Does ISO 9001:2015 require a full internal audit annually?

Tagin

Trusted Information Resource
#1
Does ISO 9001:2015 require a full system internal audit every year?

Or, can an internal audit plan be multi-year?
E.g.:
  • Year1: Audit processes A,B,C
  • Year2: Audit processes D,E,F,G
  • Year3: Audit processes H,I
  • Year4 -repeat cycle-
(Of course, there likely will be also top-level items that should be audited each year, such as COTO, Mgmt Review, Audits, CAPAs, etc.)

I see nothing in 9001:2015 or 19011:2018 which specifies a full system internal audit must occur each year.

The point of a multi-year plan is not to avoid work, but to be able to spend more time on specific areas each year.
 
Elsmar Forum Sponsor

qualprod

Trusted Information Resource
#2
Does ISO 9001:2015 require a full system internal audit every year?

Or, can an internal audit plan be multi-year?
E.g.:
  • Year1: Audit processes A,B,C
  • Year2: Audit processes D,E,F,G
  • Year3: Audit processes H,I
  • Year4 -repeat cycle-
(Of course, there likely will be also top-level items that should be audited each year, such as COTO, Mgmt Review, Audits, CAPAs, etc.)

I see nothing in 9001:2015 or 19011:2018 which specifies a full system internal audit must occur each year.

The point of a multi-year plan is not to avoid work, but to be able to spend more time on specific areas each year.
The standard requires to Audit, it depends on you the frequency.
However, as you suggest, some processes may be not audited in three years, which is many time.
I don't see how are you going to have effectiveness if processes are not audited more frequent.
If we consider that in audits you detect areas of improvements and problems.
I think you need to make what is necessary to audit at least 1 or 2 times a year each process.
Hope this helps
 

dsheaffe

Involved In Discussions
#3
You are correct there is nothing in the standard that requires all areas/processes to be audited annually - they need to scheduled based on previous audit results, risk, etc.

Some of our non-critical areas processes are only audited every 2 years.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#4
Does ISO 9001:2015 require a full system internal audit every year?
...snip...
I see nothing in 9001:2015 or 19011:2018 which specifies a full system internal audit must occur each year.
The point of a multi-year plan is not to avoid work, but to be able to spend more time on specific areas each year.
Yes, you are correct; there is nothing in the standard which stipulates that the whole QMS needs to undergo an internal audit on an annual basis. It does state, however, that, when planning the internal audit program, one needs to consider the importance of the processes, changes and past history of conformance and performance. Your proposed tri-annual schedule seems to be set without any due consideration to what the standard requires along these lines.

Unfortunately, for the overwhelming majority of organizations out there, internal audits are a wasted effort and time. So people want to devise ways to do as little as possible in terms of internal audits while still "passing" the external audits. For the very rare organizations that make their internal audit programs a (business) value added effort, they normally want to see more, not less, when it comes to internal audits. But for that to happen, the internal auditors have to be really business savvy and understand that, if well executed, an internal audit can provide plenty of insight into the business performance, latent risks and unexplored opportunities. It takes a special caliber of internal auditors and management that demands business benefit from audits, for that to happen.
 
#5
For any effective audit program to function, you have to understand why an organization does audits. Clearly, (if you HAVE a copy) the standard doesn't require annual audits - beware that a Certification Body MAY require them, however.

Sidney is correct, doing every process/requirement/whatever isn't what's required (it would say so in the standard) and would be totally useless to management. You run the risk of getting to audit in year 3, something which has been broken for 2 years and 10 months? You don't even have to have a calendar of audits. I've got a book on the subject on Amazon...
 

buzzjaw

Inactive Registered Visitor
#6
You must have an audit program, you must be able to demonstrate it is working and it must focus on quality risks. Considering the importance, change and past history of conformance and performance of processes is about identifying those that pose and mitigate the most significant risks. As a minimum I would suggest your audit program should document what risks it aims to mitigate. Once a year may be sufficient if you can prove that there is ongoing monitoring, that processes (and the requirements which they are written to meet) are stable and risk controls are shown to be highly effective.
 

TechnicalGuy

Research and Development
#7
The ISO does not state how regular these audits should be. I would advise your audit programme being put together from your management review and should be risk based. How you decide that is up to you, we look at all risk inputs we have, such as internal complaints, external complaints, critical processes (commercially and safety) etc. So based on that I would suggest your audit plan is not adequate, for example if Process A is in a department that is 10 times the size and creates 10 times the number of products as Process B then it should be audited more. Equally, if Process C is involved in making Class III medical devices that are implantable and Process B makes Class I devices then Process C should be considered to be a higher risk and would require more auditing. I would be careful not to over audit also, because that may arguably reduce the effectiveness of the audit.

As you can see, its not so simple!
 

Kronos147

Trusted Information Resource
#8
Does ISO 9001:2015 require a full system internal audit every year?

Or, can an internal audit plan be multi-year?
E.g.:
  • Year1: Audit processes A,B,C
  • Year2: Audit processes D,E,F,G
  • Year3: Audit processes H,I
  • Year4 -repeat cycle-
.....The point of a multi-year plan is not to avoid work, but to be able to spend more time on specific areas each year.
This looks good to me. Much like what the registrar does, no?

There is the good point in what buzzjaw adds (past history and performance) . The plan is good, but how does it react to what happens? If process A had big issues year 1, and year 2 objectives support the case that process A needs love, would you not then adjust the audit plan and add it to year 2 (or year 3 if there is a corrective action in place)?

One other thing I like is adding corrective action verification activities to the audit plan. This is more objective evidence in support that the organization uses evidence based decision making in their planning.
 

Devin A

Involved In Discussions
#9
I'm VERY new to quality, so please feel free to explain things to me like I have no idea what I'm doing.. Because, well, I don't..
I'm a little confused about the internal audit scheduling. People in this thread seem to be saying that you can just base it on risk, but 9.2.1 specifically says "planned intervals". I would love to be able to put in our procedures that we will do them as deemed necessary based on risk, but that's not quite a planned interval is it?
 

Tagin

Trusted Information Resource
#10
Thanks all for the replies. In my initial simplified example there was indeed no mention of risk, etc. regarding audit frequency of specific processes. So, in a more proper example, some process might be audited every year, others every other year, some twice a year, etc. And, of course, the plan could be updated based on finding results.

The main point I wanted to verify is that there is no 9001/19011 requirement, or anything canonical, about a 1-year timeframe.
 
Thread starter Similar threads Forum Replies Date
BeaBea Interesting Discussion Where Does Marketing/ Advertisement of Products fit in to ISO 9001? Process Maps, Process Mapping and Turtle Diagrams 35
G Is ISO 9001:2015 certification worth it for a company that does only contract manufacturing? Quality Management System (QMS) Manuals 14
C Does ISO 9001-2015 have a requirement for manufacturing equipment to be numbered? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
Q Does our material suppliers’ supplier have to be at least ISO 9001 certified? IATF 16949 - Automotive Quality Systems Standard 3
M Does ISO 9001 mandates cooking procedure for restaurants ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
N Does anyone know a registrar that offers both ISO 9001 and ISO 17020? Registrars and Notified Bodies 6
Q Does ISO 9001 require CARs for all customer complaints? Customer Complaints 2
Q ISO 9001 Cl. 4.1 and 4.2 - What does monitoring and review mean? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 13
Sidney Vianna ASQ apparently doesn't know ISO does not issue ISO 9001 certificates? ASQ, ANAB, UKAS, IAF, IRCA, Exemplar Global and Related Organizations 4
C Optic Patchcord Cables - Does 8.3 (Design) Apply Here? ISO 9001:2015 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
A Does anyone have a comparison between ISO 9001:2015 and ISO 13485:2016? ISO 13485:2016 - Medical Device Quality Management Systems 2
G Does ISO 9001:2015 call for a Policy or a Statement ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
Q Does ISO 9001 Requirement for Document Approval (a service organization) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
J Does the word "claim" in ISO 9001 Clause 8.2.2 mean "requirement"? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
T Does your Quality Dept Control Procedures Outside the Scope of ISO 9001? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
S ISO 9001:2008 Certification Scope does not mention "manufacturing" ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
Q Where does 5S technique fit into ISO 9001? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
L What does "conformance matrix" means in terms of ISO 9001:2008? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
G Does AS9100 Certificate include ISO 9001 Certification? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 9
P Does the term ISO 9001:2008 imply we are all five years out of date? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
Marc Does ISO 9001 *require* that Internal Audits be Process Audits? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
L What exactly does Configuration Management in ISO 9001, Clause 7.5.3 means? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
T If a company becomes TS 16949 certified does it still need ISO 9001 certification? IATF 16949 - Automotive Quality Systems Standard 12
G Customer Property Cl. 7.5.4 - Where does ISO 9001 stop and ISO 27001 start? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 33
F Paperless Procedures - Does ISO 9001 Require Paper Documents? Quality Manager and Management Related Issues 37
K Does ISO 9001 require Supplier Pre-Qualification? Supplier Quality Assurance and other Supplier Issues 27
L Does ISO 9001 require that hard copies of documents be archived? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 13
T Does the Layout Design of a PCB fall under clause 7.3 in ISO 9001 Design and Development of Products and Processes 7
T Employee Satisfaction - Does ISO 9001 Require Monitoring of Employee Satisfaction? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 14
M Does ISO/IEC 17025:2005 require the Laboratory to have separate ISO 9001 Procedures ISO 17025 related Discussions 4
N How does a company determine what ISO standard (9000 or 9001) to register to? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
S How does ISO 9001:2008 apply to a logistics Company? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
C How long does it take to get the ISO 9001 certificate after passing the audit? Registrars and Notified Bodies 21
S Does ISO 9001 Clause 7.3 Design and Development apply? Design and Development of Products and Processes 18
J Customer Property ISO 9001:2008 Clause 7.5.4 - Does this include E-mails? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
H Does ISO 9001 have nothing to do with profitability? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 18
T ISO 9001 Clause 7.3.2 (a) Functional & performance requirement - what does it mean? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
G Does BSI do ISO 9001/TS 16949 Lead Auditor training? Training - Internal, External, Online and Distance Learning 5
J Does plant personnel need to be re-trained to the new ISO 9001:2008 revision?? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 15
V ISO 9001:2008 - How does an organization demonstrate "sustain success"? General Auditing Discussions 14
H QMS - How does ISO 9001 apply to Service Providers (utility or facility management) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
A What is ISO 9001 Certification and how does it relate to Product Quality? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 38
J What does the revised standard ISO 9001:2008 mean to Jim "Q" public ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 44
J Change Management System - Does ISO 9001 specify you need a process flow? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
B Does that Q-Policy fulfill ISO 9001 requirements? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
G Does ISO 9001 require a procedure for every part of the business? Document Control Systems, Procedures, Forms and Templates 8
N Poor control of testing chemicals ? which ISO 13485/9001 clause does it contravene? ISO 13485:2016 - Medical Device Quality Management Systems 8
I Does ISO 9001 requires the Control of All Records generated? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 9
G Does ISO 9001 Audit fit in within the Corporate Internal Audit department? Internal Auditing 31
C Does it make sense to hold both ISO 9001 & TS 16949 registrations? World News 16
Similar threads


















































Top Bottom