8.2.2 Internal Audit
NOTE: There are no new requirements in Internal Audit from the 1994 version.
The company shall conduct internal audits at planned intervals to determine whether the quality management system..... (see 8.5.2).
NOTE See ISO 10011-1, ISO 10011-2 and ISO 10011-3 for guidance.
8.2.2 correlates to the old 4.17 of ISO 9001:1994. The new standard states that your company must plan and conduct periodic internal audits to determine whether your quality management system:
a) Conforms to the ISO 9001:2000 standard, and
b) Has been effectively implemented and maintained.
Your company may take into consideration the status and importance of the activities and areas to be audited and the results of previous audits when planning your audit program. You must define the audit scope, frequency and methodologies. Your audits must be conducted by someone other than the personnel who perform the activity being audited.
You must also have a documented procedure that includes the responsibilities and requirements for conducting audits, ensuring the audit is independent, recording the results of the audit and reporting the results of the audit to management.
Internal Quality Audits are required to ensure that the quality system is working effectively and is in conformance with the ISO 9001:2000 standard. Internal Audits are a key component of your QMS; they provide a means for measuring, analyzing and improving your management system. Audits are also a very important input to the Management Review process. The accuracy, scope and reporting of the results of your internal audits are critical in enabling your management to identify the need for corrective actions and preventive action.
The ISO 9001:2000 standard has helped to clarify the auditing requirement. ISO 9001:94 was a little vague when it called for audits to "determine the effectiveness of Quality System". The new standard now is more prescriptive, pointing to the purpose of the audit as to "determine whether the quality management system a) conforms to the requirements of this (ISO 9001:2000) International Standard, and b) has been effectively implemented and maintained." The use of checklists is still a valuable tool for auditing.
You must define the audit scope, frequency and your audit method. In doing this you must take into consideration the importance of activities and areas within your company to be audited, obviously placing the most importance on the areas having the most effect on quality. This is not a new requirement of ISO 9001:2000.
When choosing your auditor you must select an individual other than one who performs the activity being audited. The Internal Quality Audits are often assigned to the financial manager; however, the quality manager, as the management representative, will usually maintain responsibility for the development and implementation of the quality audit activity. Internal quality auditors will require training; in addition, those performing audits can start their activity during development and implementation, to ensure that the quality system reflects reality and is being deployed effectively.
In the course of seeking conformance, concerns or nonconformances may become evident, but it is important that everyone involved understand that the intent is to seek conformance. Conclusions must be based on objective evidence, observation, interview and documents.
If auditing is understood as a staff persecution or a 'witch-hunt,' then do not be surprised when (not if, but when) the members of your company respond with suspicion, distrust and even hostility. It is extremely important that management appreciate the purpose and principles of quality system auditing and that the auditors conduct themselves accordingly.
The results of an audit should indicate whether the quality system is properly implemented and maintained. These results are considered by management for action as necessary.
A positive and constructive attitude toward auditing can make the exercise enjoyable for both the auditor and the auditee. Most people enjoy telling you what they know and how good they are at their job. In addition, without an air of suspicion and distrust, auditees are likely to confide concerns or suggestions that are in the company's best interest to address and not simply lay blame.
One way to ensure that everyone understands and retains a good perspective on the intent of a management system audit is to develop an audit mission statement. A two or three sentence statement that captures the positive and constructive intent of your company's audit program can help keep the auditor and auditee on track.
Finally, Quality System audits are not surprise audits! They are planned, and everyone knows when they will happen and what elements or departments will be audited. There should be no surprises, as this tends to foster mistrust towards the audit process, and a feeling of "them versus us" between your company and the auditors.
Potential Audit Questions
1. Who in your company is responsible for auditing your Quality Management System? Who reports the result of the audits? If non-conformances arise from an audit, who is notified and who is responsible for following up?
2. How are audits received in your company? Do employees take them negatively or positively? Describe what is done in your company to try to curtail negativity arising from internal audits. In a perfect world, what would you do to ensure a positive response to audits?
3. How will your company determine whether the quality system has been "effectively implemented and maintained"? Will you treat this requirement differently than the requirement to determine the "effectiveness of your quality system"? Please explain your interpretation.
-> My concern is: Is the Lead Auditor Training Course a
-> requirement in the new standard?
No. To be clear, there is no requirement in ISO 9001:2000 that there be a designated 'Lead Auditor' at all. Nor is there a requirement for an internal auditor to have attended a course, although that is pretty common anymore. You could do this by pairing a 'trainee' with a 'qualified' auditor - thus you would have 'On-The-Job' training as the basis for that person's qualification as an internal auditor. There is no requirement for classroom training, for what it's worth.
The bottom line is: The requirement is that your internal auditors know what they're doing. It may be from training, experience, education or an 'appropriate' combination of one or more.
-> Can the result of our examination from the
-> Internal/External Auditing Course for ISO9001:2000 would
-> be a valid evidence that would earn me as a Lead Auditor
-> for the new standards?
You can be Lead Auditor in your company, but that does not extend to the definition of Lead Auditor with respect to the RAB or IRCA with respect to working for a registrar. That is, if you are appointed as Lead Auditor of the internal auditors in your company that does not mean you could go to work for a registrar as a Lead Auditor.
-> Or Is it the MR would recommend me as the Lead Auditor in
-> our company?
That is perfectly acceptable.
-> Does it need a memo that recognizes me and my team as
-> Internal Quality Auditors of the company?
You should have the team defined somewhere - typically you have lists of people qualified to do certain things - whether running a specific machine or performing certain tasks. Internal auditing shouldn't be any different. How you represent it is up to you. Some companies have departmental lists of who is qualified to do what. Other companies have qualifications only in individual records. Either way, you should be able to say who is qualified to do what. This applies to internal auditors as well. A memo would work as well.