Sample ISO 9001 Internal Auditing Procedure

1. PURPOSE
The purpose of this procedure is to define the steps that follows in planning, performing, reporting, recording, and following up on internal audits.
conducts internal audits to determine whether the quality management system:
- Conforms to planned arrangements, to the requirements of ISO 9001 and to the quality management system requirements established by (QMS Manual policies, procedures, work instructions, and forms)
- Is effectively implemented and maintained.

2. SCOPE
This procedure applies to all company personnel who are responsible for planning, development, use, and maintenance of the quality management system.

3. DEFINITIONS
None

4. REFERENCES
4.1 Quality Manual,
5. ASSOCIATED DOCUMENTS
5.1 Audit Check List,
5.2 ERC/ERO Procedure,
5.4 Audit Schedule,
5.3 Audit Notebook

6. PROCEDURE
NOTE 1: This procedure is typically initiated about four weeks prior to the execution of an internal audit as called for by ’s audit schedule. The audit schedule is established and maintained by The Quality Assurance Manager.
NOTE 2: Every element in the quality system is audited on a regular basis and at minimum of once per year. Activities are audited more frequently if there are significant changes taking place (i.e., many new hires/high turnover of personnel, modified procedures and work instructions, etc.) or if there is a history of problems in that area.
NOTE 3: Only qualified personnel may perform internal auditing activities. These qualified personnel are classified as internal auditors and have received the following training as a minimum: 1 day training on internal auditing techniques, 1 day training on the ISO 9001 Standard, this training may be performed by previously trained internal auditors.

6.1 AUDIT PLANNING, COORDINATION, AND PREPARATION
6.1.1 The Quality Assurance Manager defines the specific criteria, scope, methods, and objectives for the upcoming internal audit based on the status, maturity, and importance of specific elements in ’s quality system.
Audits shall be carried out to a defined scope and shall be as follows,
a) Planned: as per the internal audit plan
b) Unplanned: arising as a result of,
- Customer complaints
- Following the implementation of actions defined in a corrective action report
- Following the identification of additional or amended procedures for products
NOTE 4: In planning the particular audit, these activities include determining the extent and boundaries of the audit (locations, activities, processes); set of policies, procedures and/or requirements to be audited against; auditing methods; and audit objectives.
6.1.2 The Quality Assurance Manager selects the appropriate auditor to ensure objectivity and impartiality of the audit process.
6.1.3 The Quality Assurance Manager and the auditor review the proposed audit program to ensure that it is consistent with and effective for the defined audit criteria, scope, methods, and objectives.
6.1.4 Prior to the audit date, auditor reviews the appropriate quality system documentation, records of completed corrective and preventive actions, and past audit findings for the activities to be audited, and then develops a checklist covering the quality system elements and activities to be audited.

6.2 INTERNAL QUALITY AUDIT INVESTIGATION

6.2.1 The auditor will contact the personnel in the area being audited at the time indicated on the audit program, and briefly review the audit criteria, scope, methods and objectives with them.
NOTE 5: The checklists only serve as a guide to the auditors, and other areas may be investigated as deemed necessary by the auditors or as requested by the auditee.
6.2.2 When a nonconformance is identified, the auditor presents the nature of the nonconformity and the evidence to the personnel involved for verification, clarification, and addresses any questions or concerns that the personnel may have, as well as to give advice, when requested, regarding any problems which are uncovered.
6.2.3 If the nonconformance is confirmed, then go to step 6.2.5.
6.2.4 If the possible nonconformance requires further clarification the auditor will discuss the situation with the Quality Assurance Manager.
6.2.5 After the facts of the nonconformity are verified (or modified), the auditor either drafts nonconformance statement or documents the necessary information for writing one later.
NOTE 6: The nonconformance statement includes the nature of the nonconformity, the actual evidence obtained, and the nature of the requirement that is not being complied with (i.e., the appropriate ISO 9001 clause number, the appropriate quality system document section/page/paragraph, what the personnel says is the normal practice, contract requirements, statutory regulations, current standards, and any other relevant requirements).

6.3 REPORTING AND FOLLOW-UP
6.3.1 Within 2 weeks of completing the internal audit program, the auditor prepares a brief internal audit report and submits it to The Quality Assurance Manager for review and approval.
NOTE 7: The audit report includes the audit’s criteria, scope, methods and objectives, the names and titles of the audit team members, a summary of general observations (i.e., general degree of compliance and any significant problems encountered), all statements of nonconformities, weaknesses, and/or opportunities for improvement, and verification results for follow-up activities performed during the audit.
6.3.2 The Quality Assurance Manager reviews and approves the internal audit report, and then distributes copies of the report to senior management and the personnel of the audited areas that were directly involved in the audit.
NOTE 8: Any additional comments or observations of the Quality Assurance Manager can be attached to the report, but the auditor’s observations be will not be deleted or modified by The Quality Assurance Manager.
6.3.3 The Quality Assurance Manager request a Engineering Change Request for any nonconformity listed in the Internal Audit Report and for any weaknesses and “opportunities for improvement” identified and documented.
6.3.4 The Quality Assurance Manager updates and maintains the long-range audit schedule based upon the documented results of the audit and the planned corrective and preventive actions.
6.3.5 The Quality Manager shall maintain an audit notebook detailing all internal and external audits carried out.
- Long-range audit schedule
- Internal audit program
- Completed checklists- signed and dated by each auditor
- Audit report

7. REVIEW PROCEDURE
Any suggested improvements or modifications to this procedure are to be passed on to the Quality Assurance Manager for discussion at the next Quality Review Committee meeting.

Management Review IN ISO 9001 Standard

One of the most important factors in determining the success of an ISO 9001 implementation is management commitment and management understanding of what makes a good quality systems. Our turnkey Quality Management System (QMS) gives you everything you need to educate your entire company from top to bottom.

Management review is one of the key elements to building a sustainable quality system. To do this, management must be committed. This means that the management must do more than just say they are committed, they must allocate the resources to make sure that the company can continuously improve quality. Most quality systems fail from the top down! That is why external auditor almost always review the management review documentation every audit. External ISO 9001 auditors look for this commitment by evaluating the management review records. Management reviews should focus on both the quality of the products and the quality of the QMS. In general, it is very simple to maintain compliance of the management review portion of the standard. It can be done with a simple notebook that is maintained as a quality record. The Management review procedure includes a list of documentation that should be included in management review meeting. Management reviews should be done a least once per year and auditors like to see them quarterly.

Under ISO 9001, executive management has defined responsibilities. Although most of the work required to implement and maintain ISO certification is done below the executive level, ISO requires involve of personnel at the top of the organization.

It is the leader of an organization that set the goals and objectives for the quality of the company. It is also the leader that assigns resources (responsibility and authority) throughout the organization. Because of this, the leaders must be kept aware of the status of the quality system and product/service quality so they make good decision.
Much of how the company accomplishes these tasks is covered in the quality manual. Here are the 8 areas that should be address in the quality system to assure compliance to the ISO standard.

Top Management must:

Show A Commitment To The Customer

This requirement includes maintain records showing their commitment to the a customer focus, the quality system and the continuous improvement system. The use of a customer survey program is an excellent way to meet the ISO requirements for a customer focus. It is also an excellent way to keep in touch with your customers.

Make Quality Important

This includes communicating to the organization the importance of meeting the customer regulatory, legal needs as well as their produce or service needs (customer focus). Training and posting quality information around the building can do this.

Establish A Quality Policy

This should include a concise quality statement in conjunction with quality goals and a quality manual. The policy verbiage should include a commitment to continuous improvement. This information must be communicated to and understood by the entire organization.

Establish, Monitor And Update Quality objectives

These objectives should be measurable and should be relevant to all levels of the company. I recommend that they be publicly posted where everyone can see them and their status may also be posted.

Assign Resources

Ensure that resources are available to achieve the quality goals. This is the area where many companies do not meet the requirements but it is very hard to audit this general statement. Resources should be identified and planned. Planning includes manuals, procedure, work instructions and quality plans.

Assign Responsibility And Authority

Ensure that responsibilities and authorities are assigned and communicated to individuals. Responsibilities can be assigned as part of the personnel records ( see training summary sheet). Having authority means that the individual must be empowered to make changes.

Designate A Management Representative

This person will report the QMS status at periodic management reviews and promote awareness of the importance of meeting the customers needs. This is usually the quality, engineering or production manager.

Conduct Periodic Management Reviews

Management review meetings should include inputs from audits, customer feedback, process performance analysis, preventive and corrective actions system, follow-up from previous management meetings and areas for improvement. The output from the management reviews should include resource assignments, action targeting improvement of the products, processes and QMS.

The records for the management review are frequently audited so I recommend keeping a organized notebook with tabs for each management review. The creation of a check sheet (listing all the reports to be shown to top management) will make this periodic task simple to maintain. The check sheet can also be used to keep track of attendance and log feedback that is generated during the meeting.

Corrective and Preventive actions

Corrective and Preventive actions are used to adjust the manufacturing processes, quality system and product documentation to continuously improve product and service quality. This process never ends. Corrective and preventive actions are usually based on an engineering change request and engineering change order system. In general it is recommended that all feedback from internal and external sources be entered into the engineering change request system. This can include customer survey results, customer complaints, nonconforming material data, field failure data, work-in-process testing results, internal audit results, external audit results and suggestions from personnel. The inputs are then entered into the Engineering Change Request System. This system is used to queue workload for the engineering and quality problem solvers. The engineering manager or quality manager then reviews this bulk of requests for prioritization. The highest priority issues are assigned to personnel who create an engineering change order to correct the problem. Some engineering change requests will be denied and the denial will be justified in the ECR system before the item is closed. Other requests will generate an Engineering Change Order that includes an assignment to a project manager. The engineering change order will include complete details on how to correct the problem and when the change will take effect. This system is a closed loop system that will continuously improve quality. The status of the ECR and ECO systems should be used as input for the management review meetings.

The process of managing this data usually requires a database since priorities change on a daily basis and the amount of input can be very large, even at small companies. A database is also advised since the system can be used to generate automated reports that are used in the management reviews. Without constant supervision, engineering requests and change orders can pile up and start dragging down the company.

Corrective and preventive actions are listed separately in the standard to drive home the point that you can not have successful company that only corrects problems, you must prevent problems.

Corrective and preventive actions also go hand-in-hand with the requirement for continuous improvement. If the company is analyzing their mistakes, anticipating future mistakes and continuously improving, The quality of the product and services at the company will eventually be GREAT. The corrective and preventive actions system is the most critical element for an efficient quality system. Corrective and preventive actions are made using Engineering Change Requests (ECR) andEngineering Change Orders (ECO).

Any quality problem or suggestion should generate an ECR. This is the queue for engineering. If the engineering/quality manager decides that an action is required, then an ECO is created and assigned to someone with the resources to correct and prevent future problems.

ECOs should be generated by negative customer feedback, negative trend in product performance, observed areas for improvement, upgrades to documentation, or any other continuous improvement activities. Engineering change orders are the lifeblood of the organization and they must always be flowing to keep the organization strong and growing.

With this in mind, it is critical that the engineering change order system quick, simple and effective. I highly recommend the use of a database for managing ECRs and ECOs. This will give you a searchable history of changes to your products and is the best tool for continuous improvement.