1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Help with Internal Audits based on ISO9001:2015

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by claudiogut, Mar 1, 2023.

  1. claudiogut

    claudiogut Member

    Joined:
    Aug 10, 2019
    Messages:
    31
    Likes Received:
    5
    Trophy Points:
    7
    The company I work for is being audited by a potential new customer and they want to see evidence of internal auditing of their processes, “as per ISO9001:2015”.

    Does that mean going down the standard and checking off what applies and what doesn’t and what we would take exemption to?

    For instance, we’re an industrial distributor and not actually manufacture or design anything. We just stock parts and ship them.

    What would be an internal auditing plan based on the 9001:2015 standard?
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    This is always a cause for concern, because the customer isn't always clear what they mean. You could seek clarification from them, as well, since we can't really second guess their intent.

    But some background:

    Is your organization compliant and certified to ISO 9001:2015?
     
    tony s and John C. Abnet like this.
  3. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    Good day @claudiogut ;
    A couple of questions please, that will help us to better help you....
    1- May I ask, did your potential customer specifically indicated "as per ISO 9001:2015"?
    2- How are your organization's internal audits currently performed? (i.e. if being done appropriately, simply providing evidence of those audits should suffice).


    ISO 9001:2015 and auditing guide ISO 19011:2018 both emphasize the 'process approach' to utilization of a QMS, including internal auditing

    The intent is not to simply "...going down the standard and checking off what applies and what doesn’t and what we would take exemption to..." While internal audits should indeed verify that your organization is conforming to the requirements of ISO 9001, that verification should be done through review of your ORGANIZATION's processes, including the hand-off (interaction) between processes.

    For example, if your organization makes pizza, your defined processes may be ....
    * procure materials
    * store materials
    * assemble
    * bake
    * cut
    * package
    * deliver

    Internal auditing should verify that the goal and intent of these processes (performance) are being met. That leadership is aware of the performance of these processes and providing direction and resources when not as intended. That change to the processes and any governing documentation is managed as needed., etc..etc...

    My concern from your question is that possibly the organization does not have awareness and competence in regard to currently providing effective internal audits.

    Hope this helps.
    Be well.
     
  4. claudiogut

    claudiogut Member

    Joined:
    Aug 10, 2019
    Messages:
    31
    Likes Received:
    5
    Trophy Points:
    7
    @Andy Nichols and @John C. Abnet

    Thanks for your replies.

    My organization is currently not ISO9001:2015 certified. We're familiar with the standard since several of us have been in other organizations that were certified.

    The company is relatively new, so we haven't performed any internal audits yet. We were going to come up with some templates that just went down the standard and then checked off the corresponding areas but from your feedback, that's not necessarily the way to go about it.

    @John C. Abnet as per your last paragraph: "Internal auditing should verify that the goal and intent of these processes (performance) are being met. That leadership is aware of the performance of these processes and providing direction and resources when not as intended. That change to the processes and any governing documentation is managed as needed., etc..etc..."

    Don't we as a company reserve the right to prove this however we choose? Whether they're email chains or signed audit results, or something else?

    And yes, I requested some clarity from the potential customer and I'm currently waiting on an answer.
     
  5. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    OK, in which case, do you have a QMS in place?
    If the answer to my question above is "No", then I'd be questioning the customer as to why they are wasting their time/$$ doing an audit of something which doesn't exist. Who is asking for this audit? Purchasing? Is it in some contractual arrangement?
     
    John C. Abnet likes this.
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Good for you.
     
    John C. Abnet likes this.
  7. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    Good day @claudiogut
    The short answer is 'yes" !

    There is very little in regard to mandating HOW internal audits are managed (within ISO 9001:2015), beyond requirements to 'plan", "report"(input into management review/relevant management), maintain records, establish frequencies (utilizing risk as a driver), etc.... And since your organization is NOT ISO 9001 certified, then these requirements obviously do not apply.

    However, it sounds as if your potential customer may have expectations (requirements?). Your teams should ensure that those are well defined (contractual?) and understood.

    Hope this helps. Be well.
     
    RonR Quality Pro likes this.
  8. claudiogut

    claudiogut Member

    Joined:
    Aug 10, 2019
    Messages:
    31
    Likes Received:
    5
    Trophy Points:
    7
    So I found the attached checklist to go by for an internal audit based on ISO 9001:2015. My concern is that it's 27 pages and may take days. Does anyone here know of an abbreviated version of it? Or maybe a higher level checklist that would satisfy any auditor in the future that wants to see that we hold our internal audits as per the standard?
     

    Attached File(s): 1. Scan for viruses before using. 2. Report any 'bad' files by reporting this post. 3. Use at your own Risk.:

  9. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    It may be used for the very first Internal Audit before certification, but not really after that, for several reasons. If you are doing the preparation for a Stage 1 audit, prior to ISO 9001 certification, then it can be helpful. Also, a 3rd party Registrar/Certification Body auditor may accept it as a reasonable thing to do, since will identify any (obvious) gaps. Also, initially, your scope and criteria could well be the "whole QMS" and "ISO 9001".

    Not recommended thereafter, however.
     
    John C. Abnet likes this.
  10. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Why do we need to transform the statements in the standard into questions to have an audit checklist? An internal audit checklist should contain the set of requirements (NOT ONLY FROM THE CLAUSES) that are relevant to the process being audited. The following references can provide guidance in developing value-adding internal audit checklist:
    • 9.2.2 of ISO/TS 9002:2016: “As a best practice, the organization should plan and conduct audits according to the requirements of its quality management system, by project or process, rather than by the specific clauses in ISO 9001”;
    • IAF ISO 9001 Auditing Practices Group Guidance on Audit Planning: “Develop the plan around the processes – not the clauses of the standard”;
    • A.2 of ISO 19011:2018: “The use of a “process approach” is a requirement for all ISO management system standards in accordance with ISO/IEC Directives, Part 1, Annex SL”;
    • 9.2.1 of ISO/TS 9002:2016: “there is no requirement for every clause of ISO 9001, or process in the quality management system, to be evaluated during every audit”;
    • IAF ISO 9001 Auditing Practices Group Guidance on Checklist: “Generic checklists, which do not reflect the specific organization’s management system, may not add any value and may interfere with the audit”;
    • 9.4.5.3 of ISO/IEC 17021-1:2015: “A finding of nonconformity shall be recorded against a specific requirement”;
    • 3.7 of ISO 19011:2018: “Audit criteria - set of requirements used as a reference against which objective evidence is compared. NOTE 2: Requirements may include policies, procedures, work instructions, legal requirements, contractual obligations, etc.”;
    • 9.2.1a.1 of ISO 9001:2015: “The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system: conforms to: the organization’s own requirements for its quality management system.”
    Organizations, including auditors, with shallow understanding of the intent of the standard for having internal audits are, usually, attracted to “generic” checklist. The usual intention of accomplishing generic checklist is to demonstrate that all the clauses are covered, which is not, again, the intent of the standard.
     
    John C. Abnet and Andy Nichols like this.
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Party, because the model of internal auditing has, for the last 35 years, been based on that of a supplier audit (which morphed to a CAB audit) and used ISO 9001/2/3 as the audit criteria - because that is one of the things that SQA auditors are interesting in.

    Having set that train in motion, it came off the tracks a while ago and has been a slow-motion wreck ever since, due to the popularity of the Lead Auditor course, which many CABs promote, a lack of improvement in understanding of internal audits and so on. The reasons are numerous...
     
    tony s and John C. Abnet like this.
  12. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA

    Consistent with @Andy Nichols and @tony s ...good lord no.

    For example, if your organization makes pizzas (consistent with the example I provided in #3 of this thread), the example you were given considers none of the actual processes specific to the organization...i.e. does nothing to verify what your organization actually does and confirm that the organization's leadership's intent is actually being manifested.

    Your organization likely knows best what the content of a 'checklist' (if a checklist will be used) should be.

    Reminder- internal audits are to help your organization see if it's performing as intended ...NOT to simply "...satisfy any auditor..."
    Hope this helps.

    Be well.
     
  13. claudiogut

    claudiogut Member

    Joined:
    Aug 10, 2019
    Messages:
    31
    Likes Received:
    5
    Trophy Points:
    7
    So I ran the audit using the template I had attached up there. It was extremely thorough, more than necessary, but for a young company I think it was helpful.

    I'd like to tally it up and give a score per item and I was wondering if anyone knew where I could download a template in Excel where I can plug my results in to get a score? I can develop one from my Word document but an existing template would save me a lot of time and may have some fields I hadn't taken into consideration.

    Thanks in advance to anyone who can point me in the right direction.
     
  14. claudiogut

    claudiogut Member

    Joined:
    Aug 10, 2019
    Messages:
    31
    Likes Received:
    5
    Trophy Points:
    7
    I found a really cool scoring system spreadsheet (attached) but it's for ISO9001:2000! LOL!

    I guess I can modify it to match the 2015 standard but if anyone knows of a similar tool for 2015 it'd be a big help!
     

    Attached File(s): 1. Scan for viruses before using. 2. Report any 'bad' files by reporting this post. 3. Use at your own Risk.:

  15. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    DO NOT "SCORE" your internal audits! You will regret it. I have seen this sheet before and it misses several important facets of the 2015 standards. What you have here is out-moded and IMHO dangerous. It overlooks that "documentation" is the choice of "interested parties". It similarly overlooks anything more than simple compliance. You'd have so much work to tweak this to suit 2015 and, then, how do you ensure the criteria are appropriate? Would management agree?

    And then, having assigned a number why would a 79 be any less worthy than, say, an 80? People play games with scores. If we knew who did this in 2008, ask them if they are still using it - and if their management actually a) like it and b) use it...
     
    RonR Quality Pro and tony s like this.
  16. claudiogut

    claudiogut Member

    Joined:
    Aug 10, 2019
    Messages:
    31
    Likes Received:
    5
    Trophy Points:
    7
    OK, I agree with you, Andy. And FYI, this is not even for 2008... it's for 2000! hahaha

    How would a binary system of assessing the audit sound? Something like:

    YES- There's evidence of this or

    NO - There's no evidence of this

    Then just adding the YES and NO up and hoping that the YES win? After all, this is an internal audit and we can have any criteria for passing or not, right?

    If I'm way off base, can you suggest an alternate way of interpreting the results of this audit?
     
  17. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    It wasn't much of a change, really, but yes. now 23 years old!

    I guess it depends on your ideas or understanding of the purpose of IA. Some look at it as a stand-alone process and overlook the purpose described in the ISO requirements. I don't believe (internal) audit exists to stand alone. It is there to verify and provide information (per 9.2) - as an input to 9.3 Management's Review. In which case any "score, per se" is, like a game of football (soccer) not a meaningful descriptor of what happened. a (1-1) draw could have been a thrilling 90 minutes, with many attempts on goal by both teams similar possession time, etc etc.

    To understand how audits should work, it's important to know how management will understand the results of those audits.
     
  18. RonR Quality Pro

    RonR Quality Pro Active Member

    Joined:
    Sep 30, 2021
    Messages:
    54
    Likes Received:
    45
    Trophy Points:
    17
    Location:
    SW Ontario Canada
    I agree with Andy (at least, my interpretation of what he said). To add any kind of a 'scoring' system to the internal audits is (IMHO) of no real benefit. The audit is intended to assess the compliance of the QMS to the standard, to customer specific requirements, and to the companies OWN internal requirements. The system either conforms or doesn't. The only 'scoring' that I would consider using the the number of non-conformances identified in the course of the audit.
     
    Andy Nichols likes this.
  19. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    Please don't torture yourself with that checklist.

    The customer is likely interested in that you are controlling how their product is managed, and how you oversee that. Since you are not currently certified to ISO 9001, there is no requirement - unless they have specified one - that you have specific clauses covered.

    I do see that some are filled out, but what I see does not describe evidence, just what you would do/claim to do. Evidence is which documents were reviewed, which management reviews were reviewed, what the monitoring and measurement activities were, etc.

    If you are a distributor of my product, I would be interested in these subjects and how you oversee them:
    • Product preservation: physical integrity through sound facilities (not getting soaked from dripping roof, etc.).
    • Product preservation is also, if the product needs temperature controls, how you manage that. If you must keep product within certain temperature and/or humidity limits, monitoring and measurement is about how you know your facilities maintain within those limits. That also applies to trucks. Calibration needed? Evidence is that it is done.
    • If the product has shelf life, how you manage that (First In, First Out or FIFO)
    • Product traceability: how you know where things are, how many are on hand, how efficiently and effectively they are located - do you have to keep track of serial numbers? If so, how do you do that?
    • Personnel ability to perform their duties in support of your product preservation: forklift truck driver quals, packaging if you do any of that, etc.
    • How you maintain your fork trucks (infrastructure). Also, if you use lifting equipment besides fork trucks to transport product, how is that maintained? (PM schedules and their being accomplished, etc).
    • How your storage racks are maintained: are they getting hit by fork trucks? If so, they should be reviewed and repaired as needed before storing product again.
    • If you use software to maintain your product traceability, how is your data protected? This is infrastructure too. Evidence of backups completed, etc. are audit evidence.
    • If you contract services, including trucking, how do you oversee them? Supplier control. Evidence is how the process is fulfilled.
    I hope this helps.
     
    tony s likes this.
  20. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Actually, while these are some of the things an outsider might consider to be important, no-one can suggest specific things to make a priority for the internal audit programme. Although inventory accuracy etc may be critical to a distribution organization, if there is, for example, high turnover of warehouse staff, THAT should be the consideration for driving the audits.
    The requirements of ISO 9001 make the organization consider what's important etc. Those offer guidance should emphasize this.