Part 27: Clause 9.2 - Internal Auditing
I think the internal auditing clause of ISO 9001 has had more articles, blogs, webinars, videos and letters to the editor produced about it than any other clause in ISO 9001. Perhaps only Documented Information (clause 7.5) comes close to having a similar number of column inches dedicated to analysing it.
Not to buck the trend, I have written and presented numerous times on the subject of Internal Auditing.
Here is a list of those articles I have written about it:
- The Use of Risk Based Thinking When Creating an Internal Audit Schedule
- Is it time to STOP Internal Auditing?
- 5 Habits of Successful QHSE Compliance Managers
- Internal Audits - Your (Not So) Secret Weapon
Here are the webinars I have presented on the topic:
- Tips and Tricks to Add Value to Your Audit Reports
- Freshening-up Your Internal Auditing Programme
- Are you Running an Effective Internal Audit Programme
- How to Create an Internal Audit Schedule
- Creating Internal Audit Schedules
- 7 Keys to Running an Effective Internal Audit Programme
Clause 9.2.1 requires that you conduct internal audits at planned intervals. The technique of doing internal audits is up to you. The length of the intervals between audits is up to you. The way you’ll decide how your organisation conforms to your QMS and ISO 9001 is up to you. The manner by which you’ll determine how effective and maintained the system is, is up to you. It really is a free-for-all. The only requirement is that you have to do it.
I have found that internal audits give great value, but they can be a confrontational experience and, depending on your interview technique, people can be uncooperative and defensive. I would highly recommend getting some internal auditor training from local experts to help find the best techniques to prevent and/or overcome such experiences.
Clause 9.2.2 has the nitty-gritty on how to conduct the audits.
First, plan your approach to internal audits based on the importance of the processes. A mistake most companies make is to audit absolutely everything once a year. The standard gives you flexibility around this, so use your resources wisely and only audit what is important or what is the highest risk to your business.
Second, for each audit work out the scope of what will be covered. You can’t audit 100% of the process, but you do need to cover enough to be satisfied that the important issues have been captured.
Third, make sure the auditors are independent of the process under audit. This can be tricky so you need to give it plenty of thought.
Fourth, report all findings to the relevant managers so there aren’t any surprises.
Fifth, ensure that the corrective actions from the audit are dealt with.
Finally, retain the audit results in a document.
For example, here at Mango we are taking an innovative approach to internal auditing. We are using a DIME (documented, implemented, monitored and effective) matrix to ensure the QMS conforms. The DIME approach is referenced in this webinar: Freshening-up Your Internal Auditing Programme.
Here is a list of takeaways that will help you meet clause 9.2:
- Only audit what is important or what is the highest risk to your business.
- For each audit work out the scope of what will be covered.
- Make sure the auditors are independent of the process.
- Keep records of the audit.
View previous blogs in this series "How to Implement a QMS and Achieve ISO 9001 Certification":