QMS Guidance Pt. 11 – ISO 9001 Clause 9.2
Here we are then: you’ve done the planning parts in clauses 4 through 7, then the doing part in clause 8, and now we’re into the second of three sub-parts of the checking phase of how you run your QMS.
Clause 9.2 is all about Internal Auditing, sometimes called first-party audits, which are conducted by the organisation or by someone on behalf of the organisation so that management can form some kind of view of the level of conformity of the QMS to the standard.
Like many other clauses, 9.2 is split into sub-clauses: 9.2.1 on planning for conformity and 9.2.2 on planning and conducting the audit.
You’re required to conduct audits of your QMS at planned intervals so you can later make a call on whether your QMS conforms to the standard, conforms to any other provisions your organisation places on the QMS, and has been effectively implemented and maintained.
This means you need an internal audit plan, and included in the plan should be a schedule of the audits you’ll undertake covering all parts of the standard and any add-ons to the QMS. You’re also required to plan it so you can check effectiveness and maintenance, which really means thinking about:
- Risk and Opportunity
- Scope and Strategic Direction
- Any results of previous audits, including second and third-party audits
- Any previous non-conformities and what was done about them
- How often individual processes have been audited previously and why
What the standard is silent on, though, is frequency; it’s left up to you to decide. As a consultant I’ve worked with a few Certification Bodies and without exception they all expect, as a minimum, all parts of the standard to have been audited at least once per year. And whilst the standard is silent on frequency, what you will find is that your QMS will be subject to surveillance audits at least once per year, more frequently for larger organisations. So from a purely risk-based perspective, not auditing on an annual basis might be viewed as risk-taking behaviour, which is definitely not in keeping with the standard. My recommendation is to plan to audit all aspects at least once per year, and for those aspects where the risk is higher, audit them more frequently.
So auditing the QMS is not optional, and neither is having a plan. There is no requirement to document the plan, but demonstrating that you have one might be a stretch if it’s not documented. When you get to 9.2.2.f you’ll find that a documented plan goes a long way towards demonstrating implementation, provided you craft it to show when each audit was planned for, when it was completed and by whom.
If you think of the 9.2.1 plan as the higher-level, big-picture plan, then 9.2.2 requires a more detailed plan. Effectively, if you choose to document your plan (and why wouldn’t you?) then the two elements can be combined.
Now, the standard is a little tricky here because in a note it refers you to ISO 19011 for guidance on auditing, which requires an opening and closing meeting, something the standard itself is completely silent on.
Best practice when conducting audits is to:
- Decide which processes are to be audited
- Determine what sequence you’d like to audit them in if possible
- Have an overall plan of the audit process, including, if there’s more than one auditor, who will audit what, and ensure the competency of the auditors and that impartiality is maintained
- Hold an opening meeting and agree what’s going to happen; this is the time when you might make some minor adjustments to your plan. It’s also worth reminding those being audited that you’re not there to ‘catch them out’. You might also ask for information such as customer satisfaction information, performance against objectives, any relevant reports, links to other standards and departments, how risk is controlled and so on. This is all very relevant for larger organisations, but very much overdoing it for smaller ones, where a simple email or phone call might be enough.
- Conduct the audit making sure to gather evidence, reference documents, hold interviews and record your findings
- Document your findings and compare to the requirements of the standard and QMS
- Categorise any non-conformity. Once again the standard leaves it up to you to decide this, but typically a non-conformity is classed as Major (the process is in complete failure) or Minor (parts of the process failed to comply). You might also use an Observation where you’re saying the system is compliant, but only just, and might need a bit of looking at. This is a handy tool when used properly, but don’t allow it to fall into being consulting via a back-door route.
- You might at this point engage in some root cause analysis, and here you can be a bit creative, maybe reaching into the Lean 6-Sigma playbook and using FMEA or similar. The goal is to make what you find relevant to the management and process owners.
- The standard requires you to take appropriate correction and corrective actions; my advice is to agree these at the close-out meeting, or earlier if you can.
- Lastly, hold a close-out meeting where you might thank the other auditors, explain that the audit is a spot check only, explain what you found during the audit and agree any action plans resulting from any non-conformity you uncovered. This is the time when you’ll ask if anyone has any questions and then bring the meeting to a close.
The standard does require some documented information so you can show you’ve implemented the audit programme, along with the audit results, which are normally in the form of a report with any associated non-conformance documentation.
Take-Away # 1 – you need a plan; if it’s well crafted and communicated to those who need to know about it, the audit, including the opening and closing meetings, will go smoothly, with nobody being all that surprised
Take-Away # 2 – by reminding management and those being audited that you’re not there to ‘catch them out’ but instead to help improve processes, you’ll have a greater degree of buy-in
Take-Away # 3 – being organised, with a plan, the right auditors and good communication to those to be audited, will help the organisation be ready for the audit, meaning a speedier audit and less resistance from those involved
Take-Away # 4 – documenting what you’ve found will leave information that can be revisited at a later time to see what has been a weakness or strength in the past and maybe how it was previously dealt with
Philip Dawson MBA | Business Consultant | Leadership Coach
Lead Auditor | ISO 9001 | ISO 14001 | ISO 45001/OHSAS 18001 | ISO 27001 | Lean 6-Sigma Practitioner