ISO 9001 Audit Types and Execution Methods

ISO Audit:

ISO 9001 is the international standard that specifies requirements for a quality management system (QMS). An ISO 9001 audit is a systematic, independent, objective and documented process for gathering facts. These facts help you identify areas for improvement and ensure you have best-practice processes in place.

During an ISO audit you:

  • Verify that the management system is in compliance with the relevant ISO standard
  • Check to ensure that the actions taken to meet the quality objectives of the organization are suitable
  • Verify that any problems within the management system have been addressed
  • Look for any improvements that can be made to the system

The ISO 9000 family addresses various aspects of quality management and contains some of ISO’s best known standards. The standards provide guidance and tools for companies and organizations who want to ensure that their products and services consistently meet customer’s requirements, and that quality is consistently improved.

ISO 9001 Audit Types

ISO 9001:2015

ISO 9001:2015 sets out the criteria for a quality management system and is the only standard in the family that can be certified to. It can be used by any organization, large or small, regardless of its field of activity.

This standard is based on a number of quality management principles, including a strong customer focus, the motivation and involvement of top management, the process approach and continual improvement.

ISO 9001 Audit Types and How They are Executed

There are two main categories of audits: internal and external.

The three ways audits can be conducted are:

  • On-site audits: These audits are performed in full days. The number of days needed for an audit depends on several factors, including the size, complexity, risk and nature of the organization.
  • Remote audits: These audits may be performed via web meetings, teleconferencing or electronic verification of processes. Remote audits are less common and typically not as effective as on-site audits.
  • Self-audits: A self-audit is not always an internal audit. A customer may request that you audit yourself so that they do not need to commit their own resources.

Audit Types:

Internal Audits: Internal audits are audits performed by your own organization. They are a self-examination of your organization’s QMS, performed on-site. Internal audits are an ISO 9001 requirement and they are critical to the success of your QMS. The internal auditor must be independent of the area being audited to ensure objective results.

Internal audits are used to assess conformity, evaluate effectiveness and identify opportunities for improvement. When you perform an internal audit, you can compare your quality management system against the requirements and find any non-conformances. This lets you correct your QMS and ensure that your organization will meet the requirements of the external auditor, allowing for certification.

External Audit:

External audits include customer, supplier, certification and surveillance audits. A customer audit is where an existing or potential customer audits your organization to verify that you can meet, or are meeting, their requirements. If you are auditing an existing or potential supplier, this is considered a supplier audit.

Certification Audit:

A certification audit is an audit your selected registrar conducts to verify conformance against the ISO 9001 standard before they issue your official ISO 9001 certificate. Certification audits are typically conducted every three years. After certification, your registrar will check up on you periodically using surveillance audits to verify that you are still upholding your QMS and the ISO requirements. Surveillance audits are very much like certification audits, except that they do not issue or re-issue a certificate. They are typically conducted by your registrar annually.

Certification audits are typically conducted in two stages, Stage 1 and Stage 2.

Stage 1 is often conducted remotely to check readiness for Stage 2. Stage 2 audits are always on-site audits. This is where the auditor interviews your staff and reviews your documented information (procedures, records, etc.) to verify that you are meeting all the ISO 9001 requirements.

One of the most obvious differences between the 9001:2008 and the 9001:2015 standard is the clause structure. ISO 9001:2008 has eight clauses (Clauses 4-8 are requirements), whereas ISO 9001:2015 has ten (Clauses 4-10 are requirements).

What topics does ISO 9001:2015 cover?

It provides a process-oriented approach to documenting and reviewing the structure, responsibilities and procedures required to achieve effective quality management in an organization. Specific sections of the standard cover many topics, including:

  • Requirements for a quality management system including documented information, planning and determining process interactions
  • Responsibilities of management
  • Management of resources, including human resources and an organization’s work environment
  • Product realization, including the steps from design to delivery
  • Measurement, analysis, and improvement of the QMS through activities like internal audits and corrective and preventive action

Some of the key updates in ISO 9001:2015 include:

  • The introduction of new terminology
  • Restructuring some of the information
  • An emphasis on risk-based thinking to enhance the application of the process approach
  • Improved applicability for services
  • Increased leadership requirements

ISO 9001:2015 Risk Management

A risk is a positive or negative deviation from the expected. The better your organization manages risks, the better prepared it is to face uncertainties. Organizations are required to come up with mitigating plans for risks during the planning stage. There are several requirements around risks and opportunities throughout the ISO 9001:2015 standard.

Risk-based thinking is presented in the introduction of the ISO 9001:2015 standard. ISO 9001 has always advocated mitigating and avoiding risk. ISO 9001:2015 replaced the term “preventive action” with “actions to address risks and opportunities”.

The table below lists a few of the ISO 9001:2015 clauses that relate to risk management.

ISO 9001:2015 clause | Comments
--- | ---
4.4 Quality management system and its processes | The overall quality management system (QMS) must consider both risks and opportunities as part of its core planning process.
5.1 Leadership and commitment | Those who lead the organization must promote risk-based thinking.
5.1.2 Customer focus | Ensure risks and opportunities that affect customers are determined and addressed.
6.1 Actions to address risks and opportunities | When planning for the QMS, determine and address risks and opportunities.
9.1.3 Analysis and evaluation | Evaluate the effectiveness of actions taken to address risks and opportunities.
10.2 Nonconformity and corrective action | Update risks and opportunities determined during planning, if necessary.

How to address risks and opportunities?

While evaluating risk, it is helpful to use two metrics or parameters:

  1. Severity (If the risk occurs, how serious is it?)
  2. Probability (What is the probability of the risk occurring?)

Common methods for identifying and addressing risk include maintaining a risk register, performing FMEA (Failure Mode and Effects Analysis) or FTA (Fault Tree Analysis), using a Probability and Impact Matrix, or other risk management exercises.

When addressing risks and opportunities, these are key steps:

  1. Define the risk or opportunity type, i.e. whether it derives from context, process, or products/services.
  2. Define the activity or source from which the risk or opportunity comes.
  3. Determine the category the risk falls under.
  4. Thoroughly describe the risk.
  5. Define the impact and the probability of occurrence.
  6. Establish how your organization will treat the risk and create a predefined list of treatments.
  7. Define the acceptable action to treat the risk.
  8. Identify opportunities and describe how the organization will capitalize on them by documenting an action plan.
  9. Regularly review risks and opportunities.
  10. Describe the procedures and forms related to risk and opportunity in a documented information module.
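The following is an added example (not from the original article or any ISO publication) of a small risk register that scores each entry on the two parameters above, severity and probability, places it in a probability and impact matrix and assigns a predefined treatment, following steps 1 to 7. The 1-5 scales, the band thresholds, the treatment list and the sample entries are all assumptions made for this example; the standard prescribes none of them.

```python
from dataclasses import dataclass

# Ordinal scales and treatment list are constructed for this example.
SCALE = range(1, 6)  # 1 = negligible / rare ... 5 = critical / almost certain
TREATMENTS = {"high": "mitigate or avoid", "medium": "mitigate", "low": "accept and monitor"}

@dataclass
class RiskEntry:
    risk_type: str       # step 1: "context", "process" or "product/service"
    source: str          # step 2: activity the risk comes from
    category: str        # step 3: category the risk falls under
    description: str     # step 4: thorough description
    severity: int        # step 5: impact if the risk occurs (1-5)
    probability: int     # step 5: likelihood of occurrence (1-5)
    treatment: str = ""  # steps 6-7: filled in by plan_treatment

def risk_score(entry: RiskEntry) -> int:
    """Cell value of the probability and impact matrix: severity x probability."""
    if entry.severity not in SCALE or entry.probability not in SCALE:
        raise ValueError("severity and probability must be rated 1-5")
    return entry.severity * entry.probability

def priority(score: int) -> str:
    """Map a matrix cell to a band; the thresholds are an assumption of this example."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def plan_treatment(register: list) -> list:
    """Assign the predefined treatment to every entry and return the register
    ordered highest risk first, as (description, score, treatment) tuples."""
    for entry in register:
        entry.treatment = TREATMENTS[priority(risk_score(entry))]
    ordered = sorted(register, key=risk_score, reverse=True)
    return [(e.description, risk_score(e), e.treatment) for e in ordered]

# Constructed sample register for a small manufacturing QMS.
SAMPLE_REGISTER = [
    RiskEntry("process", "incoming inspection", "supplier", "Defective parts accepted", 4, 4),
    RiskEntry("context", "single-source supplier", "supply chain", "Supplier outage stops production", 5, 2),
    RiskEntry("product/service", "packaging", "customer", "Labelling error on shipment", 2, 3),
]

if __name__ == "__main__":
    for row in plan_treatment(SAMPLE_REGISTER):
        print(row)
```

Step 9's regular review is then a matter of re-running the scoring after each entry's severity or probability is updated.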

Unichrone offers ISO 9001 Lead Implementer Training, ISO 9001 Lead Auditor Training