Does ISO 9001:2015 require a full internal audit annually?

Tagin

Involved In Discussions
#1
Does ISO 9001:2015 require a full system internal audit every year?

Or, can an internal audit plan be multi-year?
E.g.:
  • Year1: Audit processes A,B,C
  • Year2: Audit processes D,E,F,G
  • Year3: Audit processes H,I
  • Year4 -repeat cycle-
(Of course, there likely will be also top-level items that should be audited each year, such as COTO, Mgmt Review, Audits, CAPAs, etc.)

I see nothing in 9001:2015 or 19011:2018 which specifies a full system internal audit must occur each year.

The point of a multi-year plan is not to avoid work, but to be able to spend more time on specific areas each year.
 
#2
Does ISO 9001:2015 require a full system internal audit every year?

Or, can an internal audit plan be multi-year?
E.g.:
  • Year1: Audit processes A,B,C
  • Year2: Audit processes D,E,F,G
  • Year3: Audit processes H,I
  • Year4 -repeat cycle-
(Of course, there likely will be also top-level items that should be audited each year, such as COTO, Mgmt Review, Audits, CAPAs, etc.)

I see nothing in 9001:2015 or 19011:2018 which specifies a full system internal audit must occur each year.

The point of a multi-year plan is not to avoid work, but to be able to spend more time on specific areas each year.
The standard requires you to audit; the frequency depends on you.
However, as you suggest, some processes may not be audited in three years, which is a long time.
I don't see how you are going to have effectiveness if processes are not audited more frequently, if we consider that in audits you detect areas for improvement and problems.
I think you need to do what is necessary to audit each process at least 1 or 2 times a year.
Hope this helps.
 

dsheaffe

Involved In Discussions
#3
You are correct, there is nothing in the standard that requires all areas/processes to be audited annually - they need to be scheduled based on previous audit results, risk, etc.

Some of our non-critical areas/processes are only audited every 2 years.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#4
Does ISO 9001:2015 require a full system internal audit every year?
...snip...
I see nothing in 9001:2015 or 19011:2018 which specifies a full system internal audit must occur each year.
The point of a multi-year plan is not to avoid work, but to be able to spend more time on specific areas each year.
Yes, you are correct; there is nothing in the standard which stipulates that the whole QMS needs to undergo an internal audit on an annual basis. It does state, however, that, when planning the internal audit program, one needs to consider the importance of the processes, changes and past history of conformance and performance. Your proposed tri-annual schedule seems to be set without any due consideration to what the standard requires along these lines.

Unfortunately, for the overwhelming majority of organizations out there, internal audits are a wasted effort and time. So people want to devise ways to do as little as possible in terms of internal audits while still "passing" the external audits. For the very rare organizations that make their internal audit programs a (business) value added effort, they normally want to see more, not less, when it comes to internal audits. But for that to happen, the internal auditors have to be really business savvy and understand that, if well executed, an internal audit can provide plenty of insight into the business performance, latent risks and unexplored opportunities. It takes a special caliber of internal auditors and management that demands business benefit from audits, for that to happen.
 
#5
For any effective audit program to function, you have to understand why an organization does audits. Clearly, (if you HAVE a copy) the standard doesn't require annual audits - beware that a Certification Body MAY require them, however.

Sidney is correct, doing every process/requirement/whatever isn't what's required (it would say so in the standard) and would be totally useless to management. You run the risk of getting to audit in year 3, something which has been broken for 2 years and 10 months? You don't even have to have a calendar of audits. I've got a book on the subject on Amazon...
 

buzzjaw

Inactive Registered Visitor
#6
You must have an audit program, you must be able to demonstrate it is working and it must focus on quality risks. Considering the importance, change and past history of conformance and performance of processes is about identifying those that pose and mitigate the most significant risks. As a minimum I would suggest your audit program should document what risks it aims to mitigate. Once a year may be sufficient if you can prove that there is ongoing monitoring, that processes (and the requirements which they are written to meet) are stable and risk controls are shown to be highly effective.
 

TechnicalGuy

Research and Development
#7
The ISO does not state how regular these audits should be. I would advise your audit programme being put together from your management review and should be risk based. How you decide that is up to you, we look at all risk inputs we have, such as internal complaints, external complaints, critical processes (commercially and safety) etc. So based on that I would suggest your audit plan is not adequate, for example if Process A is in a department that is 10 times the size and creates 10 times the number of products as Process B then it should be audited more. Equally, if Process C is involved in making Class III medical devices that are implantable and Process B makes Class I devices then Process C should be considered to be a higher risk and would require more auditing. I would be careful not to over audit also, because that may arguably reduce the effectiveness of the audit.

As you can see, it's not so simple!
 
#8
Does ISO 9001:2015 require a full system internal audit every year?

Or, can an internal audit plan be multi-year?
E.g.:
  • Year1: Audit processes A,B,C
  • Year2: Audit processes D,E,F,G
  • Year3: Audit processes H,I
  • Year4 -repeat cycle-
.....The point of a multi-year plan is not to avoid work, but to be able to spend more time on specific areas each year.
This looks good to me. Much like what the registrar does, no?

There is the good point in what buzzjaw adds (past history and performance). The plan is good, but how does it react to what happens? If process A had big issues year 1, and year 2 objectives support the case that process A needs love, would you not then adjust the audit plan and add it to year 2 (or year 3 if there is a corrective action in place)?

One other thing I like is adding corrective action verification activities to the audit plan. This is more objective evidence in support that the organization uses evidence based decision making in their planning.
 

Devin A

Involved In Discussions
#9
I'm VERY new to quality, so please feel free to explain things to me like I have no idea what I'm doing.. Because, well, I don't..
I'm a little confused about the internal audit scheduling. People in this thread seem to be saying that you can just base it on risk, but 9.2.1 specifically says "planned intervals". I would love to be able to put in our procedures that we will do them as deemed necessary based on risk, but that's not quite a planned interval is it?
 

Tagin

Involved In Discussions
#10
Thanks all for the replies. In my initial simplified example there was indeed no mention of risk, etc. regarding audit frequency of specific processes. So, in a more proper example, some process might be audited every year, others every other year, some twice a year, etc. And, of course, the plan could be updated based on finding results.

The main point I wanted to verify is that there is no 9001/19011 requirement, or anything canonical, about a 1-year timeframe.
 
