Providing support for ISO management and product certification systems in Queensland, and throughout Australia.

ISO 9001 Basics - Internal Audits

ISO 9001 can be a great tool for helping businesses standardise and improve internal processes as well as gain entry into highly competitive markets or to supply government departments and large organisations requiring certified quality management systems.

Having worked in small to medium-sized businesses and as a certification body third-party auditor for several years, I have found some similar challenges being faced internally and by clients. I hope to provide some insight into these and bring some simple ideas on what ISO 9001 actually requires.

To start with, I find the greatest number of issues I come across as a third-party auditor are in regard to internal audits.

Do I really need to do internal audits? Isn't that what the certification auditors do?

These are common questions from businesses starting the certification journey, and at first they seem reasonable to ask. The answers are basically Yes and No, respectively.

Internal audits are mandatory, so yes you have to do them. While it is reasonable to expect some overlap in internal and external audits it is important for your business to internally assess how the quality management system is working for you.

Okay, so you have to do the audits. Clause 9.2 in the standard lists the requirements, but to make it easier to understand how to apply those, I have put together a list of 7 steps. Follow these steps and you will meet the requirements and should have no problems passing an external audit:

  1. Start by planning which processes you need to audit. Use a risk assessment approach when choosing processes; work out the processes that would cause the business big headaches if they went wrong. Highest risk processes are often your operation type processes - project files, manufacturing processes etc. If there are any big changes in your processes since the last internal audit, or poor results from a previous audit, focus on these areas also. Now work out what is an achievable frequency of audits. I suggest auditing high risk areas at least once per 6 months and the rest of the main processes within your system across a maximum of 2 years.

    Note that the standard does not specifically require you to audit all processes in the business, but I do recommend covering all the main processes in your plan.

  2. Put together a schedule of the audit(s) you are going to perform, when they are due and some process of reminders to do them. "I forgot" or "I was too busy" won't go down too well with external auditors.

  3. Ensure there are clear criteria to audit against. How do you know if processes are being followed as required? If you have internal procedures for the processes to be audited then that can work. I like to use a checklist specifically developed for the audit, which can help to focus on elements of the processes that are of higher risk / importance. ISO 9001 requires auditing against the standard requirements as well as your own management system, so a checklist is one way of ensuring both requirements are covered in one audit.

  4. Appoint auditors. In a small business this can be difficult but must be a priority to achieve and maintain certification. The auditors must be trained for the task. The standard does not require external qualifications for auditors. They can be internally trained, although it is probably good if one person in the business has some type of formal training or previous experience.

    Another important point is the auditor must be impartial. You can't audit your own work. Utilise others within the business even if it is just for a part of an audit. If resources are really stretched there is no problem engaging external help from a suitable consultant etc. but try and choose one that understands your industry and business. There are plenty out there and I am one of them.

  5. Everything is now in place so it is time to conduct your audits. This is the "easy" bit. It doesn't have to be ultra formal with opening and closing meetings, particularly if you are in a small business. The larger the business the more formal it could be to ensure relevant management are aware of the audit and the outcomes and subsequent actions. Audits should include talking to staff, not just looking at past records. The benefit of talking to people is that you can find out if they have an idea what to do if something goes wrong, for example, which may not be clear from records alone.

  6. Record results of the audit. Results must be reported to management, including in the management review. Reporting of results should be defined clearly including how to report acceptable findings, improvements and significant issues that require immediate or long term actions. The format of reporting is up to your business and could range from a copy of your checklist with a brief summary of issues through to a full formal report for larger organisations.

    Note that external auditors will typically want to see recorded evidence of what you have checked, e.g. reports sampled, staff talked to, files checked, inspections witnessed etc.

  7. Take correction and corrective action as appropriate to the level of findings and the issues raised. This can be the most difficult to progress. Correction is an immediate fix, such as updating and re-issuing a report, recalling product, filing records correctly or obtaining management sign off. Corrective action is then taking further steps to ensure it does not happen again, such as further training, increasing frequency of reviews or inspections, updating procedures or introducing a new process. Typically this would be recorded and tracked in your corrective action system (which will be covered in another post).

Well done, you've made it through.

While some external auditors may argue that they want to see something more than the above, it would be hard to justify from the standard's point of view. An auditor's job is not to tell you how to comply with a clause, only whether what you are doing is compliant or not. Having said that, I don't generally recommend starting too many arguments with your auditor...

Happy internal auditing!
