One of the key audit skills we develop with delegates during our audit courses is the ability to write a good audit checklist. This core skill provides you with a clear set of questions to ask during the audit, identifies what documents you might want to sample and keeps you on track with the audit timetable and objectives.
How to write an audit check list using an ISO standard
The key steps to writing a checklist based on any management system standard is to understand:
- The intent of the section/clause of the standard – knowing what the clause is aiming to achieve
- Breakdown the specific requirements of the clause of the standard (the ‘shalls’)
- Identify what objective evidence you are going to look for to prove the system works – would you expect to see records etc to demonstrate conformance
To give a simple example I have chosen Management Review from ISO 13485:2016 (Section 4.6) but this technique can be applied to any ISO standard including Harmonised Standards. The overall intent of management review is to ensure the management system is implemented and effective in driving improvement.
If we take a look at clause 5.6, the key requirements are that:
- Results of records of feedback on the product are reviewed
- Any complaints received are discussed
- Any communications from the regulatory body (such as the MHRA in the UK) are considered
- Results from internal audits will be reviewed
- Results from processes are reviewed – are they continuing to work effectively
- Results of product testing/product release is reviewed – what monitoring is taking place
- Status of preventive and corrective actions are reviewed
- Follow up actions from previous reviews
- Changes (legislation, organisation, technology etc) are reviewed
- That any recommendations for improving the medical device quality management system are communicated
- And that any new regulatory requirements that might impact the medical device are considered
The evidence you will need to look at during the audit will be:
- Evidence that the above points have been discussed – such as in minutes of management review meetings
- Evidence that attendees at the review agreed that the effectiveness of the QMS is being maintained – and if necessary, what improvements and resources are being allocated to maintain its effectiveness
- Decisions on what needs to be done to maintain any regulatory requirements
And the main question to ask to ensure effectiveness… review an actual improvement that has occurred as a result of a decision taken in management review. This allows you to show that the system if fully implemented and effective.
ISO 13485 Audit Checklist Example
Here is a checklist that will allow you to thoroughly audit your ISO 13485 internal audit system.
Audit Programme
1. Is there an audit programme available, approved and communicated?(8.2.4)
2. Does the audit programme cover all processes & clauses of ISO 13485? (8.2.4 a and b)
3. Does the programme reflect the results of previous audits & importance of process? (8.2.4)
4. Are auditors competent? Check training certificates/records. (6.2.e)
Audit Procedure
5. Review audit procedure (it must be documented) (8.2.4) does this cover:
– Requirements for planning audits?
– Checklist preparation or similar as a means to record objective evidence?
– Nonconformity reporting – how is the achieved and what happens with the report?
– How corrective actions are agreed, verified and followed up?
– Are actions then taken to address any non-conformances – addressing the cause and ensuring that the issue does not recur (8.5.2)
Reporting & Records
6. Are records of internal audits maintained? (8.2.4)
7. Are these records maintained? Are they up to date? (4.2.5)
System Effectiveness & Improvement
8. Is the audit programme on track (or have some audits been missed this year?) (8.2.4)
9. Are corrective actions from internal audits closed in a timely manner? How many overdue actions are there? (8.5.2)
10. Are audits reviewed at management review as a means to improve effectiveness? (5.6)
11. And finally, always ask yourself…does the audit programme provide real information to the senior management team to identify the real risks to the business and drive improvement if required or is it just a tick in the box exercise?