Internal Audit Matrix Process Query

[Rich Shippy]

Jadey,

That's what I did, I did not want to re-invent our system. I matched our current process flows with the embedded documents, to the requirements from the contents of the standard. I had to add a little to some of the systems to cover context, risk, interested parties and internal/externals, and add a bit to the new or upgraded requirements. I also just took those existing process flows and assessed them for risks ,to cover that portion. My goal was not to try and do a complete overhaul, the organization has been ISO for 20 years, so no sense adding a whole bunch of new stuff to confuse people anymore than this already does.

 

[Jadey52803]

Jadey,

That's what I did, I did not want to re-invent our system. I matched our current process flows with the embedded documents, to the requirements from the contents of the standard. I had to add a little to some of the systems to cover context, risk, interested parties and internal/externals, and add a bit to the new or upgraded requirements. I also just took those existing process flows and assessed them for risks ,to cover that portion. My goal was not to try and do a complete overhaul, the organization has been ISO for 20 years, so no sense adding a whole bunch of new stuff to confuse people anymore than this already does.

Ok, thanks.

 

[Sebastian]

Just wondering if anyone can assist please with the following query regarding the ISO 9001:2015 internal audit matrix.

My impression is that this request was not properly responded. It is obvious that one organization differs from other, but some processes could be very similar.

I found process/requirement matrix as very helpful for process owners during establishment of process and later for internal auditors during its auditing. I had made my own for ISO/TS 16949 and currently revised for IATF 16949. Even I made it, still I am not fully convinced my understanding of matrix logic is correct.

One logic is for process owners. There is only one mark per requirement - it is process owner's responsibility to define activities for particular requirement.
Second one for auditors. There are more marks per requirement - it is where auditor can expect results of activities - evidence of complying to requirements. I have uploaded examples limited to ISO sections.

As it was mentioned in one of initial comments, matrix depends mainly on how organizational processes are defined. Where is process starting point, what is its content and where it ends.

I hope it helps.

 

[Kronos147]

[FONT=&quot][/FONT]If I posted our company's matrix I'm afraid it would not help.

Our internal audit matrix has 5 processes in the first column, and 12 columns with months.

Our work instructions are divided by processes. An index for the process helps the process owner know what are the requirements for their process.
Here is a sample:

AS9100 requirements that apply to this process:
7.1.5 Monitoring and Measuring Resources, 7.5.3 Control of Documented Information, 8.2.3 Review of Requirements for Products and Services, 8.6 Release of Products and Services, 10.2 Nonconformity and Corrective Action

AS9100 requirements that apply to all processes:
0.1 General, 0.3 Process Approach, 0.3.1 General, 0.3.2 Plan-Do-Check-Act, 0.3.3 Risk-based Thinking, 4. Context of the Organization, 5.1.2 Customer Focus, 5.2 Policy, 5.3 Organizational Roles and Responsibility, 7.4 Communication, 7.5 Documented Information, 8.7 Control of Nonconforming Outputs, 10.3 Continual Improvement

An internal audit of a process would review the process documents. This would point the auditor to what requirements apply in our system. While auditing the process, it is up to the auditor to keep those in mind and challenge the effectiveness of the process to meet those requirements.

Looking at the requirements one by one in a checklist is really hard to do without making it a clause audit and ignoring processes, IME.

 

[Big Jim]

My impression is that this request was not properly responded. It is obvious that one organization differs from other, but some processes could be very similar.

I found process/requirement matrix as very helpful for process owners during establishment of process and later for internal auditors during its auditing. I had made my own for ISO/TS 16949 and currently revised for IATF 16949. Even I made it, still I am not fully convinced my understanding of matrix logic is correct.

One logic is for process owners. There is only one mark per requirement - it is process owner's responsibility to define activities for particular requirement.
Second one for auditors. There are more marks per requirement - it is where auditor can expect results of activities - evidence of complying to requirements. I have uploaded examples limited to ISO sections.

As it was mentioned in one of initial comments, matrix depends mainly on how organizational processes are defined. Where is process starting point, what is its content and where it ends.

I hope it helps.

A matrix of this type is requested before stage 1 by some certification bodies as evidence that the quality management system covers all of the requirements of the standard. The ones I most often see have the x and y axis swapped (processes listed on the left, clause numbers on top).

 

[Sebastian]

Looking at the requirements one by one in a checklist is really hard to do without making it a clause audit and ignoring processes, IME.

I am working in automotive, so I have to use process approach during auditing. Using it while auditing would be hard and it might look a little bit unprofessional, in my opinion. When it is used during preparation to audit, it helps get wider perspective of audited process and understanding that other/general requirements (which otherwise could be "overlooked") are also applicable here.

The ones I most often see have the x and y axis swapped (processes listed on the left, clause numbers on top).

As request was coming from ISO 9001 area I have limited size of this matrix.
My IATF 16949 (similar to previous ISO/TS 16949) matrix is around three times longer (including ISO 9001 sections) than these already presented, so for me this alignment is more convenient.

 

[ahirons]

Attached is our process map. I arrange internal audits to the processes listed. I've also attached a sample list we use. We also use the turtle diagram approach.

We audit to our work instructions/procedures and confirm we are following those, as well as, the ISO standard.

 

[ahirons]

Samples I mentioned.

 

[Jadey52803]

ahirons,

I've used similar checklists for our internal auditors. I've found it especially helpful as we (me and our auditors) work to apply all of the training we received. This has also helped to provide a certain level of consistency across multiple internal auditors.

One of the unfortunate side-effects is that we've had a couple auditors rely too heavily on the checklist and just tried to fill in the blanks for each question without actually understanding what the intended output of the process is and how effectively they achieve it.

We're still months away from our Certification Audit, so there is still a lot of learning happening. But then again, internal auditing is process unto itself. Isn't it?