Internal Audit 9.2.1a2

I infer that the requirement that internal audits provide retained documented information clearly evidencing on whether an organization's quality management system conforms to "the requirements of this International Standard" means all applicable elements, clauses, sub clauses, and letters.

If an organization outsources the internal audits every twelve months, then the entire QMS (all applicable elements, clauses, sub clauses, and letters) must be audited and evidenced in the audit records.

Where am I off?

Thanks everyone.
Phil

 

Thanks Andy. For this organization, assume that an annual internal audit is what they can afford and seems to be adequate.
My question meant to target whether the wording in 9.2.1a2 means each and every one of the standard's requirements must be audited with each annual internal audit.

I think it does, but I want to check my take on it.

Best regards,
Phil

 

I understand the planned intervals must be appropriate and effective, so I don't want to stray from the focus of my question.

Just so I'm crystal clear, assume the QMS is internally audited every quarter (and this planned interval is demonstrably appropriate and effective), does your response above, "a) ensuring compliance" mean that each year the four internal audits must have collectively (not necessarily individually) covered each and every requirement of the International Standard?

Thanks for your patience,
Phil

 

There is no requirement that the organization must demonstrate that ALL the applicable clauses/subclauses are audited. Audits (internal and external) are done on a sampling basis.

 

Thank you Andy and Tony for your insights. My biggest concern with interpreting 9.2.1.a.2 to mean internal audits must provide information, on a sample basis, on whether an organization's QMS conforms to the requirements of the International Standard is that registrar auditors will not see it that way. Is it possible that the sampling applies to the objective evidence and not on the applicable clauses/sub-clauses?

Phil

 

Good day @Phil Scott;
The summary of the good council you have received thus far provides an accurate response to your original question, which is "no".

The standard leaves much of the audit activity up to the organization. ...
- "...planned intervals"... (no specific time frame dicated)
- " ...plan...including frequencies..." (again, frequency is left for the organization to plan)
- "define the audit criteria and scope..."

Regarding your comment ...

It may help you here to remember that the standard requires us to use a Process Approach (sections 0.3 and 0.4 in the standard to a good job of describing this). Clause 5.1.1 requires leadership to promote the process approach. In short, this is a migration from the old method (consistent with your understanding which forward engineered via the
"...elements, clauses, sub clauses, and letters...") to the current Process Approach which now has us auditing the processes within your organization's scope (e.g. stamping, labeling, painting, etc..etc...) and looking back at the standard to ensure that the control methods for those processes are conformant to the applicable "...organization's own requirements..." and "...requirements of...standard."

Hope this helps.
Be well.

 

ISO/TS 9002:2016 - Guidelines for the Application of ISO 9001:2015 has these statements to answer the above question:

 

So, Andy how do you carry out each scheduled audit? Do you audit every "shall" on all organization's own and ISO 9001 requirements for every area/process? On each scheduled audit?

 

That's a very helpful reference Tony. Thanks!
Phil

 

Thanks to you all for your insights!
Phil

 

I was actually a fan of your "football". I've actually created my own visual metaphor using the football as the model. What I have is like this:

 

I think this is the most sensible, and appropriate approach. If management is concerned about one business unit / process - do a detailed audit, or audit more frequently.

If management is comfortable with how another process or business unit is operating, audit it less frequently and/or in less detail - ‘spot check’