ISOM QUALITY INTERNAL AUDIT GUIDE
A GUIDE TO THE INTERNAL AUDITING OF ISO 9001:2000 QUALITY MANAGEMENT SYSTEMS
First edition March 2002
Copyright 2002 Isom Ltd.
This document may be reproduced by the purchaser for the sole purpose of implementing the purchaser's own quality system. Requests for reproduction for other purposes should be sent to Isom Ltd at the address below.
Isom Ltd, 9 Patford Street, Calne, Wiltshire
Tel: 01249 812343
Fax: 01249 816963
www.isom.co.uk
e-mail: [email protected]
CONTENTS
SECTION 1 INTRODUCTION
1.1 Purpose of the Guide
1.2 Aim of Internal Audit
1.3 Requirements for Internal Audit
1.4 Terminology
SECTION 2 DEVELOPING INTERNAL AUDIT PROCEDURES
2.1 General
2.2 Responsibilities
2.3 Planning and Preparing Internal Audit Procedures
2.4 Documenting Internal Audit Procedures
SECTION 3 PREPARING FOR AND CARRYING OUT INTERNAL AUDITS
3.1 Pre-Audit Preparation
3.2 Opening Meeting
3.3 Carrying Out the Internal Audit
3.4 Closing Meeting
SECTION 4 POST AUDIT ACTIVITIES
4.1 Reporting to Quality Manager
4.2 Follow-up Action
4.3 Reporting to Top Management
APPENDIX 1 Example Audit Check/Record Form
SECTION 1 INTRODUCTION
1.1 Purpose of the Guide
Organizations operating Quality Management Systems (QMS) approved to ISO 9000 standards are required to carry out periodic Internal Audits of those systems. These audits are also known as First Party Audits.
Note that although references within this guide are primarily to the ISO 9001:2000 standard, the guidance is also applicable to internal audits for QMS to earlier versions of the standard (ISO 9001, 9002 and 9003 of 1994).
The purpose of this guide is to provide information and assistance to enable an internal audit system to be set up with the minimum of expenditure. The guide is also intended to provide guidance to an organization’s appointed internal auditors in the preparation for and carrying out of those audits.
The information provided is based upon our experience as a small technical writing company awarded registration to BS 5750 (the British standard for quality systems at that time) on first assessment. Isom achieved the award by using its professional technical writing skills to prepare all the necessary QMS documentation for registration in-house, seeking assistance from a consultant only when necessary. In taking this course of action, the outlay in gaining registration was considerably reduced.
Subsequently, Isom’s QMS, including our Internal Audit procedures, has been successfully updated in-house to meet the requirements of ISO 9001:1994 and, more recently, ISO 9001:2000.
1.2 Aim of Internal Audit
The Internal Audit should ascertain the level of control that the organization has over its quality systems and the effectiveness of those systems. Ideally (and hopefully), you are confirming that your organization is operating according to its documented QMS procedures and that the organization is in control of the QMS, its implementation, maintenance and improvement.
1.3 Requirements for Internal Audit
The mandatory requirements for Internal Audits are defined in clause 8.2.2 of the ISO 9001:2000 standard. In summary, the organization is required to conduct Internal Audits at planned intervals to determine whether its QMS:
• conforms to the requirements of the standard;
• conforms to the organization’s planning for product realization;
• conforms to the QMS requirements previously established by the organization;
• is being implemented and maintained effectively.
Planning of an internal audit programme should take into account the status and importance of the processes or activities to be audited and should also consider the results of previous audits. The standard requires the audit to be an objective and independent examination of the quality activities - auditors should not have been involved in the process or activities being audited.
The ISO 9001:2000 standard is usually issued as a set complete with the following related standards:
• ISO 9000:2000: Quality management systems - Fundamentals and vocabulary. This standard includes definitions of the terminology used throughout the series of standards (see 1.4 Terminology below).
• ISO 9004:2000: Quality management systems - Guidelines for performance improvement. This standard includes guidelines for improving a QMS beyond the requirements of ISO 9001:2000. Guidelines relevant to internal audit are found in clause 8.2.1.3.
1.4 Terminology
Generally, terminology within this guide is the same as used with the ISO 9001:2000 standard (and defined within the ISO 9000:2000 standard). For example, ‘organization’ is used to denote a company, corporation, firm, enterprise, business, etc. Of particular importance for internal audits, ‘nonconformity’ is defined as:
‘non-fulfillment of a requirement’
SECTION 2 DEVELOPING INTERNAL AUDIT PROCEDURES
2.1 General
ISO 9000:2000 defines an audit as a:
‘systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled’
In the context of a QMS, systematic means that:
• audits are carried out according to a plan;
• the whole QMS is audited within a pre-determined period;
• the audits are carried out according to documented procedures;
• the audit findings are formally reported and recorded;
• effective post-audit action is taken where required.
The complexity of your Internal Audit procedures will depend to a large extent on the size and complexity of your organization and of your QMS. Due to the size of our organization and the nature of our business, Isom is fortunate in that our Internal Audits are conducted by one auditor carrying out one documented procedure. A large, multi-department organization may need to develop several different Internal Audit procedures, each one tailored to the needs of a particular department, or even a particular process area. In each case, however, the aim of the audit is the same and the procedures should all follow the same principles.
2.2 Responsibilities
Overall responsibility for planning and conducting Internal Audits, reporting results and maintaining records lies with top management. In all but the smallest organizations these responsibilities will be delegated to a Quality Manager. The Quality Manager may head a separate Quality Department, which includes designated auditors, or may operate without their own staff, relying on auditors co-opted from other parts of the organization on an as-needed basis.
Managers of departments or areas audited are responsible for ensuring that follow-up actions, particularly regarding any detected nonconformities and their causes, are carried out without undue delay. Where necessary, the follow-up actions should be verified and the verification recorded.
2.3 Planning and Preparing Internal Audit Procedures
When planning an Internal Audit System, you need to make the following decisions:
• how many individual internal audit procedures are required;
• how often should the internal audits be carried out;
• what should be included in the procedure for each internal audit;
• who should carry out the internal audits;
• what are the responsibilities of auditors.
Requirements for individual internal audits
The first stage in planning procedures is to determine how many individual internal audits will be required. It is possible to audit small organizations with one procedure and in one operation. Larger organizations will require individual audits for separate departments, e.g. Finance, Stores, Drawing Office, etc., or even for separate work areas, e.g. Calibration Control of measuring/checking instruments. There are no hard and fast rules; you should be guided by your experience, knowledge of the organization and common sense - each audit should be capable of being carried out by a single auditor in a reasonable time frame.
When planning audits for individual departments, arrange for them to cross bridges between related departments/work areas - e.g. between Stores and Receipt and Despatch, or between Stores and Goods Inward. Do not leave gaps that may remain un-audited and consequently hide potential problems.
Frequency of audits
The ISO 9001:2000 standard requires only that internal audits are conducted at ‘planned intervals’ - there is no guidance as to what those intervals should be. Certainly, the internal audits should be carried out no less than once per year. More meaningful results will be obtained if they are carried out more often. Obviously, the higher the frequency of the internal audits, the greater the need for auditing resources and the greater the interruption to day-to-day operation of the organization. In Isom’s case, we considered every six months to be a reasonable compromise. It should also be noted that it is perfectly acceptable to audit some activities at a higher frequency than others.
Where a number of individual audits are required, an audit schedule should be prepared. This schedule should show which department, work area, etc. is audited and when. It should also show which, if any, activities are audited more often than others and that the complete QMS is audited within the pre-determined period.
Content of Internal Audit procedure
What to include in a procedure for Internal Audit will to a large extent depend upon your own QMS. However, there are some fundamental questions to be answered which will provide a basis for your audits. These are:
• has the nature of the product and/or process changed since last audited, i.e. do the QMS procedures, work instructions, etc. reflect current practice and are they still relevant?
• are staff aware of the organization’s quality policy and are the quality procedures and objectives relevant to their work?
• does the quality of the organization’s product(s) reflect that staff are adequately and appropriately trained, skilled and competent?
• are the relevant documented procedures being followed?
• are appropriate records being kept?
The procedure should be structured to provide answers to the above questions as applied to your QMS. Further information on this subject is given in 2.4 Documenting Internal Audit Procedures.
Assigning personnel for auditing
Depending on the structure of your organization, the required auditors may be part of a dedicated Quality department or may be temporarily seconded from other activities. The standard does not include specific requirements for the source of internal auditors. However, it does state that the selection of auditors should ‘ensure objectivity and impartiality of the audit process’ (ISO 9001:2000 clause 8.2.2). Neither does the standard include a requirement for specially trained internal auditors, although it does include a general requirement that staff performing specific tasks affecting quality should be assigned on the basis of appropriate education, training, experience and competency (ISO 9001:2000 clause 6.2.1). These points should be considered when selecting and assigning auditors.
It is suggested that a good auditor will have most of the following personal qualities:
• be objective and analytical with reasoned judgement;
• be mature and self-motivated;
• be a good communicator (both written and oral);
• be tenacious;
• be tactful, diplomatic and patient;
• be open minded and flexible.
Quite a tall order and obviously very much the ideal auditor.
Responsibilities of individual auditors
Generally organizations will utilize an audit team comprising several auditors under the control of a lead auditor, with the audit team being under the overall control of the Quality Manager. Overall, an audit team is responsible for:
• complying with the requirements of the audit;
• communicating and clarifying the requirements of the audit to other management and personnel;
• carrying out the audit in accordance with the documented Internal Audit procedures;
• recording the audit results and safeguarding audit documents;
• verifying that corrective actions are carried out effectively;
• ensuring that confidential and ‘privileged’ information is treated with due respect and discretion;
• bringing audit observations and recommendations to the attention of management.
Principal responsibilities of a lead auditor are:
• assisting with selection of auditors;
• control and representation of the audit team;
• control of the complete audit;
• final decisions on: conduct of the audit; the audit report, observations and recommendations.
Individual auditors are responsible for:
• supporting and co-operating with the Lead Auditor;
• planning and carrying out assigned audit tasks;
• documenting observations during the audit;
• reporting audit results to the Lead Auditor;
• assisting the Lead Auditor to compile the audit report.
Obviously, if only one auditor is used, their responsibilities will be a combination of all the above.
2.4 Documenting Internal Audit Procedures
The procedures for Internal Audit must be documented and can be included in the organization’s Quality Manual or in a separate Quality Procedures Manual or even as separate stand-alone procedures. There is no set down format within the ISO standard; it is a matter of choice. Isom chose to present these in a separate Quality Procedures Manual, mainly to keep the Quality Manual from seeming ‘cluttered’. Choose what best suits your organization. However, if the procedures are not included in the Quality Manual there must be references to them within that manual.
The audit documentation usually consists of a combination of text describing internal audit policy and management responsibilities (which will be included in the Quality Manual and/or associated Quality Procedures Manual) and separate working procedures for the auditors. These working procedures are most usefully presented in the form of check lists with ‘tick’ boxes (or YES/NO boxes) for ease of completion.
Points to consider when compiling these procedures/check lists are:
• decide audit objective(s) linked to specific requirements of the standard;
• identify aspects of the QMS documented procedures which are relevant to the department/work area being audited;
• identify relevant process inputs, outputs, interfaces (e.g. with other processes), inspection points, hold points and any feedback loops;
• follow a logical sequence to avoid unnecessary return visits to areas or personnel already audited.
Taking Isom’s documentation as an example, text in the Quality Manual combines a statement of the organization’s responsibilities with a broad outline of the procedure and is as follows:
Internal Audit (ISO 9001:2000, Clause 8.2.2)
To ensure that the organization’s QMS is being operated correctly and effectively, the Quality Manager shall organise a system of internal audits. At least one audit must be carried out in every six month period. Any higher frequency of audits is at the discretion of the Quality Manager. The Quality Manager may assign any suitably trained personnel to carry out the audit but must ensure that the personnel assigned has not been involved in the activities being audited. The results of audits will be analysed in Management Review (refer to SECTION 2). Internal Audits shall be carried out using QMS Form 6. Procedures for Internal Audits are described in 1.3 INTERNAL AUDIT in SECTION 1 of the organization’s Quality Procedures Manual.
As can be seen, this text refers to the more detailed procedures included in the associated Quality Procedures Manual as follows:
1.3 INTERNAL AUDIT (ISO 9001:2000, Clause 8.2.2)
In compliance with SECTION 5 of the Quality Manual, the Quality Manager shall organise a system of internal quality audits. At least one audit shall be carried out on a six-monthly basis. Any higher frequency of audits is at the discretion of the Quality Manager. The Quality Manager may assign any suitably trained personnel to carry out the audit but must ensure that the personnel assigned have not been involved in the activities being audited.
The audits shall be carried out by using QMS Form 6 (refer to Appendix F) and are designed to ensure the following:
(1) That quality system documentation adequately defines the needs of the organization.
(2) That the documented procedures are practical, understood and followed.
(3) That training is adequate.
(4) That customer satisfaction can be measured and monitored (refer to SECTION 5 of the Quality Manual and Appendix L of this manual).
The results of the audit shall be recorded on QMS Form 6 (refer to Appendix F) and shall indicate the following:
(1) The deficiencies found.
(2) The corrective action required.
(3) The time agreed for corrective action to be carried out.
(4) The person responsible for carrying out the corrective action.
(5) The recommendations for improvements as necessary.
QMS Forms 6 shall be filed with other Quality Records by the Quality Manager and shall be made available when Management Reviews are carried out.
This text defines the responsibility for organizing the audits, their planned frequency and the criteria for assigning auditors. The text also gives a summary of what the audit should achieve and what should be included in its record - in Isom’s case this also refers to our QMS Form 6 which is used to carry out and record the actual Internal Audit (refer to text below). Note that the Isom text refers to ‘... suitably trained personnel ...’ (see 2.3 Planning and Preparing Internal Audit Procedures).
The auditors’ procedures/check lists should enable them to:
• ensure that the appropriate QMS procedures are being followed correctly;
• ensure that process/product inspections are being carried out correctly;
• ensure that any required documentation (e.g. forms) has been completed correctly;
• ensure that the required QMS records have been completed and filed;
• identify nonconformities with the organization’s QMS.
Isom’s Internal Audits are carried out using the QMS form mentioned above. This is an integral part of the procedure and is used as an enhanced check list. A copy of the form is reproduced as Appendix 1 to this guide. Notes on the use of the form are included as italic text in grey boxes.
SECTION 3 PREPARING FOR AND CARRYING OUT INTERNAL AUDITS
3.1 Pre-audit Preparation
Depending upon the organization's structure, size and its QMS, some or all of the following preparatory actions may need to be carried out by the audit team, or auditor, prior to the audit:
• review the scope and size of the audit, determine size of audit team;
• obtain audit check lists (procedures) and ensure they are up to date and complete;
• obtain details (work carried out, personnel, management structure) of the department(s) or process area being audited;
• obtain copies of relevant work process flow charts or work instructions;
• prepare audit programme and agree programme with auditees;
• obtain details of any restrictions that may apply to the audit (e.g. restricted access to certain areas on security or safety grounds);
• arrange for departmental guide(s) or escort(s) for the auditor(s), these guides should: have a good knowledge of the activities carried out by the department or work area being audited; know the names, titles, etc. of department personnel; be capable of understanding audit observations.
The mutually agreed audit programme formalizes the audit and should:
• inform those involved (the auditees) about what will happen during the audit;
• enable the audit to be carried out efficiently;
• enable the audit to be carried out with the minimum of disruption to the auditees’ work;
• ensure that a complete audit will be carried out.
The lead auditor should assign specific tasks to each team auditor before the opening meeting.
3.2 Opening Meeting
The internal audit should start with an 'Opening Meeting' with the head of the department/work area being audited. The objectives of the opening meeting are:
• to confirm arrangements for the audit;
• to introduce the audit team;
• to meet key participants in the audit;
• to confirm specific details (of the department/work area);
• to brief the departmental management/work area supervisors and to answer any questions raised;
• to gain information about the working of the department/work area;
• to verify that nothing has changed since pre-audit contact;
• to allow clarification of any aspect of the audit.
The audit team should arrive together and at the agreed time. The meeting should be controlled by the lead auditor who should endeavour to maintain the initiative at all times. Other auditors within the team should contribute to the meeting when invited to do so. The meeting should be kept as short as possible; time wasting should be avoided. If considered necessary, a brief familiarization tour of the department/work area being audited may follow the opening meeting.
3.3 Carrying Out the Internal Audit
The precise actions of an auditor during an internal audit will, of course, depend upon the documented procedure/check list. There are, however, definite right and wrong ways to conduct an audit. The following are generally considered to be good auditing practice:
Behaviour of auditors
• the auditor should show a friendly but formal approach to auditees;
• the auditor should be observant and understanding;
• the auditor should strive to achieve good communication and recording during the audit;
• the auditor should be aware of their ‘body language’, e.g. do not display aggression, do not point fingers at auditees, etc.
Interviewing auditees
• use the procedures/check lists as guides, do not be inhibited by them;
• wherever possible, ask only open-ended questions, e.g. ‘How do you monitor the ...?’ not ‘Do you monitor the ... by ...?’;
• allow the auditee time to answer your question fully, do not lead their answers;
• do not let the departmental guide or escort answer for the auditee;
• observe the auditee’s body language, are they: looking uncomfortable; looking too comfortable/acting too confidently; passing ‘secret messages’ (by means of gestures, facial expressions, etc.) to other auditees;
• wherever possible use the ‘feedback loop’ method of checking, i.e.: ask questions (open-ended) to provide information; observe what is happening; check the relevant documented instructions provided, records generated and interfaces for compliance; record positive or negative ‘objective’ evidence.
• do not criticise auditees at the work place (see also ‘When nonconformities are discovered’ below).
When nonconformities are discovered
• DO NOT: criticise the employee; tell them that you are going to raise a nonconformity; write out the nonconformity notes at the auditee’s workplace.
• DO: thank the auditee for their time and attention; discuss the nonconformity in private with the auditee’s manager or supervisor.
Grading nonconformities in a QMS
Any nonconformities found should be graded as follows:
Critical - This is a nonconformity that is likely to result in an unsafe product or in unsafe conditions for people using that product. The required corrective action should be given the highest priority and completed as soon as possible.
Major - Although not critical, this grade may result in failure of, or seriously reduce the use of, a product. A failure to meet a requirement of the standard, or a nonconformity having a significant effect on efficiency or cost should also be graded as Major.
Minor - Any nonconformity that, although not desirable, will not seriously affect the use of the product should be graded as Minor. Correction of items in this grade will result mainly in improvements to the QMS.
Before leaving the audit site
• find a quiet location to gather your thoughts and organize the paperwork;
• allocate significance to your findings;
• write up the appropriate section(s) of your report.
3.4 Closing Meeting
For the closing meeting, the audit team should report back to the people (appropriate managers, supervisors, etc.) that attended the opening meeting. The following protocol should be observed during this meeting:
• address comments to the manager or other senior person present;
• do not criticise any of the auditees;
• confine the discussion to the relevant features of the QMS and product realization process(es);
• do not try to tell the managers/supervisors how to do their jobs;
• include the positive findings of the audit;
• invite agreement on the audit findings, try not to close the meeting with disagreements outstanding - it may be better for the audit team to back-down on some contentious findings;
• reach agreement on nonconformities, the associated corrective action required and the timing of that action;
• invite suggestions for actions;
• answer all queries;
• produce a (hand written) summary of the meeting and get it signed by the manager/supervisor before closing the meeting.
SECTION 4 POST AUDIT ACTIVITIES
4.1 Reporting to Quality Manager
Following the closing meeting, the audit report should be finalised and completed. The report should then be submitted to the Quality Manager. The Quality Manager should be briefed on any nonconformities found and the associated corrective action(s) and timing agreed with the auditees. Depending upon your findings, the Quality Manager may decide that a complete re-audit is required; any such decision should be communicated without delay to the department.
4.2 Follow-up Action
On completion of the original audit and after discussion with the Quality Manager (see 4.1 above), the actions detailed below should be carried out:
• arrange the time and programme for recheck or re-audit, as appropriate, with the department manager or supervisor;
• on the recheck/re-audit, concentrate on the nonconformities previously reported or the improvements suggested and agreed. Ensure that the underlying causes of the nonconformities have been corrected;
• when all corrective/preventive action is complete, finalise the audit report and submit it to the Quality Manager for archiving.
Note that any corrective/preventive action to be completed before the next audit should be clearly identified.
4.3 Reporting to Top Management
Your organization’s procedures may require that you also report audit findings to top management. In this case it is likely that the report is made jointly by the auditor and Quality Manager.
Management are likely to see any recommendations for improvement as probable costs to the organization and are likely to resist them. These are probably best presented visually as a cost/benefit impact matrix in which the cost is shown in relation to the benefits.
As an example, the audit may well have highlighted a particular QA procedure that is not being carried out well because the associated documentation (e.g. work instruction) is poorly laid out and not easily understood. As a result the rejection rate from this part of the process is unnecessarily high. Revising the documentation to improve its layout and make it readily understandable will be low in cost but should be high in benefit due to decreased rejection rates. This is shown on the example matrix:
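[Figure: cost/benefit impact matrix. Vertical axis: Cost (Low to High). Horizontal axis: Benefit (Low to High). The item ‘Revise documentation’ is plotted at low cost and high benefit.]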
Management will show great enthusiasm for items in the bottom right of the matrix; items in the top left hand will be of no interest whatsoever!
APPENDIX 1 - EXAMPLE AUDIT CHECK/RECORD FORM
Isom has basically one production process which outputs a product tailored to suit different clients’ needs. The project number identifies the client and thus the variation.
These questions are asked of the organization as a whole. The Deficiencies/Recommendations/Remarks can refer to the whole organization or to specific projects.
These questions refer to specific QMS processes or to stages in the production process.
These questions are intended to highlight any problems with particular disciplines or the skills of individuals and thus pinpoint training and development needs.
The initials will be those of the person responsible for carrying out the necessary corrective action(s) and are intended to signify that person’s agreement to taking that action.
The Quality Manager (or other designated responsible person) will sign-off the audit and file it in the QMS records system.