ISO 9001:2015 Internal Audits

Is the Process Approach to Audits Just a Myth?

Since ISO 9001:2000, it’s become increasingly common to consider that an organization’s Internal Quality Audits be performed using the so-called “Process Approach.” At the time of publication, that particular version of the International Standard for Management Systems contained no description of what the process approach was. The recently introduced 2015 version makes the “Process Approach” a lot clearer by describing what is envisaged, in section 0.3 of the Introduction to the Standard–and how it applies to the quality management system–development, implementation and improvement. Reading further, the text goes on to describe the Process Approach involving the “systematic definition and management of processes, and their interactions, so as to achieve the intended results.” There’s no mention of anything to do with conducting internal audits in any particular fashion.

Perhaps the Internal Audit requirements, found in clause 9.2, will reveal something…

This particular clause states that “the organization shall:
a) Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the process concerned, changes affecting the organization, and the results of previous audits;”

Interestingly, even this statement, which deals with the actual planning and implementation of the internal audits, doesn’t require that those audits shall (or even should) be conducted using the “process approach.” In basic terms, it simply states that the audit programme has to consider the importance of the (quality management system) process concerned. Nothing requires an actual audit of a process! So, why has the mantra of “Process-based Internal Audits” become so pervasive?

Maybe “mission creep” has occurred from the influence of the Certification Body auditors who were required to change their approach to one of auditing process(es), around the time ISO/TS 16949 was published. This era ushered in the use (by CB auditors) of the “turtle” diagram for audit planning, which has become widespread throughout their client base, too.

Although not advocating against the internal audits of only processes, a risk-based approach to the considerations of what to audit and when can be very useful. Empirically, we know that risks occur in business, and they don’t always occur within a process. Traditionally, risks are associated with something new and/or changed or activities affecting an organization:

• Product designs & specifications
• Sources of supply
• Personnel
• Technology

By reference to the diagram below, adapted from James Reason’s “Managing the Risks of Organizational Accidents,” (ISBN-10: 1840141050), it can be seen that risks occur throughout an Operation.

Clearly, the selection of a specific process may help when considering what part(s) of the management system to audit, however, further planning may reveal that it’s not always the whole process which should fall under the audit spotlight… It may be a relatively simple activity contained within the process. Perhaps a review of a requirement (customer order) and a subsequent change to that requirement may mean that a second review isn’t as robust. In such a case, auditing the entire process may be unnecessary in determining where the change “slipped through the cracks.” Experience also shows that it can be the interaction between processes where issues manifest themselves – at the interface of two (or more) processes.

It follows then, that without a clear, specific requirement to audit (only) processes, an organization is free to choose a specific audit “scope” and “criteria” if those define something within the quality management system which represents risk to effectiveness in achieving intended results. In addition to considering a process as the scope of an audit, the following also may be used:

• A customer and/or regulatory requirement – may be implemented in parts of multiple processes
• A physical area or location – a warehouse, for example
• A specific requirement from the ISO requirements – when establishing the QMS
• A project – improvement, new product design, the implementation of a new technology, etc.
• An activity – something which may be part of an overall process

For more help in establishing and managing an effective internal audit program, to meet ISO 9001, AS9100D or the IATF 16949 requirements, contact us at: ISO@the-center.org.


MEET OUR EXPERT

Andy Nichols, Quality Program Manager
Andy has 40 years of expertise in a wide variety of roles and industries, with a focus on quality management systems in manufacturing organizations. In addition to his ISO 9000 Management Systems experience, he has worked extensively with ISO/TS16949, ISO/IEC 17024 and ISO/IEC 17025.

His broad practical knowledge of ‘Quality Tools’ includes: SPC, FMEA, Quality Circles, Problem Solving, Internal Auditing and Process Mapping. He has also been an IRCA and RABQSA accredited Lead Auditor. To read Andy's full bio, visit click here.


Since 1991, the Michigan Manufacturing Technology Center has assisted Michigan’s small and medium-sized businesses to successfully compete and grow. Through personalized services designed to meet the needs of clients, we develop more effective business leaders, drive product and process innovation, promote company-wide operational excellence and foster creative strategies for business growth and greater profitability. Find us at www.the-center.org.