Looking for Some Help with ISO 9001:2015 - Internal Audit Frequency?

ddddavidddd

Registered
Hi everyone,

I am currently working on improving our internal audit process for ISO 9001:2015 compliance and wanted to get some insights from the community here.

Specifically, I am trying to determine the most effective audit frequency. The standard doesn’t specify an exact timeframe, leaving it open to interpretation based on business needs. I have seen some companies do it annually, others quarterly, or even more frequently depending on risks and the complexity of their operations.

How do you all decide the frequency for your internal audits? Do you base it primarily on risk assessment, process complexity or something else entirely? Any best practices or experiences you can share would be really appreciated.

Also, for smaller companies, how do you manage this without overwhelming resources, especially when trying to maintain compliance while balancing day-to-day operations?

Looking forward to learning from your experiences. Thanks in advance!

Best regards,
David Miller
 

gakiss2

Involved In Discussions
The primary need is to cover your entire system every three years; that is the same regimen used by your 3rd party auditor. Next is to answer risk-based questions: which areas are more likely to have a failure that will be highly impactful? Some areas that are frequently targeted are Corrective Action, Internal Audits, Calibration. And there may be some that are more impactful for your industry. For some, FIFO is highly important; others may need to focus on Preventative Maintenance. And keep in mind that you need to leave some slack in the system so that you can add audits or increase the frequency of audits based on issues that your firm sees through the year. Management Review is a good time to take this sort of action as it shows your QMS reacting to the issues that it faces.

Even if not specifically required, I would recommend including some 'Process Audits' which are relatively short audits aimed simply at making sure the process is running as it is intended.

These are some generic guidelines and they should certainly be adjusted to your situation but I feel it may be a good start.
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
"I am currently working on improving our internal audit process for ISO 9001:2015 compliance..."


Why? What are the challenges with the current internal audit process and frequency?
 

Randy

Super Moderator
The primary need is to cover your entire system every three years, that is the same regimen used by your 3rd party auditor.
That's totally incorrect, and can bite you in the rear with that mindset. The "Primary" reasons are below:
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system: a) conforms to: 1) the organization’s own requirements for its quality management system; 2) the requirements of this International Standard; b) is effectively implemented and maintained.

Specifically, I am trying to determine the most effective audit frequency.
The only correct answer is the frequency that meets the requirements of ISO 9001, your needs and provides top management the information it needs as part of their decision making process.
 

mattador78

Quite Involved in Discussions
As Ed asks, do you have an issue now? Has it been raised by your CB in an audit? If it has, as mentioned above, it can be as easy as copying your CB's audit each year and auditing a third of it every 4 months. Depending on your time or resources available, change to suit. We combine parts of our 14001 with our 9100 to streamline, then use the information in both standards' internal audits.
 

Mike S.

Happy to be Alive
Trusted Information Resource
The standard says you "shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits", so I do. But the registrar insists I cover every process at least every 3 years, so I do that, too.
 

EricHeyworth

Starting to get Involved
For me there are two key factors: risk & external audit frequency. It’s good practice to make sure you’ve covered all areas between audits. So if your auditing body comes every 3 years, you should try and cover everything in that period. You can try and justify longer, but you’ll often lose. Then increase frequency on “riskier” areas. So some things maybe annually. But also consider grouping areas.
 

Golfman25

Trusted Information Resource
How small is small? And how engaged/active are your managers?
 

joekirk

Involved In Discussions
Your internal audit schedule should be developed based on risk. You should include / consider the following when scheduling / updating your audit schedule:
  • Customer complaints
  • Previous internal audit findings
  • Internal KPI review
  • Internal changes (new dept manager)
  • New part launches
  • External audit findings
Bottom line is you should be auditing the "pains" that your organization and your customer are feeling. Areas that are not causing problems don't need to be audited more frequently than required by ISO9001 or your customer.
 

Ron Rompen

Trusted Information Resource
The 'minimum' requirement is that all processes are audited every 3 years... but if you follow that line of thought, then you are wasting your time auditing in the first place.
Don't look at the internal audit as a 'checkbox' that has to be covered - look at it as an opportunity to find errors/problems in your processes and practices that may end up causing problems for you and your customer. Prioritize your audits to cover the major potential problem areas (customer complaints, calibration, control of NC product, change control) and don't forget to schedule supplemental audits when you find that a process has failed (especially after a customer complaint).
 