An audit of the audit system I hear you say! What ever next? Well actually it is a mandatory requirement but it often confuses people on what they should actually ask during their ISO 9001 internal audit.
Here is a checklist that will allow you to thoroughly audit your ISO 9001 internal audit system. It has references to ISO 9001, but this could be easily applied to OHSAS 18001 and ISO 14001 if required.
The checklist can also be downloaded in checklist style below so that all you have to do is print the checklist out to use it as part of your audit.
Audit Programme
1. Is there an audit programme available, approved and communicated?(8.2.2)
2. Does the audit programme cover all processes & clauses of ISO 9001? (8.2.2)
3. Does the audit programme cover processes (or does it tend to follow procedures within the system?). (8.2.2)
4. Does the programme reflect the results of previous audits & importance of process? (8.2.2)
5. Are auditor’s trained? Check training certificates/records. (6.2.2)
Audit Procedure
6. Review audit procedure (8.2.2) does this cover:
– Requirements for planning audits?
– Checklist preparation as a means to record objective evidence?
– Non conformity reporting including categorisation (e.g. Major/Minor/Improvement etc)?
– How corrective actions are agree, verified and followed up?
– Requirements for auditor competency? (6.2.2)
Reporting & Records
7. Are records of internal audits maintained? (8.2.2)
8. Are these records maintained? If so for how long? (4.2.4)
9. Are records of any non-conformities and corrective actions maintained? (8.5.2)
10. Are records of root cause and corrective action verification maintained? (8.5.2)
System Effectiveness & Improvement
11. Is the audit programme on track (or have some audits been missed this year?) (8.2.2)
12. Are corrective actions from internal audits closed in a timely manner? How many overdue actions are there? (8.2.2)
13. Are audits reviewed at management review as a means to improve the business? (5.6)
14. And finally, always ask yourself…does the audit programme provide real information to the senior management team to identify the real risks to the business and drive improvement if required or is it just a tick in the box exercise?