1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

How will your internal audit programme change to meet 9001:2015?

Discussion in 'ISO 19011 - Auditing Management Systems Guidelines' started by Andy Nichols, Sep 16, 2015.

  1. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Since the "status and importance" requirement appears to have changed, how will organizations who now have to upgrade their management systems to ISO 9001:2015, change their internal audit programmes?
     
    Last edited: Sep 16, 2015
  2. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    Well, they could always place a focus on risk levels, risk types and change. Oh, and since management is a larger part of active participation now, we could ask them too.
     
  3. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Well, technically, risk should have been a consideration under "status and importance", IMHO. however, since few of the people I meet can talk to what those words mean and have defaulted to so schedule of audits, I was wondering what they might be doing differently in the future - or if it was even perceived as being necessary to do something differently!
     
    Ganesh Sundaresan likes this.
  4. hogheavenfarm

    hogheavenfarm Well-Known Member

    Joined:
    Jul 30, 2015
    Messages:
    220
    Likes Received:
    160
    Trophy Points:
    42
    I would consider "importance" to cover most risk, "status" may now need to include some specifics for departmental and quality objectives, but even that is mostly covered, just not explicitly. I suppose "importance" could mean different things to different people though, so it should be looked at in the RBT way.
     
  5. Sidney Vianna

    Sidney Vianna Well-Known Member

    Joined:
    Jul 30, 2015
    Messages:
    127
    Likes Received:
    172
    Trophy Points:
    42
    ISO 9001:2015 9.2.2a) associated with 6.1 could lead to justified audit schedules which show some processes being audited at a very low frequency; i.e., once every 3 years (or even longer). Some external auditors, used to and comfortable with internal audit schedules showing all processes being audited once a year, will have a harder time rejecting some risk-based internal audit programs.

    The new revision of the standard gives organizations the chance to do the right thing, using risk-based thinking to properly focus internal audit resources in an intelligent manner. However, this latitude can also be misused by the organization to "explain" fewer or less frequent internal audits. As usual, good organizations will use the openness wisely, while non-serious ones will use the openness of the standard as loopholes to do even less, while maintaining the certificate in "good standing".
     
    MCW8888 and Tom Waite like this.
  6. Ganesh Sundaresan

    Ganesh Sundaresan Active Member

    Joined:
    Jul 31, 2015
    Messages:
    66
    Likes Received:
    36
    Trophy Points:
    17
    Never been in the shoes of External Auditors. But my feeling - Organizations exploiting the loopholes and fixing higher Internal audit frequency shouldn't really be a matter of concern for External Auditors. If Organizations cheat, results will show up and if results do not show up, there isn't anything to question the factual (May be risk based) approach adopted by the Organization. And as far as I understand, "planned intervals" of the current version does provide loopholes too.
     
  7. Ganesh Sundaresan

    Ganesh Sundaresan Active Member

    Joined:
    Jul 31, 2015
    Messages:
    66
    Likes Received:
    36
    Trophy Points:
    17
    Sorry read that "lower"o_O
     
  8. Raffy

    Raffy Member

    Joined:
    Nov 5, 2015
    Messages:
    11
    Likes Received:
    2
    Trophy Points:
    2
    Location:
    Philippines
    Hi Jennifer,
    Good day!
    With regard to risk, how to create a corrective and preventive action report form which includes risk levels and risk types? Please advice.
    Best regards,
    Raffy
     
  9. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Raffy: Why are you still pursuing "Preventive Action"? It's been removed from the ISO 9001:2015 standard because a) no-one did a good job and b) the whole QMS is supposed to be about preventive action...
     
  10. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    Hi Raffy,

    With 2015 it is not about creating corrective and preventive action reports. It is about creating operational controls that help address risk, and corrective action when that fails.