The role of the internal audit in the performance evaluation and upkeep of your Quality Management System (QMS) is highlighted in the ISO 9001:2015 requirements. This is one of the main tools you have in place to verify that your processes are meeting the planned arrangements you set out for them to achieve. Although your key process indicators may be telling you that the outputs of the process are certain, the internal audit is a good opportunity for you, as the process owner, to be reassured that the small details of the process are also happening as planned. The internal audit will also provide some opportunities for improvement of your process, and should you find that something is not happening as planned, you have the opportunity to correct it for the future. The internal audit is good for your process.

However, this does not stop the employees who are going to be audited from worrying about what will be found


 

Understanding why people get worried

The employees in your organization want to do a good job, and having someone from outside of their department coming in to look at their work can make some people worry. Unfortunately, even though the purpose of the internal audit is to verify conformity to the requirements, many people think that this is a fault-finding exercise. As a result, they become concerned that a small mistake will be found and lead to serious problems for them in the workplace.

Remember that the internal audit process is a way for the auditor to review the planned arrangements for a process, create an audit checklist for the process, review what is happening in the process to verify that the planned arrangements are being met, and report on their findings when the audit is complete. The internal audit process is intended to help your process, and making sure your employees understand this will be important in helping them to prepare for the internal audit.
 

How do you prepare your employees for an internal audit?

There should really be no preparation required for the records of your process – this is, after all, how you perform your process daily, so the records should already be in good shape. Even so, there are a few things that you can remind your employees about to help them prepare for the internal audit:

Remind them how the internal audit works – Even if they have been through an internal audit before, it is helpful to remind employees that the internal audit is there to confirm conformance to the process plans, and even if there is a problem found, this is just a chance to make corrections and ensure that the process is stronger going forward.

Refresh where the planned arrangements are found – Even if you have a documented procedure for your process, it is likely that employees might not use this every day. A quick reminder of what your procedures are, where the information can be found, and where the records are kept can go a long way toward helping an employee to feel more prepared when a question is asked.

Answer to the best of their ability – Auditors know that people can be nervous, and sometimes will forget the answer to a question. It is acceptable to say: “I forget that right now, but here is where I can find that information,” and then to show the auditor the procedure or other information they need. If an employee doesn’t know an answer, it is far worse to make up the answer than to just say, “I don’t know, but I can find out.”

Perfection is not a requirement – When a problem is found during an internal audit, the most effective use for a corrective action is for a systematic problem. This means that if a small mistake was made that is not a recurring problem, then it’s not the end of the world. We can fix the small mistake and go forward – sometimes mistakes happen, and that is OK.

Ensure that corrective actions are not a search for the guilty – People tend to remember what happened before, so make sure that if a problem is found, that it is corrected, and corrective action applied, without laying blame or pointing fingers at anyone. For long-term employees, a negative experience with other managers in the past may be why they are fearful of the internal audit process to begin with, so make sure this does not happen with you as the process owner.

Knowledge is the key to fighting the fear of the internal audit

The only way to fight the concerns of employees is with knowledge. Teach your employees what the internal audit is, how it works, and how any findings are dealt with. Give the employees some advance knowledge so that they know what is expected of them, and that there will be no recriminations against them if a non-conformance is found. The internal audit is not a search for the guilty. It’s a time to verify that things are working as planned, and if they aren’t, then corrections will be made going forward. The more you help your employees to be prepared, the better information you will get from the internal audit in order to find continual improvements within your processes – and continual improvement is one of the biggest benefits you will get from both the internal audit and your QMS.

Writing an Audit Checklist for ISO 9001 Processes

For many people who perform internal audits, there is always a question of the best way to create an audit checklist when preparing your internal audit. Unfortunately, there is no one best way to do this. Audit checklists can take many forms, and there are many ways to create them, but there are a few things that should be remembered when preparing these documents.

In a recent article on 13 Steps for ISO 9001 Internal Auditing using ISO 19011, I discussed the steps identified in the ISO 19011 guidelines for performing audits of a quality or environmental management system. In this approach I identified two steps that are critical to the creation of audit checklists: step 2, to review the documents, and step 5, to prepare the working papers. It is during step 2 that you will find the questions you want to include on your audit checklist and in step 5 that you will create the checklist with the questions.
 

Review of the process documents

During the review of the process documents there are a few things that are important to check, as these things can comprise the most critical questions to ask. Here are a few things to look for during your documentation review:

Corrective action responses: If the documentation has been updated in response to previously identified corrective actions or opportunities for improvement, then this should be looked at. If the follow up for the corrective action has not yet been performed, this is a good time to do so by checking the effectiveness of the updates to ensure that the previously identified problems do not recur. Also, check that the change has been properly implemented and that all employees who need to understand the change know what is happening.

Process or procedure updates and improvements: Even if there have been updates that were not in response to identified problems, it is good to follow up on these changes to make sure they have been properly implemented and communicated.

Unchanged areas: If you are dealing with a process for which the documentation, or portions of the documentation, have not been updated for a long time, you might want to focus a bit of attention on verifying that the documented process is still accurate. If the process in place has been improved by employees implementing best practices, this is great – but you need to make sure that this does not contradict what is in the procedures.

Preparing the audit checklist

The ISO 19011 document calls this “preparing the working papers,” but it is commonly called an audit checklist. The checklist becomes a list of information and questions that the auditor wants to ask during the audit to verify that the process is performing according to plan. Along with the items identified in the documentation review, here are some other things that are important to consider when creating the audit checklist:

The ISO 9001 requirements: It is critical that part of the internal audit is to ensure that the requirements of ISO 9001 are met in the process. This is especially important if the process does not have a documented procedure associated with it. As such, including questions that will verify that the process is conforming to the requirements of the ISO 9001 standard is imperative.

Process Overview: When the process approach was introduced to the ISO 9001 standard, many auditors implemented a process overview style of audit (sometimes called a “turtle diagram,” because some people think it looks like a turtle). This approach allows you to look at the elements of the process even if there is no documented procedure. The focus is to ensure that each part of the turtle is understood, consistent, and supports the effectiveness of the process, as well as the other processes before and after the process. In some cases a marked-up version of the turtle diagram could become the completed audit checklist for a simple process.

Inputs and Outputs: One area of the process approach to quality management that often has difficulty is ensuring that the outputs from one process are correctly received as inputs by the next process. Does the output include all the information needed by the next process (if the next process employees are searching for information that could be easily included, this is a waste of time)? Is the output even used by another process (if not, question why the output exists)? Checking for these problems will help your internal processes flow much better, saving time and money.

Process Objectives and Key Performance Indicators (KPI): All processes have some sort of indicator of the acceptable results (as indicated in the turtle diagram). Verifying the process performance against these expected results can help you, as an auditor, to understand whether the overall process is performing as expected. It can also help you to understand how well the resources are applied and implemented if the indication shows that improvement is needed.

Understanding your initial sample: In order to audit the process for the review of contracts (to ensure they are completed and approved), you will not want to look at every contract. It is important to understand this going into the audit and to identify to yourself how many samples you want to start with and how you will choose them (hint: the person being audited should probably not choose what data you want to look at). This could be choosing from a list, or the first contract per week for the last five weeks, or any criteria you choose.

Preparation is the key to a successful audit

However you choose to document your audit checklist: as a process diagram, a list of questions, a list of activities to observe for consistency, a copy of the procedure with highlighted areas to check, or a list of documents to verify for completeness, it is important to make sure you are prepared with your starting points. An audit query can lead to further questions or documents to verify (the audit trail), but the checklist needs to include the starting point so that you don’t try to write your questions from scratch as you audit. Good preparation will help make your audit more professional, and therefore more trusted and accepted, and this will make it easier to have any corrective actions accepted to improve your system.

How to create a checklist for an ISO 9001 internal audit for your QMS

One of the most important checking tools in a Quality Management System (QMS), or any management system, is the internal audit. The ISO 9001:2015 requirements are very clear that this is a critical element of your QMS; and, since you want to know how your processes are functioning, your internal audits become a key resource. Although audit checklists are not stated as a requirement in the ISO 9001:2015 standard, they are a widely used and  important tool to make sure that when you perform an internal audit on a process you do not miss any elements of that process.

What does ISO 9001:2015 require the internal audit to do?

 

To better understand the why and how of internal audit checklists, it is helpful to understand what the ISO 9001:2015 requirements state about why we do internal audits. As per clause 9.2.1 of the standard, the internal audit is there to perform two functions:

• to make sure that the processes are meeting the planned arrangements that the company has identified for the process in the QMS and any requirements that the IOS 9001:2015 standard has in place for that process
• to make sure that the process is effectively implemented and maintained

So, when you are creating an audit checklist you want to include the information needed to make sure that you successfully check these two outcomes of the process.

How do you create a checklist to check conformance?

An internal audit is there to witness the outcome of a process through a review of records or witnessing the actions of the employees, and to then compare this to the planned arrangements for the process to see if what is being done is what was planned. As can be seen above, there are two sets of planned arrangements to check: those required by ISO 9001:2015 and those that the company has put in place for their process to function.

For example, if you are auditing a purchasing process against the ISO 9001:2015 standard (section 8.4.1), you will want to confirm that external providers are evaluated, selected, monitored, and reevaluated based on their ability to provide processes or products and services according to the requirements. This is the ISO 9001:2015 requirement. The company might also specify that this is done using an audit of the customers every three years, which would be a company-defined criteria for the process.

From this we can start to create the audit checklist. An audit checklist is basically a set of questions that the auditor wants to ask, or activities that the auditor wants to witness, in order to verify the planned arrangements as above. The checklist is created by reviewing the ISO 9001:2015 standard and any documented procedures or undocumented processes for the activity to determine what should happen. For the example above, the audit checklist could include questions on supplier evaluation and a review of the supplier audit reports that have been collected to see if they are done when determined by the QMS.

The checklist can include more than just questions; it can also include statements from the procedures that the auditor wants to check. Remember that the checklist is a tool for the auditor, and not something to give the auditee to fill out, so whatever format or questions and statements will be useful for the auditor to use in order to make sure that all important parts of the process are checked will work.

If you want to better understand the process approach, this is a good article on ISO 9001: The importance of the process approach.

How can you tell if the process is effective?

The second part of the ISO 9001:2015 internal audit requirements can be trickier to evaluate; but, depending on the process, implementation can also be quite simple. Many companies will use the concept of key performance indicators for the processes when satisfying the ISO 9001:2015 requirements to evaluate performance. This concept is for the process owner to have one or several main measures for their process that will let them know that the process is functioning as expected.

So, if you have key performance indicators (KPIs), and these are maintained by your process owners, an assessment of process effectiveness can be included on your internal audit checklist by reviewing the KPIs and determining if the measures are showing that the process is meeting the expected outputs. If KPIs are not formally used, then questioning the process owner on how they know their process is effective is another good line of questioning for the internal audit checklist.

For more information on key performance indicators and how to use them, check out this blog post on How to define Key Performance Indicators for a QMS based on ISO 9001.

Why should you use checklists in your internal audit?

While the ISO 9001:2015 standard does not include requirements that state an internal audit checklist must be used, it is a useful and effective way to document the questions you need to ask to ensure that your process outputs meet the planned arrangements for your process. When you are reviewing your process plans you can write down what you need to check, and in this way you can make sure that nothing important is forgotten. When you have finished an internal audit you do not want to find that you have neglected to collect the proper information and need to reschedule your audit to complete it.

So, like many other tools in the QMS, the internal audit checklist is a time-saving tool that will help prevent mistakes, and if you are interested in implementing a lean but useful QMS, then tools such as the internal audit checklist are invaluable to help you in this endeavor.

Cinco grandes pasos en la Auditoría Interna de ISO 9001

Muchas compañías ven el proceso de la Auditoría Interna como una actividad incómoda que se tiene que llevar a cabo y que tienen que soportar para mantener el certificado de la ISO 9001. En el mejor de los casos piensan que es duplicar el esfuerzo de la entidad certificadora (del auditor jefe), sin darse cuenta de que la auditoría interna puede ser mucho más eficaz porque se suelen ver más procesos y con mayor profundidad que la entidad registradora, que generalmente tiene poco tiempo para revisarlo todo. En el peor de los casos, los auditores internos son vistos como una especie de policía interna contra la que es mejor protegerse ocultando datos esenciales o engañando con información falsa.

Pasos en la auditoría interna

De hecho, el proceso de Auditoría Interna puede ser el mejor camino para tener un conjunto de ojos externos que miran con detenimiento tus procesos para ayudar a identificar áreas de mejora, o ayudar a optimizar sus procesos para que puedan ser ejecutados de mejor manera, más rápido o de manera más eficiente. A continuación se presentan los cinco principales pasos en el proceso de auditoría interna, y cómo pueden servir a los dueños de procesos internos a mejorar sus procesos.

1) Planificación de la agenda de la auditoría. Una parte clave de un buen proceso es tener un plan general, en este caso para la auditoría, que pueda estar disponible para que todos sepan cuando será auditado cada proceso durante el próximo ciclo (generalmente el plan es anual). Si no existiese un plan y la auditoría se llevase a cabo por sorpresa, el mensaje dado desde la dirección sería “No confiamos en nuestros empleados”. Con la publicación de las intenciones de la auditoría, el mensaje es que se tiene que entender como un apoyo a los dueños de proceso y a los auditores que están ahí para ayudar. Esto puede permitir a los dueños de proceso a finalizar a tiempo cualquier mejora en la que estén trabajando antes de la auditoría, de esta manera pueden reunir información valiosa sobre la implementación, o solicitar a los auditores que se centren en ayudar a recoger información para otras mejoras planificadas

2) Planificación del Proceso de Auditoría. El primer paso en la planificación del proceso de auditoría es confirmar con los propietarios de procesos cuando tendrá lugar la auditoría. El plan general del punto anterior es más una serie de pautas para saber la frecuencia, aproximada, con la que se tienen que auditar los procesos, y la colaboración permitirá la confirmación al auditor y el dueño del proceso del mejor momento para revisar el proceso. Aquí es cuando el auditor puede revisar auditorías previas para ver si es necesario realizar cualquier seguimiento en comentarios o dudas planteadas, y cuando el propietario del proceso puede identificar las áreas que el auditor puede revisar. Un buen plan de auditoría puede asegurar que el propietario del proceso dará valor al proceso de auditoría.

3) Llevando a cabo la auditoría. Una auditoría debe comenzar con una reunión con el propietario del proceso para asegurarse de que el plan de auditoría está completo y listo. Entonces hay muchas vías para que el auditor pueda recopilar información durante la auditoría: revisando archivos, hablando con empleados, analizando datos de procesos clave o incluso observando el proceso en acción. El objetivo de esta actividad es reunir pruebas de que el proceso funciona según lo previsto en el Sistema de Gestión de Calidad y es eficaz en producir los resultados esperados. Una de las cosas más valiosas que un auditor puede hacer para un dueño de proceso no es sólo identificar las áreas que no están funcionando bien, es también identificar las áreas de un proceso en las que se puede funcionar mejor si se realizan cambios.

4) Informe de la Auditoría. Es necesaria una reunión final con el propietario del proceso para garantizar que no se retrase el flujo de información. El propietario del proceso estará interesado en conocer si existen áreas débiles que se deben de abordar, pero también querrá saber si existe alguna área que pueda mejorarse. Esta reunión final debe ser seguida tan pronto como sea posible por un informe escrito para proporcionar toda la información recabada durante la auditoría en un formato más permanente que permita hacer el seguimiento de la información registrada. El propietario del proceso obtendrá un mejor aprovechamiento de la auditoría interna identificando no solamente las áreas no conformes del proceso, sino también identificando las áreas positivas y que pueden ser potencialmente mejores.

5) Seguimiento de los problemas o mejoras encontradas. Como ocurre con otras muchas áreas del estándar, el seguimiento es un paso crítico. Si se han detectado problemas, y se han tomado acciones correctivas, hay que estar completamente seguro de que el problema está completamente solucionado. Si se han completado proyectos de mejora con la identificación de oportunidades en la auditoría, el comprobar cómo han mejorado los procesos, se puede utilizar como un gran motivador para futuras mejoras.

Centrarse en la mejora de procesos para obtener el máximo provecho de una auditoría interna

Usando el proceso de auditoría interna como foco para ayudar a mejorar los procesos y no solamente para mantener el cumplimiento, la compañía puede ver más valor en las auditorías internas. La mejora de procesos es uno de los elementos clave de un sistema de gestión de calidad basado en ISO 9001, y debe ser uno de los principales puntos motivadores de una empresa que quiere implementar y mantener un buen Sistema de Gestión de Calidad. La mejora de procesos no solamente ayuda a la eficacia, también ayuda a ahorrar tiempo y dinero en el proceso. Por tanto, si se utiliza correctamente, la auditoría interna, en lugar de ser un “mal necesario”, puede ser uno de los mayores contribuyentes para conseguir la mejora de los procesos en el Sistema de Gestión de Calidad.