ISO 9001 Internal Auditing

For something that is, in theory, relatively straightforward. The subject of what makes a good internal quality audit can certainly get some people all hot under the collar

ISO 9001 requires organisations to “implement & maintain” an internal audit program, and so, like it or not, organisations that need ISO 9001 registrations need to be able to demonstrate something that meets the definition

The requirements are actually quite clear, and boiled down to its elements, clause 8.2.2 requires that internal audits demonstrate the following attributes

  • A plan or schedule for carrying them out that is up-to-date
  • Specific scope and criteria for each audit
  • A rationale behind the frequency of audits that is based on things like criticality, recent changes and level of problems
  • Competent and independent internal auditors
  • Documented and sufficiently descriptive findings
  • A discipline of dealing with non-conformities in a timely way
  • A periodic review of findings at top management level

But often many of these things are ignored. For what reason I would not like to speculate. For example a recent training client of mine had been allowed a three year period of grace from their certification body (a large BRITISH CB – there’s a clue) before they received a minor non-conformity for not conducting audits. Seriously, they hadn’t done any for THREE YEARS

That’s an extreme case, but more often we see things like;

  • the rationale behind the frequency is not questioned
  • the quality of the reports is poor and lacking in detail
  • corrective actions are superficial and fail to deal with “root cause” and
  • good practice is not be reported

There are also a couple of myths that need exploding. For example, all procedures must be audited at least once per year (which they don’t) and non-conformities must be graded “major” and “minor” or by some equivalent (which gain they do not)

The thing that continually baffles me, however, is that it usually takes about the same level of time and effort to do them well as it does to do them badly. It certainly is a strange one. Do them well and at the right time and there’s some really useful management information to be generated


Doru and Dragos in auditing mode a couple of years back

This entry was posted in Auditing, ISO 9000 and tagged , . Bookmark the permalink.

4 Responses to ISO 9001 Internal Auditing

  1. Pingback: Beginner's guide to ISO 9001 | Capable People Blog

  2. Pingback: EFQM and ISO 9001 - a comparison of approaches | Capable People Blog

  3. Andy Nichols says:

    Agreed! I see the root of the issue is that there’s no training available to train people in how to manage the audit program. Even if auditors were given good training in doing audits, if they turn up to do audits under the wrong premise, they won’t be as effective anyway.

    Auditor training is, and has always been, based on supplier auditor training (from British Gas) back in the 80s and hasn’t changed (much) since. What’s not been considered is that the needs of supplier audit management is mainly triggered by two things – supplier problems and qualification of a new supplier. Internal audits have (significant) others. What’s needed is a complete revamp of the IRCA and RABQSA style training program.

  4. shaun says:

    I think we have to be realistic about what you can do in 5 days Andy. If we are to burden “training” with a substantial share of the blame (and I’m not saying that might not be relevant) we also have to accept that there are natural limits on any improvement curve in this direction, based on the current 5 day (for IRCA) and 4 day (for RABSQA) “flagship” training programs. I know of no other specialism that takes itself so seriously where they think 5 days and a 2 hour open book would be any more than an introduction. Most other training programs are measured in years, not hours. So as things stand I would have to say that a trainer can only go so far, and what happens when these characters are set loose is fair and square the responsibility of their employer or contractor

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.