
Sunday, January 15, 2017

Internal Audit Documentation for ISO 9001:2015

Source: ISO 9001 Li group

Question asked by: Sarah Banks, Group Quality Systems Manager at Volac International Ltd.
I would like to change the Internal Audit Documentation that our company uses to include a planned approach to risk assessment and then management and ranking of the risks identified. Can anyone in the group recommend a good reference source?

Margarethe Boisserie
Sarah, the best source is you / your organization, as it's YOUR system - why would one make a copy-paste?

Sarah Banks
Thanks Margarethe, I agree, but I am looking to create a 'standard template' so that I can analyse the results from the Internal Audits in a more comprehensive way. The risk, I agree, is different for every organisation.

Danny James 
Wow, wicked request. An Audit that focuses on the alignment of the QMS to provide support to Business Mandates is my Key Link. Each Business Mandate should have established Key Performance Indicators that can be used to project likely outcomes of the actions planned and implemented and the supporting QMS activities that are needed to enable the results established and required. Examples: response to resolve customer issues, Process Capability measures to mitigate inefficiencies, new product triggers based on Market feedback and Sales trends, etc.

Dear Friends, like you I'm very interested in this subject! My impression is that the new revision of ISO 9001 (2015) is more complex than the old edition (2008)! At least for little companies with poor resources! I wish you good luck with the new implementation!

Oscar González Muñoz
I don't know exactly what you intend to do; the audit scheme should be the same, the audit process has not changed (ISO 19011). The process of evaluating risk is a different thing. During the audit you should apply the process approach: when you audit a process (not a clause of the ISO 9001 standard) you should evaluate many things. Some important matters are: elements of process control (procedures, instructions, specifications, etc.), competence of personnel, KPIs, infrastructure, resources for operating and controlling the process, and now, according to the new requirements, Risks and opportunities. BUT it depends on what method people use to evaluate the risk: it could be a "simple" Check List, or a What-if Method, or a Matrix, so ..
My point is whether a "template" is necessary to evaluate Risks, or whether the auditor should know as many methods as they can in order to evaluate them properly. I think I don't need a Template, but it's my opinion.
Are you familiar with the 'turtle' scheme for making the audit?

Hazem Yassin, QMS Lead Auditor, TQM, CPM, CBSC, ERM
Risk Assessment could be done as a first stage; an output of this process is a prioritization of the processes to be audited based on the risk rate of each one. As a second stage you could plan and schedule your audit execution based on the prioritization of processes (based on the risk rating), and make sure that you audit core and support functions and last year's audit results and findings.

Alan Roberson 
Sarah, ISO 31000 is a great reference source for undertaking and managing identified risks. Undertake the risk assessment, identify your major risks and include them in your internal audits.

Emily Hill 
Hi Sarah, this article gives you a step-by-step breakdown of risk-based thinking for ISO 9001:2015: It specifies the process for identifying risk, analysing and prioritising risks and opportunities, planning and implementing actions to address risk, and then checking the effectiveness of the risk management process. Are you already using an integrated document, audit & risk management system to enforce your processes and systematically follow them up?

Paul Walsh
Sarah, We wrote a paper last year on RBT that might be of use to you. Download from:

Miguel Piedras
Are your internal auditors trained to do both quality auditing and risk assessment? - different activities and mind frames.
Beware of creating time consuming chores that do not add value to your audit.

Gray Warner 
One question that you need to ask is if this undertaking is compatible with your QMS and company culture. Adapting the revised standard to your QMS really should be a value-added process. Adding fancy risk features that do nothing to improve your QMS or blend into your company culture can present acceptance and maintenance issues.

V Muralidhar
Hi Sarah: I suggest you go through 19011 well and that will take you through for compliance to clause 9.2.2. If you still need help, please do not hesitate to contact me. Best wishes.

Ali Al-Zubaidi 
Sarah. For any audit (internal or external), it must be linked to the organisation risk profile, in order to add value and be effective. The internal audit programme of an organisation must be based on the risk assessment conducted by the organisation. This has always been clearly (to me at least) implied by standards such as ISO 9001. We have always advanced this approach in our auditor training. Having said that, I am afraid many organisations do not practice this approach. From my experience, sadly many certification auditors do not understand this approach, either.

Denis Campbell
Mr Scott, can you please share it with me?

Dear Mr. Ali Al-Zubaidi... I appreciate your understanding; that's exactly what the requirements of ISO 9001:2015 are.. Can you please share an example of risk-based auditing on my email address -

Swatantrenand Sanjay MOTAH
It all depends on the field of activity you are engaged in .... you may find very good representations of risk assessment on the net, with colour-coded ranking and classification as per your activity ....

Lázaro Borroto
It is a good tool that helps you manage the major risks. It is also used to audit the controls (barriers); this allows you to evaluate the barriers and, visually, through colours, you can see if it works well (green), badly (red) or regular (yellow). The tool is called Bow Tie (see ISO 31010) and in practice I know of two software packages that work: BowTieXP and AuditXP, from: 

Richard Tompkins
Create and maintain PFMEAs on all your processes and work instructions. My company is now doing this for AS 9100 and ISO 13485. It's working very well!

Kevin Kerr
Elements to consider as part of a robust risk management program include:
1. A list of risk categories relevant to your business
2. An inventory of your business processes
3. Defined criteria for both severity and probability
4. Tools for risk screening and assessment
5. Well defined management review and approval requirements
6. Appropriately trained staff

Documenting the above will help ensure consistency / sustainment over time plus helps provide 'evidence' of a planned approach.
Feel free to send me a message if you're interested in suggestions regarding execution of risk management programs.

Don Baker 
From the ISO 2015 manual. Don't overdo this clause for ISO. If it is value added for you, then by all means proceed.
" Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by this International Standard, e.g. through the application of other guidance or standards." 

Janet Nelson 
As indicated above BOWTIE is a great resource to 'show' that there's been logical thought about risk. Pre-Emptive Six Sigma© is a collection of tools which can be used to identify, rate, rank and...again... 'show' that a company's tolerance for risk and their ID of risk has been well thought out.

Churchill Aribodor
I agree with Dr Ali Al-Zubaidi. We need to understand the organization's risk profile and appetite.

Hugo Alejandro Garza Michel 
Why change that documentation if you only want to identify and evaluate the risk? I think that you should only implement tools that can help you, like Qualitative Risk Analysis, which is a method that helps you prioritize the risk; but first you must identify the risk with other tools like FODA analysis (strengths, weaknesses), brainstorming, the Delphi technique, etc. And document it all.

Rajendran Arun Kumar 
I would suggest you go with 9001:2015 and follow the QMS.

Prof. Dr. Mohamed Alaalam
I would suggest first studying risk assessment. That would help you very much.

Geraldinho Buffon 
Since this concerns the documented information relating to internal audit, what you should anticipate are the risks of the audit itself, such as: planning (failure to achieve the objectives and the scope of the audit programme); resources (insufficient time); team selection (competence); ineffective communication; records and their controls; inattention (auditor and auditees); ineffective results; accidents; contamination in clean rooms.

John Kleinschmidt
You can create an FMEA to identify, rate and evaluate how your plan has impacted the identified risk.

Ian Hendra 
Since when was risk assessment ever an internal audit activity? IA happens so late in the piece as to be almost irrelevant for RM purposes... get real.. understand the issue here.

Afaq Ahmed 
ISO 9001:2015, clause 9.2.2 (audit program) does not specify the requirement for a planned approach to risk assessment.

Rajendran Arun Kumar
Follow the complete clause of 9001-2015 to identify the risk in internal audit

Guy Plouffe 
Hello Sarah. You should include in the risk assessment process at 6.1 the key processes of the QMS, including the internal audit. After that, you should evaluate whether the internal audit process represents a high risk rate for ensuring the application of the QMS. If yes, KPIs should be in place to measure the performance of the internal audit process, to be able to evaluate the criticality of this risk.
The internal audit will require some changes in the audit report to include, for each key process audited, the KPI objectives, the results and the associated risks.

Ian Hendra 
Once again.. Risk assessment is a management responsibility for inclusion in system and product/service design processes. It has almost nothing to do with internal audit... not least because the expectation that internal auditors will know more about system and product/service risk than those responsible for identifying and managing the resources to control them is completely ridiculous.

Alhussain Abushady
First, you do not need to change the standard internal audit documentation, but you could add, through the checklists, the points which check the application of the risk notes of the clauses and processes affected by the risk assessment.