Where to begin with an ISO 9001:2015 internal audit

#1
Our very small manufacturing company is new to ISO 9001:2015. We need to plan and complete our internal audit but are clueless as no one here has done this before. Do we have to audit every Section of the QMS from 4.1 to 10.3? Or can we choose a few processes/areas of our business and audit those? For example:

1. Audit purchasing process and procedures
2. Audit a particular part we manufacture and trace it back to customer order
3. Audit tune and test procedures

Would auditing 3 key areas of operation suffice? We just don't know where to begin!
 
Elsmar Forum Sponsor

Ninja

Looking for Reality
Trusted Information Resource
#2
Howdy, and welcome to the forum...

FIrst, do a search on this forum...there are a TON of answers to this question lying around here...

Second, if no one there has ever done an internal audit, I strongly recommend you contract out your first year (or three).
Have your QM, or someone who will be leading your IA team later go along with the internal audits to learn by experience.

There are a number of things you can pick up and figure out for yourself...but IA is rarely one of them. Hire an old pro at it and learn by watching. It will cost you less in the long run...

And MAKE SURE you tell whomever you bring in that you've not had an internal audit before...that's a horrible thing to surprise someone with...and it will likely be a negative experience for both sides if you don't give fair warning first.
 

Coury Ferguson

Moderator here to help
Staff member
Super Moderator
#3
Our very small manufacturing company is new to ISO 9001:2015. We need to plan and complete our internal audit but are clueless as no one here has done this before. Do we have to audit every Section of the QMS from 4.1 to 10.3? Or can we choose a few processes/areas of our business and audit those? For example:

1. Audit purchasing process and procedures
2. Audit a particular part we manufacture and trace it back to customer order
3. Audit tune and test procedures

Would auditing 3 key areas of operation suffice? We just don't know where to begin!
Are you having a 3rd Party Registration Audit in the very near future? If it is, delay it. Apparently you wouldn't be ready. This would be found during Stage 1 of the external/registration audit.

To answer your question in a more direct manner: You audit the processes not the paragraphs. You want to see the interaction of those process. You would need to make sure you meet all of the requirements of ISO 9001:2015. Selecting 3 key processes only would miss the mark.

As Ninja stated, it would be better to have an outsider of the organization run a few Internal Audits. Take a class on Internal Audits (you can look at ISO 19011 to help guide you).

Just my opinion.
 

Golfman25

Trusted Information Resource
#4
So generally prior to your certification audit, they will want to see a full internal audit of all processes. I agree with Ninja, if this is your first experience you should have a consultant do your first series of audits and shadow him, or go to an internal (not external) audit training course -- sometimes a local trade association might put one on.

Over time, I have found creating checklists based on the process ensures my auditors hit all the key points I want them to hit. Kind brings it down to "auditing for dummies" and works for small organizations.
 

Mike S.

Happy to be Alive
Trusted Information Resource
#5
With a brand new system the first thing I'd do is verify that somehow, in some way, I have adequately addressed every single requirement (shall) in the standard, and do it well before it is time for the 3rd party auditor to show up. Part of that means a complete internal audit cycle needs to be completed and any noted nonconformances addressed.

Later, you schedule internal audits based on "the importance of the processes concerned, changes affecting the organization, and the results of previous audits".

If you have no trained internal auditors, as someone said, that is a competence issue you need to address.
 

RoxaneB

Super Moderator
Super Moderator
#6
To add to the responses already provided, I usually employed one of two strategies:

1. Start with Leadership/Top Management - Since they're already in the room (presuming you're doing an opening meeting), this saves them from having to come back later. It's also a good way to hear what they think the QMS is all about and how they think it's doing/working. From there, as the audit expands out, I'm continually looking to see alignment between what leadership says/does versus what the rest of the organization says/does.

2. Final product walk-thru - We would select a product that was about to be shipped (i.e., sitting on the truck at the scale and about to be processed). From there, we worked backwards. We still asked about current processes, but following that one item back was a good exercise for traceability and records.
 

John C. Abnet

Teacher, sensei, kennari
#7
Would auditing 3 key areas of operation suffice? We just don't know where to begin!
Good day @Willhele007 ;
Obviously you have already received some great council in this thread. It has been assumed that your organization is "just starting" and preparing for initial registration . Please advise if that assumption is correct.

Specific to your question, the standard does not specify a frequency, but allows/requires the organization to determine frequencies based on "importance...", "changes...", results of previous audits....", BUT if this is your organizations initial preparation for 3rd party registration, then it is important to include all processes for a full "round" of audits.

One thing that I have done for "new" teams in the past is as follows...
a) Create a matrix with each of your organizations determined processes (e.g. Buy ingredients- Assemble Pizza- Bake- Cut- Deliver) across the top of the columns.

b) Associated with each of the process columns, identify the aspects (clauses) of the standard that apply to each of those determined processes

c) Now consider and confirm the items in "b" when you are auditing the processes in "a'".

While check lists can certainly be helpful (especially for new auditors), ensure your people are taught HOW to audit before they look at the checklist.
e.g.: To the auditee (process owner),.... "what are you doing?", "why are you doing it?" "how do you know what to do?", "how do you control what you do"? , "how do you manage changes to what you do?" "how do you know how well you're doing (i.e. what's the score) "?

....THEN the auditor will have a clear understanding of what is and what is not being taken care of by the auditee and now the auditor can refer to the checklist as a safety net to make sure nothing was overlooked..

As mentioned above, focus on YOUR organization's processes and reverse engineer the expectations into the audit plan.

Hope this helps.
Be well.
 
#8
Our very small manufacturing company is new to ISO 9001:2015. We need to plan and complete our internal audit but are clueless as no one here has done this before.
We are a small manufacturing company also. If we outsource the internal audit process, Would we need to hire the external provider (e.g. consultant), during a 3rd party audit?Or the internal audit records would be enough for the external auditor?
 

John C. Abnet

Teacher, sensei, kennari
#9
We are a small manufacturing company also. If we outsource the internal audit process, Would we need to hire the external provider (e.g. consultant), during a 3rd party audit?Or the internal audit records would be enough for the external auditor?
Good day @Danyboy32 ;
Your would not need to have your consultant present during the 3rd party audit. Even if the consultant was present, you would still need to provide evidence of your internal audit records.

Hope this helps.
Be well.
John
 
#10
Good day @Willhele007 ;
Obviously you have already received some great council in this thread. It has been assumed that your organization is "just starting" and preparing for initial registration . Please advise if that assumption is correct.

Specific to your question, the standard does not specify a frequency, but allows/requires the organization to determine frequencies based on "importance...", "changes...", results of previous audits....", BUT if this is your organizations initial preparation for 3rd party registration, then it is important to include all processes for a full "round" of audits.

One thing that I have done for "new" teams in the past is as follows...
a) Create a matrix with each of your organizations determined processes (e.g. Buy ingredients- Assemble Pizza- Bake- Cut- Deliver) across the top of the columns.

b) Associated with each of the process columns, identify the aspects (clauses) of the standard that apply to each of those determined processes

c) Now consider and confirm the items in "b" when you are auditing the processes in "a'".

While check lists can certainly be helpful (especially for new auditors), ensure your people are taught HOW to audit before they look at the checklist.
e.g.: To the auditee (process owner),.... "what are you doing?", "why are you doing it?" "how do you know what to do?", "how do you control what you do"? , "how do you manage changes to what you do?" "how do you know how well you're doing (i.e. what's the score) "?

....THEN the auditor will have a clear understanding of what is and what is not being taken care of by the auditee and now the auditor can refer to the checklist as a safety net to make sure nothing was overlooked..

As mentioned above, focus on YOUR organization's processes and reverse engineer the expectations into the audit plan.

Hope this helps.
Be well.
John,
This is actually our third year of certification. We have passed for 2 years without knowing or understanding what we are doing. Our auditors have been tough on us- we did not get a pass either. There is nothing out there to fully explain the process in a concise way- and believe me I have looked. External auditors assume that we already know how to do an internal audit. It seems to me that year after year the internal audits will be redundant if you only have a handful of products. Am I wrong to make this assumption?
 
Thread starter Similar threads Forum Replies Date
G New to ISO 9001 - Where to begin? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 17
J Where to begin to move our company towards ISO 9001 certification ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 9
F Where do I begin for ISO 9K:2K? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
supadrai Forced into Regulatory Affairs Role - Where do I begin? Career and Occupation Discussions 4
F Where does Contact begin for Biocompatability? EU Medical Device Regulations 5
N Where to begin defining and monitoring Quality Metrics in a Machine Shop Manufacturing and Related Processes 9
J Risk Management - Where to begin? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 21
T Implementing a Kaizen Team - Where Should I begin? Lean in Manufacturing and Service Industries 7
R MSA (Measurement Systems Analysis) - Where to begin when setting up a system? Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 14
GStough Where to begin - creating a Quality Plan for Class I Medical Device ISO 13485:2016 - Medical Device Quality Management Systems 7
H Auditing Lean as a process - Where to begin? Internal Auditing 9
T Changing Existing Quality Culture/Program - Where to Begin? Misc. Quality Assurance and Business Systems Related Topics 5
M Quality program, where to begin? One man machine/mold shop Quality Management System (QMS) Manuals 13
C where 2 begin? Info Mgmt Blueprint for internal Communication & knowledge xchange Document Control Systems, Procedures, Forms and Templates 3
CarolX Where does Quality begin? Philosophy, Gurus, Innovation and Evolution 36
M Research and Development Process - Where does research end and development begin? Misc. Quality Assurance and Business Systems Related Topics 15
R Where does IATF 16949 address Process mapping? IATF 16949 - Automotive Quality Systems Standard 3
C Where to place CE/label in Sterile IVD EU Medical Device Regulations 1
BeaBea Interesting Discussion Where Does Marketing/ Advertisement of Products fit in to ISO 9001? Process Maps, Process Mapping and Turtle Diagrams 35
K No IFU, where the requirements would go? EU Medical Device Regulations 5
T Assessing Hazard-Related Use Scenarios where control measures exist through standards IEC 62366 - Medical Device Usability Engineering 14
J Where to Place Process Maps in our Documentation? Process Maps, Process Mapping and Turtle Diagrams 4
GreatNate Where to get a KPI dashboard for QMS processes Quality Tools, Improvement and Analysis 5
I Where can I beg, steal (just kidding of course) or borrow good training material on the ISO 9001:2015 standard? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
A Implementing ISO 20000-1 - Where to start Other ISO and International Standards and European Regulations 2
D Where does "as far as possible" stop? FMEA - EN 14971 ISO 14971 - Medical Device Risk Management 28
Q Statistics - Where to start in ISO 9001? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
H Calibration of InfraRan Vapor Analyzer - where to get calibration for SF6 General Measurement Device and Calibration Topics 2
L Clause 0.4 of ISO 9001 and EHS - Where should I stop the inclusion of EHS in my QMS ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
M Where can I find examples of PPAP? APQP and PPAP 6
A What if Contract Manufacturers does not have an ISO 13485 certificate? Where will the NB audit take place, at legal mfg. site or contract mfg. site? Other Medical Device Regulations World-Wide 3
J Where can I find the latest update to Reach and ROHS? REACH and RoHS Conversations 7
D Where (in US) can I get the VDA Auditor Edition book? VDA Standards - Germany's Automotive Standards 3
S Where to get online AS standard audit certification classes? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 5
J Where I can get a copy of either the 3rd or 4th edition of UL544? Other Medical Device Regulations World-Wide 7
G Where to find Proficiency Test provider for photometrics (spectral %R, %T, photo density) General Measurement Device and Calibration Topics 9
Marc Quiz - Where did the idea of an assembly line come from? Coffee Break and Water Cooler Discussions 4
F Quality Objectives - Where in the QMS Quality Objectives should be located ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
M Where to obtain a calibrated DICOM image? ISO 13485:2016 - Medical Device Quality Management Systems 1
R Where to get information - M6 per WA900 Manufacturing and Related Processes 1
S Where did FDA 510(K) form 3654 go? Other US Medical Device Regulations 1
D China - Where I can get NMPA complete structure/organogram chart and GB/YY format list China Medical Device Regulations 1
D Where does FMEA fit in your ISO 14971 Risk Management process? ISO 14971 - Medical Device Risk Management 13
CCaantley Where to get a good test indicator stand for a granite surface plate General Measurement Device and Calibration Topics 8
I ESD - Dissipative foam on a seat for where the people sit at benches Manufacturing and Related Processes 6
C In cases where users of an electronic system change their names Qualification and Validation (including 21 CFR Part 11) 6
P Warning Letter 1999 - Where does the FDA make older warning letters available? US Food and Drug Administration (FDA) 4
Rameshwar25 Where is Personnel Safety in IATF 16949:2016 IATF 16949 - Automotive Quality Systems Standard 2
A Where are the rules for when a repeat minor nonconformance becomes a major? IATF 16949 - Automotive Quality Systems Standard 36
S Medical device mobile app UDI - Where is the UDI labelled? Other US Medical Device Regulations 1
Similar threads


















































Top Bottom