISO 9001:2000,
we offer these ten tips for auditing to the
standard. But first, what is an audit?
According to the ISO 9000:2000
Fundamentals and Vocabulary standard, an
audit is:
A systematic, independent, and
documented process for obtaining audit
evidence and evaluating it objectively to
determine the extent to which audit
criteria are fulfilled.
So, internal audits are formal, planned,
and organized assessments. They are
conducted in an impartial and objective
manner following a documented
procedure. Audits are used to gather facts
and determine the degree to which
requirements are being met.
Using the tips in this booklet should help
you achieve these audit objectives.
Q
U
A
L
I
T
Y

M
A
N
A
G
E
M
E
N
T

S
Y
S
T
E
M
S
2 3
3. INTERNAL AUDIT CHECKLISTS
Although checklists are not required by ISO 9001:2000,
most organizations use them to ensure their internal
audits address all the stated requirements. Auditing
courses promote the use of checklists and provide
practice in creating them.
As interview tools, checklists should help audits
proceed effectively and provide valuable feedback
on the results of the quality management system.
Checklists, if developed and used properly:
Promote planning for the assigned audit
Ensure a consistent audit approach
Act as a sampling plan and time manager
Serve as a memory aid and confidence builder
Provide a repository for noting the evidence
Checklists do have some drawbacks. Relying
repeatedly on a canned checklist not tailored for the
audit will result in poor coverage. Restricting
interview questions because of the checklist will
cause it to be viewed as a limited survey instead of a
valuable audit guide. And, if the checklist doesnt
reflect the requirements and process focus of
ISO 9001:2000, it will need to be altered, so that it
does.
Internal auditors should have an open mind, ask
open questions and stay objective. Use of common
methods should be encouraged, but consistency will
not be achieved by restricting interviews to a set of
predetermined questions. The audit outcome should
not be viewed as simply a completed checklist.
Auditors should use it as a planning tool for their
assignment and be willing to pursue other areas of
investigation.
A checklist for ISO 9001:2000 should guide auditors
through the system flow from quality policy, to
objectives, to processes, to measurements, to results,
to actions, and eventually to continual improvement.
In fact, the checklist could identify a simple set of
criteria to be covered instead of trying to develop
specific, detailed questions.
2 REVISE YOUR INTERNAL AUDIT
PROCEDURE
Even if you already have an internal audit
procedure, you must ensure that it addresses the
requirements stated in ISO 9001:2000 clause 8.2.2
for Internal Audit.
Although ISO 9001:1994 required an internal audit
procedure, ISO 9001:2000 spells out that the
procedure must define responsibilities and
requirements for:
Planning audits
Conducting audits
Reporting results
Maintaining records
Prior audit results must now be considered when
planning the audit program (schedule), in addition
to considering the status and importance of the
areas to be audited. However, most audit programs
were already addressing this as part of the status
requirement.
ISO 9001:2000 also requires the audit criteria,
scope, frequency and methods to be defined. Most
auditors know to do this based on their training,
but now it is stated as a requirement in clause
8.2.2.
ISO 9001:1994 stated that the auditor must be
independent of those with direct responsibility for
the audited activity. ISO 9001:2000 clarifies that the
auditor must be impartial and objective, and that
auditors cannot audit their own work. This change
will give small organizations more latitude in
assigning auditors.
As well as meeting the conformity requirements
of ISO 9001:2000, much value can be added to an
organization by making use of internal audits to
gather other valuable information during the
audit process. Much can be learned about the
overall performance of an organization by simply
having a listening ear and sounding people out
on other issues and ideas. The message is to not
limit internal audits simply to conformity issues.
4 5
So, an audit to see if quality objectives have been
planned, implemented, monitored, and improved
will consider requirements from multiple clauses.
Use of an electronic version of the standard can
help identify important cross-references.
ISO 9001:2000 requires your processes to be
identified (4.1.a) and their sequence and
interaction to be determined (4.1.b). Clause 4.2.2.c
states that these process interactions must be
described in your quality manual.
Audit planning should identify process linkages and
ensure these audit trails are followed for more
effective evaluations of your quality management
system.
5. FOCUS ON THE NEW AND CHANGED
REQUIREMENTS
Market research firms often track the use of certain
key words in newspapers and trade magazines to
determine the general level of interest and
acceptance of new topics.
If we look at the word counts in ISO 9001:2000
compared to ISO 9001:1994, we see a dramatic shift
in emphasis for some important areas:
The word Customer is now used 48 times instead
of 18 times
Customer Satisfactionappears 8 times compared
to only once
The words Plan, Planned, and Planningoccur 32
times versus 20 times
Quality Objectivecan be found 11 times instead
of only twice
Improveand Improvement are included 21 times
instead of only once
Since the auditors working for registrars have been
through transition training on the new standard,
they will naturally focus on the new and changed
requirements when they assess your system.
Therefore, your own internal auditors should also
pay special attention to these areas when judging
conformance to ISO 9001:2000.
There are four basic sources of requirements to
consider when preparing a checklist:
1. Standards: (such as ISO 9001:2000 requirements)
2. Customer: (as expressed in orders and contracts)
3. Organization: (as expressed by internal
documents)
4. Legal: (such as statutory and regulatory
requirements)
Checklists for ISO 9001:2000 should focus on the
effectiveness of the system. Internal auditors may
spend more time preparing for their audits, but
they will gather more valuable information.
Hopefully, the areas being audited will recognize
that the auditors are looking more for process
performance and less at simple conformance.
4. ADOPT A PROCESS APPROACH TO
INTERNAL AUDITS
The intent of ISO 9001:2000 is to encourage the
adoption of the process approach to manage an
organization. As a result, internal audits of your
quality management system need to adopt a
similar approach.
An activity that uses resources to transform inputs
to outputs can be considered a process. The output
from one process may become the input to the
next process. To function well, organizations have
to identify and manage numerous interacting
processes.
The Process Approach involves the systematic
identification and management of these process
interactions within an organization. For effective
audits, you have to understand the process nature
of the system and follow the appropriate audit
trails.
For example, auditing to the requirements for
quality objectives requires considering clause 5.4.1,
quality objectives, as well as, related clauses that
refer to quality objectives (4.2.1.a, 5.1.c, 5.3.c,
5.4.2.a, 5.6.1, 6.2.2.d, 7.1.a, and 8.5.1).
6 7
7. REMIND AUDITORS HOW TO VERIFY
CONFORMITY
Internal auditors often rely just upon documents
and records as evidence of process conformity and
dont adequately interview personnel and observe
operations.
After determining the audit criteria (requirements),
objective evidence should be gathered in four
different ways for more complete and effective
audits:
1. Interview personnel
Based on your audit planning and checklist
questions, ask employees about their jobs. Listen
to what they tell you. See if their explanations
match the defined process. Use open-ended
questions to elicit more complete responses. Do
not be afraid to challenge and probe or follow
an audit trail to see where it leads you. Talking to
people is the best possible way to test their
understanding and knowledge about the
processes and sub-processes in which they are
involved.
2. Observe operations
Aid your own understanding of the process by
watching it be performed. See if the observed
practices comply with requirements. You will
discover the persons being interviewed are more
relaxed when you let them demonstrate their
jobs. In addition, internal audits will be less
disruptive since work is actually being completed.
6. EVALUATE THE EFFECTIVENESS OF
THE SYSTEM
Most auditors find it relatively easy to assess the
conformance of a defined or documented process
to the requirements of the standard. They even
find it relatively easy to see if the actual practice
matches the defined or documented process.
However, auditors often struggle with, or even
overlook, assessing how well the practice is actually
performed.
Every audit situation should be examined from
three perspectives:
1. Intent: Have you said what you do?
Do the defined or documented processes
adequately express your approach?
2. Implementation: Have you done what you
said?
Do the observed and recorded practices show
conformance with the stated intent?
3. Effectiveness: Have you done it well?
Do the results of the process indicate the desired
outcomes have been achieved? ISO 9000:2000
defines effectiveness as the extent to which
planned activities are realized and planned
results are achieved. In other words, to judge
effectiveness you look not only at the
conformance of a process, but also at its results
compared to its objectives.
However, please note that ISO 9001:2000 requires
an effective system, not necessarily an efficient
one. Efficiency, the relationship between the result
achieved and the resources used, is only addressed
in the ISO 9004:2000 Guidelines for Performance
Improvement. It is worth noting that internal
auditors will benefit greatly by having a thorough
understanding of ISO 9004:2000. This is an
excellent standard and should not be overlooked.
Speaking of improvement, dont overlook it. A
process may be defined, deployed, and effective,
yet still need to be improved for better results and
more business success.
8 9
8. KNOW HOW TO AUDIT AN
UNDOCUMENTED PROCESS
ISO 9001:2000 only specifically requires six
procedures. Those required procedures by clause
are:
4.2.3 - Control of Documents
4.2.4 - Control of Records
8.2.2 - Internal Audit
8.3 - Control of Nonconforming Product
8.5.2 - Corrective Action
8.5.3 - Preventive Action
ISO 9001:2000 clause 4.2.1.d states that other
documents needed for effective process planning,
operation, and control must also be included.
Therefore, organizations should only develop the
level of documentation they need based on the
process complexity, personnel competence, and
organization size.
With the requirement for fewer documented
procedures, auditors will have to improve upon
their interviewing techniques to understand and
take notes on the defined process. Ask the
manager of the area if any documents exist to
guide the people in their assigned activities. If not,
ask the manager to explain the process and how
people are trained. Confirm your understanding
and use the managers defined process as the audit
criteria.
Auditors should always substantiate the evidence
before making conformity judgements. This is
especially important with an undocumented
process. Review how the process is planned, people
are trained, practices are deployed, conditions are
controlled, results are achieved, records are
maintained, the process is improved and how
performance and improvement information is fed
back to management for consideration and
possible action.
3. Review documents
Ask the persons being interviewed what
documents are used in their work. You may find
documents and forms beyond those identified in
your audit planning. See if the documents are
adequately controlled and available for use.
Refer to the documents to help you follow the
work being shown. Verify the records described
in the documents are being properly collected
and controlled. Also, challenge the need for
documentation and try always to find better and
more effective ways of managing and
controlling the processes being audited.
4. Examine records
When you interview people and observe
operations, you are determining how the process
is currently being performed. However, you also
want to verify the process has been in
conformance since the last audit. The best way
to evaluate prior practices is to examine the
records from past operations. Also test out what
lessons, if any, can be learned from the data and
information contained within such records. Make
sure this data and information is being positively
used to the benefit of the organization.
The facts uncovered using these methods should be
carefully recorded in your audit notes. Analyze this
evidence to report the degree of conformity (or
nonconformity).
Auditors cannot interview every person, observe
every activity, look at every document, and
evaluate every record. You should strive for
representative samples that allow you to make
informed judgements. Since audits are limited due
to sampling, nonconformities may continue to exist
in the system beyond those identified and
reported. However, with time and well planned
audits the probability of unearthing problems on
future audits are greatly enhanced.
10 11
Have training sessions with your auditors to go
over previously written nonconformity statements
and identify what clause references would have
been used for ISO 9001:2000. Suggest to your
auditors that they follow these 6 Cs for well-
written statements:
1. Complete include the specified requirement
and objective evidence
2. Correct take care to accurately and correctly
convey the information
3. Concise express the statement as briefly and
succinctly as possible
4. Clear use easy to understand and familiar
words and terminology
5. Categorized if used, identify its severity (major,
minor, or concern)
6. Confirmed verify the information needed for
corrective action is stated
Of course, internal auditors must prepare audit
forms and reports as prescribed by their own audit
procedure. Remind them to audit for conformity
(not nonconformity) and to share some positive
comments in their reports to encourage improved
conformance.
9. IMPROVE YOUR CURRENT INTERNAL
AUDIT PRACTICES
Organizations with an existing internal audit
program should review their results to ensure audit
objectives are being met and to identify
opportunities for improvement.
Ask yourself the following questions:
Are our internal audit plans and schedules being
met?
Do our plans focus on customer satisfaction?
How well are departments meeting their
requirements?
Are we identifying the root cause of the
problem?
Are our internal auditors writing good audit
reports?
Are nonconformities written clearly and simply
to be easily understood?
Are we giving compliments for good practices?
Are we identifying opportunities for
improvement?
How long is it taking to close audit corrective
actions?
What feedback are we receiving about our
audits?
Use the update of your internal audit process as an
opportunity to take corrective and preventive
actions and find the root cause of the problem.
Look at past audit reports and see if you are
satisfied with current practices and auditor
consistency.
12 13
Another method of auditing is to trace customer
orders downstream (or shipping notices upstream)
through the flow to assess department interfaces
and process handoffs. Audits can also be scheduled
for a specific contract or project to only assess the
involved areas.
Remember that key business processes tend to flow
across the organization and hence may touch on
many activities and departments. Other processes
may flow more vertically within the organization. For
this reason alone it is very important to understand
the interfaces within your business processes and
sub-processes and plan your audits accordingly.
Remember that ISO 9001:2000 requires audits to be
planned based on the status and importance of the
areas being audited, as well as, the results of prior
audits. Internal audits of critical areas or poorly
performing ones must be scheduled more frequently.
If the scope of your system has recently changed
based on permissible exclusions (see clause 1.2) or
outsourcing (see clause 4.1), make sure your
internal audits are scheduled and planned to
provide full coverage of the system.
TIPS AND GUIDANCE
Formal management systems audits are planned and
conducted using the principles of ISO 19011:2002
Guidelines for quality and/or environmental
management systems auditing. This standard can
also be used to help you streamline your internal
audit process and follow best practice as it contains
the following:
1. An explanation of the principles of management
system auditing (Clause 4)
2. Guidance on the management of audit programs
(Clause 5)
3. Guidance on conducting internal or external
audits (Clause 6)
4. Advice on the competence and evaluation of
auditors (Clause 7)
ISO 19011:2002, the ISO 9000:2000 series and other
management system standards are available to
purchase from www.bsiamericas.com
10. SCHEDULE YOUR INTERNAL
AUDITS DIFFERENTLY
The purpose of an internal audit program
(schedule) is to plan the type and number of
audits, as well as, to identify and provide the
necessary resources to conduct them.
The Plan-Do-Check-Act model can be applied to the
management of internal audits:
Plan: Define the audit program
Do: Implement the audit program
Check: Review the audit program
Act: Improve the audit program
The auditors need to understand how
ISO 9001:2000s clause structure and requirements
will affect their audit plans. Instead of auditing by
clause, the organization may decide to audit by
functional area, or by process.
An earlier tip described the need to look at
requirements from multiple clauses to fully assess a
particular activity. Organizing audits by clause may
limit the evaluation to just a subset of the
planning, doing, checking, and acting requirements
for a process.
Scheduling audits by functional area will promote
an examination of all the applicable requirements
(clauses) for the specific process scope. If audit
results indicate problems with a particular clause
across multiple areas, a supplemental audit can be
scheduled.
14 15