Internal Audit Matrix Process Query

[perkins201]

Hi all,

Just wondering if anyone can assist please with the following query regarding the ISO 9001:2015 internal audit matrix.

Our external auditing company provided a sample internal audit matrix which is not company specific. On their example, they used the following processes (which differ to our company's processes):

Leadership
Purchasing
Quality
Sales
Production/Service Planning
Production/Service Provision
Production/Service Provision

My question is, do you have to use your own company processes specific to the Process Overview sheets or can you use the generic examples listed above?

Any advice would be greatly appreciated!

 

[howste]

You always need to audit to the processes as defined by your company.

 

[Kronos147]

Look at section 0.2 Quality Management Principles again.

 

[perkins201]

Many thanks both for the input!

Is it possible to audit the likes of 4.1, 4.2, 4.3, 4.4, 5.1, 5.2, 5.3, 9.3 against the 'Sales' or 'Design' process(es)?

I'm just trying to ascertain whether certain processes can only be audited against certain procedures.

As always, many thanks in advance!

 

[howste]

Many thanks both for the input!

Is it possible to audit the likes of 4.1, 4.2, 4.3, 4.4, 5.1, 5.2, 5.3, 9.3 against the 'Sales' or 'Design' process(es)?

I'm just trying to ascertain whether certain processes can only be audited against certain procedures.

As always, many thanks in advance!

Generally you would audit the requirements where the responsibility is. Clause 4 is big overall QMS, clause 5 is leadership, and clause 6 is management review, so I would mostly look to audit them in a Leadership process (by whatever name you call it). While you're looking at the management review you should look for inputs/outputs and KPIs from the Sales and Design processes though.

 

[perkins201]

Much appreciated!

Lastly, I'll be doing a Process Overview Sheet now for 'Leadership'.

Would anyone happen to have an example of or be able to provide suggestions for 'Process Inputs', 'Process Outputs', Resource Requirements' and 'Control Methods' specific to the 'Leadership' process.

As always, many thanks in advance!

 

[ReworkIT]

Hi all,

Just wondering if anyone can assist please with the following query regarding the ISO 9001:2015 internal audit matrix.

Our external auditing company provided a sample internal audit matrix which is not company specific. On their example, they used the following processes (which differ to our company's processes):

Leadership
Purchasing
Quality
Sales
Production/Service Planning
Production/Service Provision
Production/Service Provision

My question is, do you have to use your own company processes specific to the Process Overview sheets or can you use the generic examples listed above?

Any advice would be greatly appreciated!

Hi - first post. Do you mean your registrar? If they give you a specific tool, doesn't that constitue consulting?

 

[ReworkIT]

You always need to audit to the processes as defined by your company.

I've noticed similar statements (some registrars have a similar statement on their website that says it's a requirement) but I can't find in ISO where it says processes have to be audited. It says that process have to be taken into consideration, but I can't see where it says I have to audit a process. I was taught that often the problems happen BETWEEN processes.

Can anyone help me where this is indicated?

 

[Kronos147]

Since we have process-based systems that are focused on meeting requirements, it is vital we understand those requirements.

In our process ID map in our quality manual, we recognize the processes and the requirements of the processes. Here is a small example-

All Processes:
0.1 General, 0.3 Process Approach, 0.3.1 General, 0.3.2 Plan-Do-Check-Act, 0.3.3 Risk-based Thinking, 4. Context of the Organization, 5.1.2 Customer Focus, 5.2 Policy, 5.3 Organizational Roles and Responsibility, 7.1.2 People, 7.1.3 Infrastructure, 7.1.4 Environment for the Operation of Processes, 7.4 Communication, 7.5 Documented Information, 8.7 Control of Nonconforming Outputs, 10.3 Continual Improvement

Threaded Requirements:
-Risks and Opportunities (many clauses)
-Process Approach (many clauses)
-Change Management (many clauses)

Management:
4.1 Understanding the Organization and Context, 4.2 Understanding the Needs and Expectations of Interested Parties, 4.3 Determining the Scope of the AQMS, 4.4 QMS and its Processes, 5.1 Leadership and Commitment, 6.2 Quality Objective and Planning to Achieve Them, 7.1 Resources, 8.1 Operational Planning and Control, 9.1 Monitoring, Measurement, Analysis and Evaluation, 9.1.2 Customer Satisfaction, 9.3 Management Review, 10. Improvement

Purchasing:
8.1.4 Prevention of Counterfeit Parts, 8.4 Control of Externally Provided Processes, Products and Services, 8.4.2 Type and Extent of Control, 8.4.3 Information for External Providers
​

This same information is also provided on the process work instruction "index" we created, and on the internal audit form. It's only fair we make people aware of their requirements. It's necessary to identify them in the internal audit program.

 

[howste]

I've noticed similar statements (some registrars have a similar statement on their website that says it's a requirement) but I can't find in ISO where it says processes have to be audited. It says that process have to be taken into consideration, but I can't see where it says I have to audit a process. I was taught that often the problems happen BETWEEN processes.

Can anyone help me where this is indicated?

The context of my post you quoted was in response to a question about auditing a set of generic processes OR the processes specific to their company. Given the choices, the company's own processes is the clear winner.

I agree that there is no "shall" that says that internal audits are required to be based on processes. However, given the Process Approach (0.3) which leadership shall promote (5.1.1d), the fact that the QMS is managed using these processes (4.4.1), and that these processes shall be evaluated (4.4.1g) anyway, why wouldn't we audit using them as the basis of the audit planning?

The standard says that we shall audit to determine whether the QMS meets requirements and is effectively implemented and maintained. Unless you go out and audit the whole QMS at once (unlikely), you will need to break the elephant into bite sized pieces. It makes sense to use the processes for this. We may sometimes also need to do some focused audits on particular requirements that cover multiple processes - these might not be process audits.

I also agree that problems happen in the interactions between processes. That's why whenever I audit a process I make sure to cover the interactions on both ends. If I audit all processes in this way, covering the "in between" parts should be covered twice - the input direction from the receiving process and the output direction from the sending process.