Management system guidance
9.0 Performance Evaluation
ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.
Our range of templates cover the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018, and offer an easy way to implement your next management system.
9.2 Internal audit
The guidance shown on this page is relevant to ISO 9001, ISO 14001 and ISO 45001. Your organization should establish an internal audit programme to cover all requirements of the standards. In addition, you should ensure that consideration is given to the status and importance of the processes that comprise the audit programme and the results of previous audits.
If you need a procedure and forms to help your business control its auditing process, click here. Objective evidence should demonstrate information of concerning the effective implementation the audit programme, as well as a sample of audit results. The internal audit process should include the following activities:
- The development of a programme of internal audits which can be revised depending on the results of previous audits and the results of performance monitoring;
- The identification, selection and training of internal auditors;
- The analysis and evaluation of the results of internal audits;
- The identification of the need for corrective or improvement measures;
- The verification of the completion and effectiveness of these measures;
- The documentation pertaining to the execution and results of audits;
- The communication of the results of audits to the top management.
The internal audit process is part of the continual improvement feedback loop to evaluate and improve the effectiveness of the management system. It also highlights where processes and procedures are not addressing risks adequately and where changes are needed to improve efficiency or effectiveness. The audit process also serves as a method of compliance monitoring.
Setting up your internal audit programme
During the early stages of implementing ISO 9001:2015, or any other management system standard, the internal audit programme often focuses on ensuring that any compliance issues or nonconformities are discovered and rectified prior to the Certification Body assessment. However, once your organization becomes certified, the internal audit programme must evolve.
The focus of the internal audit programme should be re-directed, away from 'clause-based' compliance with standards, to an audit strategy that bases the audit frequency upon process performance data, feedback from customers, etc., to ensure that you are focusing on the risks and issues that should be on Top management's radar.
When designing the audit programme you should ensure that customer feedback, organizational changes and risks and opportunities are brought into consideration. You should consider process importance as the degree of direct impact that process performance has on customer satisfaction; i.e. could the process provide the customer with a defective product?
You should consider process status in terms of maturity and stability; a more established, proven process will be audited less frequently than a newly implemented or recently modified process. Conversely; processes which are not performing to the planned arrangements should be audited more frequently.
Support processes should be given a lower ranking than the manufacturing/service provision processes. In addition, the results of previous audits should be considered too. Processes that have been audited recently that have shown effectiveness and improvement should be audited less frequently. When applying risk-based thinking to select internal audits and their frequency, consider the following:
- Processes that are critical to product and service quality;
- Complex processes that require close monitoring and control to ensure conformity;
- Balance across operational and non-operational processes;
- Processes that utilize qualified personnel;
- Activities or processes that occur across multiple locations;
- Processes impacted by human factors;
- Introduction of new or changed processes;
- Changes affecting the organization;
- Statutory and regulatory issues;
- Process performance, e.g. process conformity/non-conformity, escapes to the customer, complaints, previous internal/external audit results, identified risk (see 6.1 and 8.1).
When designing your internal audit programme you should ensure that customer feedback, organizational changes, and risks and opportunities have been brought into consideration. Internal audit programmes that are based on risk and customer feedback will help your organization to embark upon new methods of compliance in which risk-based thinking and continual improvement are the drivers, rather than compliance.
Determining the frequency of internal audits
Deciding the frequency of internal audits will depend on the perceived need for the audit and the size and complexity of your organization. The frequency of internal audits should depend on the criticality of each process and the perceived need to audit it, but all processes should be formally audited at least once during a 2-year audit cycle.
Critical processes that directly affect process and product conformity, and customer satisfaction should be audited more frequently, e.g. monthly, quarterly, or more regularly as required. When determining internal audit frequency, you should consider the following:
- The level of risk associated with the activity, policy or procedure;
- The priority of the specific element of the management system;
- The results of previous audits; and
- The significance of problems identified in the areas to be audited.
The basic requirement of the quality management system is that it is audited at least once per year. If many issues are found during audits, then additional audits can be undertaken to help get that part of the system working effectively again as soon as possible.
If some areas are not audited in a given year, then they can be scheduled for audit the following year and so forth. Some audits are likely to be conducted on a monthly basis in order to cover all manufacturing processes over the year. Unscheduled audits may be conducted at any time based upon:
- Previous audit results;
- Regulatory inspections;
- Operational changes (planned or unplanned);
- Management review concerns;
- Identified non-conformances.
The frequency of internal audits should be reviewed and, where appropriate, adjusted based on occurrence of process changes, internal and external nonconformities, and/or customer complaints. The effectiveness of the audit programme should be reviewed as a part of management review.
Based on the audit process derived from ISO 9001:2015 and ISO 19011:2018, our audit checklists, internal audit programme, procedures and report templates help deliver meaningful results through effective audit planning, performance and reporting.
Gap analysis audits
The unique knowledge obtained about the status your existing quality management system will be a key driver of the subsequent implementation approach. Armed with this knowledge, it allows you to establish accurate budgets, timelines and expectations which are proportional to the state of your current management system when directly compared to the requirements of the standards.
The results of a gap analysis exercise will help to determine the differences, or gaps, between your existing management system and the requirements of ISO 9001, ISO 14001 or ISO 45001. Not only will the analysis template help you to identify the gaps, it will also allow you to recommend how those gaps should be filled.
The gap analysis output also provides a valuable baseline for the implementation process as a whole and for measuring progress. Try to understand each business process in the context of each of the requirements by comparing different activities and processes with what the standard requires.
At the end of this activity you will have a list of activities and processes that comply and ones that do not comply. The latter list now becomes the target of your implementation plan.
Management system audits
Management system audits are commonly referred to as a ‘first-party audit’ and are conducted by an organization to determine compliance to a set of audit criteria in the form of requirements that arise from standards like ISO 9001, ISO 14001 or ISO 45001, as well as customer, or regulatory requirements.
The internal audit checklist is just one of the many tools which are available from the auditor’s toolbox that help ensure your audits address the necessary requirements. The checklist stands as a reference point before, during and after the audit, and will provide the following benefits:
- Ensures the audit is conducted systematically;
- Promotes audit planning;
- Ensures a consistent audit approach;
- Actively supports your organization’s audit process;
- Provides a repository for notes collected during the audit process;
- Ensures uniformity in the performance of different auditors;
- Provides reference to objective evidence.
Before a new audit is started in a particular area, it is important to check the status of any outstanding issues since the last audit (if any) was performed in the area. If there are outstanding issues, then they may be carried forward into the current audit, and the previous audit could then be closed off.
The system audits are best undertaken using and internal audit checklist. This type of audit focuses on the quality management system as a whole, and compares the planning activities and broad system requirements to ensure that each clause or requirement has been implemented.
The adoption of the ‘process approach’ is mandated by ISO 9001:2015 and is one of the most important concepts relating to quality management systems. Process auditing is about auditing your organization’s processes and their interactions, which together comprise the quality management system.
The process audit provides assurance that the processes have been implemented as planned and provides information on the ability of the process to produce a quality output.
Using the internal audit checklist to undertake a clause-by-clause audit works very effectively for the initial audits in preparation for implementation, gap analysis or certification. However, once your management system is implemented, your organization is expected to develop a process approach to its auditing programme.
Use the process audit template for conducting an in-depth analysis to verify that the individual processes comprising the management system are performing and producing outputs in accordance with the planned outcomes. The process audit also identifies any opportunities for improvement and possible corrective actions. Process audits are used to concentrate on any special, vulnerable, new or high-risk processes.
The process approach is one of the core quality management principles, which is defined as a ‘consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system’.
A process is a set of interrelated activities that transform inputs, such as materials, customer requirements and labor, via a series of activities into outputs, such as a finished product or service. Various stages of the process must meet various applicable clauses of the standard. There are six characteristics to look out for when auditing a process:
- Does the process have an owner?
- Is the process defined?
- Is the process documented?
- Are links between other processes established?
- Are processes and their links monitored?
- Are records maintained?
As part of the process approach, the process audits must be scheduled according to the processes defined by your management system. The audit schedule should not be based on the clauses of the standard, but it should instead be based upon the importance and criticality of the process itself. The process approach to auditing should cover three vital stages:
- Preparing for the audit; (desk review)
- Auditing the process and its linkages;
- Preparing the summary and audit report.
An audit of each process should be conducted at planned intervals in order to determine whether the processes conform to planned arrangements in order to determine whether the process is properly implemented and maintained and to provide process performance information to top management.
Effective process auditing requires the auditor to identify and record audit trails that will make a difference to the organization. The audit should begin with the process owner in order to understand how the process interacts with the other process inputs, outputs, suppliers and/or customers.
What are ‘audit criteria’?
We’ve all heard the term ‘audit criteria’ but what exactly does it mean? As defined in ISO 19011:2018, audit criteria are used as ‘a reference against which conformity is determined’. It goes on to say that ‘The criteria may include one or more of the following:
- Policies, processes and procedures;
- Performance criteria including objectives, statutory and regulatory requirements, management system requirements;
- Information regarding the context and the risks and opportunities as determined by the auditee (including relevant external/internal interested parties’ requirements);
- Business sector codes of conduct or other planned arrangements.
Basically, all documented information that helps you to prove the consistency and compliance of your quality management system should be part of the scope for each individual audit. If you are auditing to verify that the requirements of ISO 9001, ISO 14001 or ISO 45001 are implemented, then the standard itself becomes the audit criteria.
If you are going to audit your management system documentation as per ISO 9001, ISO 14001 or ISO 45001, the audit criteria become the standards themselves, and any relevant quality management system documentation such as the quality manual, procedures, work instructions, standard operating procedures, and forms, etc.
If you are going to conduct a product audit against a production control plan, the audit criteria will be the control plan itself, or relevant parts of it. The same applies when auditing an operator to see whether they follow the Work Instruction, the audit criteria is the Work Instruction for that process and any applicable criteria.
Preparing the internal audit report
A good summary report is the final output of the audit and deserves an appropriate amount of attention and effort. The audit report is the detail of what was found during the audit.
It presents an overall summary of the audit findings, as well as any positive aspects noted during the audit. The audit report must also identify nonconformities identified during the audit and their associated corrective actions.
The Internal Auditor should be responsible for finalising the audit report, which should include:
- The area and element/procedure/process audited;
- Audit team composition, audit scope, persons interviewed;
- Executive summary;
- Observations and key findings (identified nonconformities);
- Opportunities for improvement, which are areas that may become nonconforming in the future;
- Graphical representation of findings.
On completion of the audit, a closing meeting should be scheduled between the audit team and the organization or department being audited, to present the results of the audit and discuss any subsequent steps required to complete the audit.
Observations may also be recorded for future consideration. The audit report needs to be signed by the lead auditor and the manager of the relevant department, and distributed as required to relevant persons. The findings and conclusions should be formally documented as part of the summary report. Too often, the audit report only recites back facts and data the managers already know. The value is in identifying issues and opportunities they do not know!
This summary should be reviewed first with the lead auditor, then the Process Owner and Management Team. Make final revisions and file the audit report and all supporting audit materials and notes.
The audit summary and the corrective action forms should be attached to the audit report, which now becomes the audit record. Only the summary report and corrective actions need be given to the Process Owner and a copy of the audit report should be given to Top management.
More information on PDCA
Monitoring, measurement, analysis and evaluation
Want to know more?
- Read our customer's feedback
- Client list - who's using our templates?
- How the templates are formatted and download examples
- Why we use turtle diagrams and process maps
- What's the difference between a process and a procedure?
- About documented information
A certificate guarantees the information your internet browser is receiving now originates from the expected domain - https://www.iso9001help.co.uk. It guarantees that when you make a purchase, sensitive data is encrypted and sent to the right place, and not to a malicious third-party.
Free PDCA guidance
ISO Navigator™ is our FREE online training tool that shows you how to apply the principles of PDCA to your operations. We also offer many helpful templates that get you on the road to documenting your management system, please visit the download page.