2 Internal Audit Definition: ISO defines audits as Systematic, independent
and documented process for obtaining audit evidence
and evaluating it objectively to determine the extent to which audit criteria are fulfilled. Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization itself for management review and other internal purposes, and may form the basis for an organizations declaration of conformity. In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited. External audits include those generally termed second- and third-party audits. Second-party audits are conducted by parties having an interest in the organization, such as customers, or by other persons on their behalf. Third-party audits are conducted by external, independent auditing organizations, such as those providing certification/ registration of conformity to ISO 9001 or ISO 14001. When two or more management systems are audited together, this is termed a combined audit. When two or more auditing organizations cooperate to audit a single auditee, this is termed a joint audit. Introduction: An audit is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. Audits are structured and formal evaluations. The term systematic means the company must plan and document its system for auditing. It must have management support and resources behind it. Audits must be performed in an impartial manner, which requires auditors to have freedom from bias or other influences that could affect their objectivity. For example, having responsibility for the work, or a vested interest or shares in a supplier or third party company they are assigned to audit, would be conflicts of interest. Internal audits must be carried out to a procedure according to requirements given in clause 9.2 of ISO 9001:2015. The procedure must address the responsibilities for conducting the audits, ensuring independence, recording results, and reporting to management. Audits obtain objective evidence of conformity with requirements. The evidence must be based on fact and may be obtained through observation, measurement, test, or by other means. Evaluating the extent to which audit criteria are fulfilled involves an assessment of both implementation and effectiveness. Is the organization practicing what it described in its documentation? Are the practices being carried out well? The presence of nonconformities in a department or process may indicate the system is ineffective for those areas. 9.2 Internal Audit 9.2.1 The organization should conduct internal audits at planned intervals to provide information on whether the quality management system conforms to the organizations own requirements, the requirement of ISO 9001:2015 standards and is effectively implemented and maintained 9.2.2 The organization must plan, establish, implement, and maintain an audit program, which must include frequency, methods, and responsibilities, planning requirements and reporting. While making an audit program, consideration must be given to the importance of concerned processes, changes impacting the organization and the results of previous audits. It must define audit criteria and scope for each audit. It must select auditors and conduct audits for impartial and objective audit process. It must ensure results of audits are reported to relevant management. it must take necessary correction and corrective actions without undue delay. It must retain evidence of audit program implementation and audit results. Internal audit is the one of the important tool required by this standard used to gauge the health of your QMS. How effective is it in meeting ISO 9001, your own QMS, customer and regulatory requirements. You must have a documented procedure for your internal audit process.The scope of your internal audit program must cover the: Audit of operation processes to determine conformity of both product / services and their processes to customer and applicable regulatory requirements. Audit of the QMS to determine conformity to the ISO 9001 standard. Audit of the QMS to determine conformity to organizational requirements. Audit of QMS processes and their interaction to determine if the QMS has been effectively implemented and maintained. In determining the time frame for your audit program, you should consider organization size, complexity of product and processes, health of the QMS, customer, registrar and regulatory requirements, etc. The most common time frame is six months. Consider adjusting the audit frequency and perhaps even the audit scope, of specific processes or group of processes, when: You experience internal or external nonconformities. Get customer complaints. Have critical or high risk processes. Have frequent or significant changes to processes and product. Your internal audit program should consider the following: Input from audited area and related areas Key customer oriented processes Process and product performance results and expectations
Opportunities for continual improvement
Feedback from customers Audit criteria, refers to the specific QMS policies, objectives, ISO requirements, documentation, customer and regulatory requirements, etc., that the audit is referenced to or conducted against. Audit criteria may relate to the whole audit program as well as each individual audit. Audit methods refer to the specific techniques that auditors use to gather objective audit evidence that can be evaluated to determine conformity to audit criteria. Examples of audit methods include interview of personnel, observation of activities, review of documents and records, etc. You must define the minimum qualification requirements for internal auditors. These requirements include knowledge of QMS processes and their interaction, related QMS controls, customer requirements, applicable regulatory requirements, the ISO 9001 standard, the audit process and audit techniques. Internal auditors needs to be trained in the ISO 9001 standard as they generally audit for conformity to organizational requirements and also for conformity to ISO 9001 requirements. Additionally, the ISO 19011:2002 Guidelines for quality and environmental auditing says that auditors should have knowledge of quality management system standards and their application to the organization. You must have appropriate resources for your annual audit program. These include having sufficient trained auditors available to conduct scheduled audits, sufficient time to perform audits, availability of department or process personnel to be audited, time and tools to prepare audit records and reports, etc. Auditor should be Independent. During the audit Auditors should ensure that the objectivity and impartiality of the audit is not compromised. Auditors cannot audit their own work. Auditor independence must be ensured when assigning personnel to specific audits. Process owners must take timely corrective action on nonconformities found in their area. They should use the corrective action procedure to determine root cause, take appropriate action and follow-up to determine if results indicate that the root cause has been eliminated. Audit results must be summarized and reported for management review. The Process manager must also report any opportunities for QMS improvement. The Process manager must analyze the results of each audit as well as the annual audit program to determine strengths and weaknesses in QMS processes, interactions, functions, products, etc., to identify and prioritize opportunities for improvement. Audit records include annual audit schedule, audit planning such as criteria, scope, frequency, methods, auditor selection and assignment, etc., auditor competence and training, audit checklists and forms, audit notes and other evidence gathered, audit findings, nonconformity reports, audit reports, corrective actions and follow-up of internal audit nonconformities, analysis of audit program performance indicators and trends, and identified improvement opportunities. Performance indicators should be used to measure the effectiveness of your internal audit process and monitor trends in these indicators, to continually improve your audit program. Performance indicators may include reducing the number of late or delayed audits, incomplete audits, incomplete audit records and late reports, auditor errors, auditee complaints, and use of untrained auditors, etc. The output of your internal audit program may be used as performance indicators to: Determine the degree of conformity of the QMS to ISO 9001, customer and regulatory requirements. Determine the effectiveness of QMS implementation and maintenance. Determine the degree of conformity of product to contractual and regulatory requirements. Identify areas of the QMS that need improvement. Audit Objectives Always establish the objectives of the audit. Audit objectives are not limited to the ISO 9001 standard. Clear audit objectives help determine the scope and depth of the audit, as well as, the resources needed. Being clear on the objectives provides focus and helps the auditor from being distracted and going off on unnecessary detours beyond the scope of the audit. Audit objectives may include: Evaluating conformity of requirements to ISO 9001 Evaluating conformity of documentation to ISO 9001 Judging conformity of implementation to documentation Determining effectiveness in meeting requirements and objectives Meeting any contractual or regulatory requirements for auditing Providing an opportunity to improve the quality management system Permitting registration and inclusion in a list of registered companies Qualifying potential suppliers Types of Audits Audits that are carried out to determine whether an organization conforms to a quality Standard may be termed Quality System Audits. This type of audit requires the auditor to use a fair degree of judgment to establish whether controls are adequate. Many second and third party audits are carried out as Quality System Audits. Audits that are carried out against specifically defined practices, procedures, and instructions, and that are perhaps (but not necessarily) more limited in their scope, are termed conformity audits. Many internal audits and many contract related audits between two parties are carried out as conformity audits. Process and product audits are subsets of QMS conformity audits and therefore limited in scope..An ISO 9001 process audit evaluates the controls and characteristics of a specific process, as well, as its relationship with other processes and may include using some or all of the following approaches: Individual processes in terms of:
Input / Output / Value-added activity
Plan / Do / Check / Act Relationship to other processes in terms of: Flow / Sequence / Linkage / Combination Interaction / Communication Customer contract for conformity to contractual requirements through the various processes used to fulfill the customers order Audit trails following concerns or unresolved issues to processes or departments, that are be beyond the scope of a specific audit. Process audits may include the following processes, as well, as related sub-processes Context of organization; Leadership; Planning; support; Operations; Performance evaluation; Improvement. A product/Service audit is a process audit that focuses on the processes needed for executing operations for the product or service realization.
Raj B. K. N. Rao (auth.), Raj B. K. N. Rao, A. D. Hope (eds.)-COMADEM 89 International_ Proceedings of the First International Congress on Condition Monitoring and Diagnostic Engineering Management (C.pdf