In the aims to ensure that the Quality Management System (QMS) in Organization is established, implemented and maintained in accordance with ISO 9001:2008 Standard and stated quality policy, Organization shall schedule, conduct, and continual improve the internal quality auditing within the organization.
Internal auditing, when effectively implemented, can arguably be considered the most important tool in the quality system “tool box.” The output from internal auditing is critical to the growth of the QMS – identification of system ineffectiveness, corrective action and ultimately continual improvement.
However, when internal auditing is poorly deployed, its ineffectiveness leads to increased, nonvalue-added costs, many hours of wasted resources and an eventual, inevitable QMS breakdown. The ineffectiveness internal auditing process leads to fail to effectively identify and eliminate QMS nonconformances points.
How the internal audit process is managed, is a key factor to ensuring the effectiveness of a quality management system.
So, how to continual improve the internal quality auditing process?
ISO 9000 – Quality management system
In accordance with ISO 9000 – 2005, Clause 3.2.3, that Quality Management System is Management System to direct and control an organization with regard to quality.
The ISO 9000 family addresses various aspects of quality management and contains some of ISO’s best known standards. The standards provide guidance and tools for companies and organizations who want to ensure that their products and services consistently meet customer’s requirements, and that quality is consistently improved.
There are many standards in the ISO 9000 family, including:
- ISO 9001:2008 – sets out the requirements of a quality management system
- ISO 9000:2005 – covers the basic concepts and language
- ISO 9004:2009 – focuses on how to make a quality management system more efficient and effective
- ISO 19011:2011 – sets out guidance on internal and external audits of quality management systems
ISO 9001:2008 sets out the criteria for a quality management system and is the only standard in the family that can be certified to (although this is not a requirement). It can be used by any organization, large or small, regardless of its field of activity. In fact ISO 9001:2008 is implemented by over one million companies and organizations in over 170 countries.
Certification – the provision by an independent body of written assurance (a certificate) that the product, service or system in question meets specific requirements.
A company may decide to seek ISO9001 certification for many reasons, as certification may:
- be a contractual or regulatory requirement
- be necessary to meet customer preferences
- fall within the context of a risk management programme, and
- help motivate staff by setting a clear goal for the development of its management system.
Quality audit is the process of systematic examination of a quality system carried out by an internal or external quality auditor or an audit team.
Checking that the system works is a vital part of ISO 9001:2008. An organization must perform internal audits to check how its quality management system is working.
Quality audits are typically performed at predefined time intervals and ensure that the institution has clearly defined internal system monitoring procedures linked to effective action. This can help determine if the organization complies with the defined quality system processes and can involve procedural or results-based assessment criteria.
With the upgrade of the ISO9000 series of standards from the 1994 to 2008 series, the focus of the audits has shifted from purely procedural adherence towards measurement of the actual effectiveness of the Quality Management System (QMS) and the results that have been achieved through the implementation of a QMS.
Audits are an essential management tool to be used for
- verifying objective evidence of processes,
- to assess how successfully processes have been implemented,
- for judging the effectiveness of achieving any defined target levels,
- to provide evidence concerning reduction and elimination of problem areas.
- For the benefit of the organisation, quality auditing should not only report non-conformances and corrective actions, but also highlight areas of good practice (positive audit findings). In this way other departments may share information and amend their working practices as a result, also contributing to continual improvement.
Requirements and guidance
ISO 9001 clause 8.2.2 states as follows:
8.2.2 Internal audit
“An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits”
Quality Audit Type & Difference
- First Party Audits
- Second Party Audits
- Third Party Audits
Internal or First Party Audits
- An organization auditing its own systems, a self-assessment
- Used to measure the strengths and weaknesses against requirements, and an organizations own standards.
Second Party Inspections /Audits of Other Facilities
- One organization auditing another with which it either has, or is going to have, a contract or agreement for the supply of goods or services
- Supplier audit will include the Quality Management System involved in the items or service provided
Third Party Audits
- Independent of the organization being audited
- Used to certify, register or verify
Writing Audit Reports
Clause 1.1 of ISO 9001 states that an organization needs to demonstrate its ability to consistently provide product that meets customer and applicable statutory and regulatory requirements. The audit report is an important tool in demonstrating that the organization satisfies the requirements of ISO 9001.
ISO/IEC 17021:2006 “Conformity assessment. Requirements for bodies providing audit and certification of management systems” outlines the minimum requirements for reporting, but does not define a specific format for ISO 9001 management systems reports. However some sector schemes may require the use of specific report formats. The format and content of an audit report may be varied depending on the size and nature of the organization being audited. It also depends on the objectives and scope of the audit (e.g. whether it is a Stage 1, Stage 2, or Surveillance audit, etc.)
For more detail, please read “ISO 9001 Auditing Practices Group – Guidance on: Writing Audit Reports”.
Assessing the internal audit process by third-party auditors
When examining internal audit processes, third-party auditors should evaluate:
- the competencies that are needed for and applied to the audit
- the risk analysis performed by the organization in planning internal audits
- the degree of management involvement in the internal audit process
- the guidance provided by ISO 19011 (note that ISO 9001 does not require the organization to use ISO 19011)
- the way audit outcomes are used to evaluate the effectiveness of the quality management system and to identify opportunities for improvements.
A third-party auditor needs to evaluate the organization’s approach to identifying critical areas, as well as other parameters. For example, has the organization identified processes that:
- are critical to product quality
- need special attention
- need to be validated
- need qualified personnel
- need close monitoring of parameters
- occur across multiple locations or are labour intensive.
Auditors should also ask if the organization has established process performance indicators that define effectiveness measures, and if these measures align with the organization’s overall goals and objectives. After identifying these elements an auditor needs to examine whether the organization uses such information when establishing audit frequency.
A third party auditor needs to:
a) evaluate the organization’s approach to identifying critical areas as well as other parameters;
b) evaluate the competence of the organization’s internal auditors and audit teams;
c) evaluate the planning of audits;
d) look for evidence that the organization has implemented an effective internal audit programme.
For further information, please refer to the paper: “ISO 9001 Auditing Practices Group – Guidance on: Auditing the effectiveness of the internal audit”.
How to add value during the audit process?
How can we ensure that an audit is useful to an organization in maintaining and improving its QMS? (We should recognize, however, that there may be other perspectives that need to be taken into consideration.)
In order to “add value”, a third-party audit should be useful:
- to the certified organization
- by providing information to top management regarding the organization’s ability to meet strategic objectives
- by identifying problems which, if resolved, will enhance the organization’s performance.
- by identifying improvement opportunities and possible areas of risk
- to the organization’s customers by enhancing the organization’s ability to provide conforming product
- to the certification body, by improving the credibility of the third party certification process.
The most common pitfalls to ineffective internal auditing
The following lists some of the most common pitfalls to poor and ineffective internal auditing deployment:
- Pitfall #1: Not understanding the definition of, and not basing audits on, status and importance
- Pitfall #2: Ineffective internal audit scheduling
- Pitfall #3: Internal auditors not effectively utilized
- Pitfall #4: The internal audit/corrective action process is not timely
- Pitfall #5: Internal audits do not reflect a process based approach.
Continual Improvement of the Internal Quality Auditing
“Quality culture” refers to the degree of awareness, commitment, collective attitude and behaviour of the organization with regard to quality.
For an organization that has a mature “quality culture”, and has been certified to one of the ISO 9000 series of standards for a significant period of time, the expectation of how an audit might add value will be the most challenging for an auditor / Quality Assurance (QA) Team.
In these case, herein I would like to share the continual improvement the internal auditing process based on PDCA approach (See Picture-1), the effectiveness of Internal Auditing in Organization will be significantly raised and also to promote the Quality Culture.
Feedback from Readers will be used to improve this posting.
References / Read more / Related links:
- ISO 9000 – Quality management (http://www.iso.org/iso/iso_9000)
- Certification to ISO management system standards (http://www.iso.org/iso/home/standards/certification.htm)
- Quality audit (http://en.wikipedia.org/wiki/Quality_audit)
- Improving the Effectiveness of Internal Auditing – Steps to Quality Management System Success (http://www.tuv.com/media/usa/aboutus_1/pressreleases/press_release_pdf/MSC_Internal_Auditing_Article_Improving_Effectiveness.pdf)
- Internal audit effectiveness (http://www.irca.org/en-gb/resources/APG-papers/audit-effectiveness/)
- ISO 9001 Auditing Practices Group – Guidance on: Writing Audit Reports (http://isotc.iso.org/livelink/livelink/fetch/-8835176/8835194/3541460/APG-WritingAuditReports.doc.pdf?nodeid=7978416&vernum=-2)
- ISO 9001 Auditing Practices Group – Guidance on: How to add value during the audit process (http://isotc.iso.org/livelink/livelink/fetch/-8835176/8835194/3541460/APG-HowtoAddValue.doc.pdf?nodeid=3553372&vernum=-2)
- ISO 9001 Auditing Practices Group – Guidance on: Auditing the effectiveness of the internal audit (http://isotc.iso.org/livelink/livelink/fetch/-8835176/8835194/3541460/APG-InternalAuditEffectivness.doc.pdf?nodeid=4299775&vernum=-2)