Conducting Internal Audits

Internal audits are a requirement of ISO 9001.   They are a critical component of any quality management system (QMS).  They let management know whether or not the QMS is compliant with ISO 9001, and will indicate any significant non-conformances to the QMS or the standard.

There should be an audit schedule.  The QMS must be in compliance with the schedule.  The external auditor will review random audits for completeness and for the quality of the audit performed.  A typical audit schedule might look like:

Process	Audit Frequency	Audit Month
Purchasing	annual	May
Design	annual	June

 An internal audit is compliant if it has a list of the questions asked and whether or not the QMS was in compliance with the question.  However, meeting these basic requirements does not necessarily mean that a quality audit was performed.

When creating an audit checklist, first study the process or document.  Form questions designed to understand whether the process is in compliance.  When forming the questions, consider requirements that go beyond the basic process requirements of the process.  For example when auditing a manufacturing process, it is natural to ask questions that determine whether or not the process is being followed.  In addition though, other questions such as ‘Are the technicians trained to perform these tasks?’ or ‘Are production records stored in the supervisors office?’ addresses other questions related to ISO 9001 that go beyond the basic process steps.

Collect objective evidence that the response is or is not in compliance with the process.  Since audits will be reviewed later, it’s important to show how the answer to an audit question was achieved.   This is especially important if the process is not in compliance with a question because a corrective action is required when noncompliance is uncovered.  The process owner will want to see the objective evidence to know how noncompliance was determined and to respond to the CA.

Objective evidence may take many forms.  An employee interview indicating who was spoken to and what questions were asked is one form of evidence.  Copies of records, or the record type examined and the record’s document number is another.  The number of records examined need not be large.  Five records of a record type are enough in most cases.  More records might be required if a significant noncompliance is uncovered.  In this case the auditor should be able to show whether the noncompliance is an isolated incident or a systemic problem.

In larger structured companies it is important to schedule audits with the audited organization in advance.  I like to audit without providing advanced notice, but this is not always possible.

Some people get uncomfortable when an audit is being conducted.  It is important to make those

audited comfortable with the audit.  I like to start an interview by explaining that I’m conducting a process audit, what process I’m auditing and that the audit is just a routine audit.  I point out that there are no wrong answers to the questions I’m going to ask.

Finally, keep in mind that the output of an audit is a record, and as such must meet the requirement of 4.2.4 Records.  I bring this up only to remind readers that audits must be legible and retrievable.