Where to begin with an ISO 9001:2015 internal audit

[Willhele007]

Our very small manufacturing company is new to ISO 9001:2015. We need to plan and complete our internal audit but are clueless as no one here has done this before. Do we have to audit every Section of the QMS from 4.1 to 10.3? Or can we choose a few processes/areas of our business and audit those? For example:

1. Audit purchasing process and procedures
2. Audit a particular part we manufacture and trace it back to customer order
3. Audit tune and test procedures

Would auditing 3 key areas of operation suffice? We just don't know where to begin!

 

[Ninja]

Howdy, and welcome to the forum...

FIrst, do a search on this forum...there are a TON of answers to this question lying around here...

Second, if no one there has ever done an internal audit, I strongly recommend you contract out your first year (or three).
Have your QM, or someone who will be leading your IA team later go along with the internal audits to learn by experience.

There are a number of things you can pick up and figure out for yourself...but IA is rarely one of them. Hire an old pro at it and learn by watching. It will cost you less in the long run...

And MAKE SURE you tell whomever you bring in that you've not had an internal audit before...that's a horrible thing to surprise someone with...and it will likely be a negative experience for both sides if you don't give fair warning first.

 

[Coury Ferguson]

Our very small manufacturing company is new to ISO 9001:2015. We need to plan and complete our internal audit but are clueless as no one here has done this before. Do we have to audit every Section of the QMS from 4.1 to 10.3? Or can we choose a few processes/areas of our business and audit those? For example:

1. Audit purchasing process and procedures
2. Audit a particular part we manufacture and trace it back to customer order
3. Audit tune and test procedures

Would auditing 3 key areas of operation suffice? We just don't know where to begin!

Are you having a 3rd Party Registration Audit in the very near future? If it is, delay it. Apparently you wouldn't be ready. This would be found during Stage 1 of the external/registration audit.

To answer your question in a more direct manner: You audit the processes not the paragraphs. You want to see the interaction of those process. You would need to make sure you meet all of the requirements of ISO 9001:2015. Selecting 3 key processes only would miss the mark.

As Ninja stated, it would be better to have an outsider of the organization run a few Internal Audits. Take a class on Internal Audits (you can look at ISO 19011 to help guide you).

Just my opinion.

 

[Golfman25]

So generally prior to your certification audit, they will want to see a full internal audit of all processes. I agree with Ninja, if this is your first experience you should have a consultant do your first series of audits and shadow him, or go to an internal (not external) audit training course -- sometimes a local trade association might put one on.

Over time, I have found creating checklists based on the process ensures my auditors hit all the key points I want them to hit. Kind brings it down to "auditing for dummies" and works for small organizations.

 

[Mike S.]

With a brand new system the first thing I'd do is verify that somehow, in some way, I have adequately addressed every single requirement (shall) in the standard, and do it well before it is time for the 3rd party auditor to show up. Part of that means a complete internal audit cycle needs to be completed and any noted nonconformances addressed.

Later, you schedule internal audits based on "the importance of the processes concerned, changes affecting the organization, and the results of previous audits".

If you have no trained internal auditors, as someone said, that is a competence issue you need to address.

 

[RoxaneB]

To add to the responses already provided, I usually employed one of two strategies:

1. Start with Leadership/Top Management - Since they're already in the room (presuming you're doing an opening meeting), this saves them from having to come back later. It's also a good way to hear what they think the QMS is all about and how they think it's doing/working. From there, as the audit expands out, I'm continually looking to see alignment between what leadership says/does versus what the rest of the organization says/does.

2. Final product walk-thru - We would select a product that was about to be shipped (i.e., sitting on the truck at the scale and about to be processed). From there, we worked backwards. We still asked about current processes, but following that one item back was a good exercise for traceability and records.

 

[John C. Abnet]

Would auditing 3 key areas of operation suffice? We just don't know where to begin!

Good day @Willhele007 ;
Obviously you have already received some great council in this thread. It has been assumed that your organization is "just starting" and preparing for initial registration . Please advise if that assumption is correct.

Specific to your question, the standard does not specify a frequency, but allows/requires the organization to determine frequencies based on "importance...", "changes...", results of previous audits....", BUT if this is your organizations initial preparation for 3rd party registration, then it is important to include all processes for a full "round" of audits.

One thing that I have done for "new" teams in the past is as follows...
a) Create a matrix with each of your organizations determined processes (e.g. Buy ingredients- Assemble Pizza- Bake- Cut- Deliver) across the top of the columns.

b) Associated with each of the process columns, identify the aspects (clauses) of the standard that apply to each of those determined processes

c) Now consider and confirm the items in "b" when you are auditing the processes in "a'".

While check lists can certainly be helpful (especially for new auditors), ensure your people are taught HOW to audit before they look at the checklist.
e.g.: To the auditee (process owner),.... "what are you doing?", "why are you doing it?" "how do you know what to do?", "how do you control what you do"? , "how do you manage changes to what you do?" "how do you know how well you're doing (i.e. what's the score) "?

....THEN the auditor will have a clear understanding of what is and what is not being taken care of by the auditee and now the auditor can refer to the checklist as a safety net to make sure nothing was overlooked..

As mentioned above, focus on YOUR organization's processes and reverse engineer the expectations into the audit plan.

Hope this helps.
Be well.

 

[Danyboy32]

Our very small manufacturing company is new to ISO 9001:2015. We need to plan and complete our internal audit but are clueless as no one here has done this before.

We are a small manufacturing company also. If we outsource the internal audit process, Would we need to hire the external provider (e.g. consultant), during a 3rd party audit?Or the internal audit records would be enough for the external auditor?

 

[John C. Abnet]

We are a small manufacturing company also. If we outsource the internal audit process, Would we need to hire the external provider (e.g. consultant), during a 3rd party audit?Or the internal audit records would be enough for the external auditor?

Good day @Danyboy32 ;
Your would not need to have your consultant present during the 3rd party audit. Even if the consultant was present, you would still need to provide evidence of your internal audit records.

Hope this helps.
Be well.
John

 

[Willhele007]

Good day @Willhele007 ;
Obviously you have already received some great council in this thread. It has been assumed that your organization is "just starting" and preparing for initial registration . Please advise if that assumption is correct.

Specific to your question, the standard does not specify a frequency, but allows/requires the organization to determine frequencies based on "importance...", "changes...", results of previous audits....", BUT if this is your organizations initial preparation for 3rd party registration, then it is important to include all processes for a full "round" of audits.

One thing that I have done for "new" teams in the past is as follows...
a) Create a matrix with each of your organizations determined processes (e.g. Buy ingredients- Assemble Pizza- Bake- Cut- Deliver) across the top of the columns.

b) Associated with each of the process columns, identify the aspects (clauses) of the standard that apply to each of those determined processes

c) Now consider and confirm the items in "b" when you are auditing the processes in "a'".

While check lists can certainly be helpful (especially for new auditors), ensure your people are taught HOW to audit before they look at the checklist.
e.g.: To the auditee (process owner),.... "what are you doing?", "why are you doing it?" "how do you know what to do?", "how do you control what you do"? , "how do you manage changes to what you do?" "how do you know how well you're doing (i.e. what's the score) "?

....THEN the auditor will have a clear understanding of what is and what is not being taken care of by the auditee and now the auditor can refer to the checklist as a safety net to make sure nothing was overlooked..

As mentioned above, focus on YOUR organization's processes and reverse engineer the expectations into the audit plan.

Hope this helps.
Be well.

John,
This is actually our third year of certification. We have passed for 2 years without knowing or understanding what we are doing. Our auditors have been tough on us- we did not get a pass either. There is nothing out there to fully explain the process in a concise way- and believe me I have looked. External auditors assume that we already know how to do an internal audit. It seems to me that year after year the internal audits will be redundant if you only have a handful of products. Am I wrong to make this assumption?