The specific requirements for internal audits have not really changed much, apart from introduction of the “impartiality and objectivity” requirement. The current version of the Standard (ISO 9001:2015) does, however, contain significantly more requirements for top management engagement.
Clause 9.2.2 requires that the organisation’s internal audits shall be conducted to confirm that the QMS conforms to the requirements of the international Standard and that the QMS is effective. That is, the internal audit programme shall cover all ISO 9001 requirements, not just some of them.
It follows thereby that ISO 9001’s Clause 5 – Leadership, is included as a key element of an internal audit, as are other related clauses. Clause 5 relates to top management’s responsibilities and accountabilities. “Top management” includes executives, functional business directors and management system owners, and requirements apply when they individually and/or collectively have to ensure the creation, resourcing, support and performance of an effective QMS.
Leadership in organisations (that is, top management) sets the business’s strategic direction based on its understanding of the organisation’s context, interested parties’ needs, and the risks and opportunities associated with both.
This means that when top management faces strategic or operational challenges – internal, external, or both – they must consider and respond to the corresponding risks. These include risks to successfully delivering on opportunities, deploying organisational structures, and quality management system design and deployment.
Thus, the programme of internal audits must now verify all ISO 9001:2015 Clause 5 requirements are effectively addressed; this is a significantly greater challenge for internal auditors than previously. With more management system requirements than ever before, top management must be involved and engaged with the QMS. Examples of these requirements include:
- Ensuring the organisation’s context (e.g. determined internal and external challenges) is considered when scoping and building the QMS and its processes
- Ensuring the QMS (including its policy and objectives) aligns with the organisations’ strategic direction
- Ensuring the QMS’s requirements are integrated into the organisations’ business processes
- Ensuring the QMS addresses known risks and opportunities that are considered a priority
- Promoting the process approach and the application of risk-based thinking
- Taking accountability for the QMS’s implementation and results
- Ensuring that the quality policy is communicated, understood and applied by the entire organisation.
This greater focus on leadership in the Standard requires internal auditors to be able to verify the effectiveness of how top management:
- Demonstrates a clear understanding of the business context
- Addresses risks and opportunities
- Is accountable for the QMS’s performance, effects (risks and opportunities) and impacts on relevant parties (including the organisation and its strategic direction).
Hence, an organisation’s programme of internal audits against ISO 9001:2015 must include top management and verify whether it has met the above requirements. This has a significant impact on the programme’s effectiveness; it also increases the capability and competence required of internal auditors.
In summary, how confident are you that your organisation’s internal audit process, and your internal audit resources, are capable and competent enough to verify the effectiveness of:
- Top management actions in response to ISO 9001 Clause 5 (e.g. boardroom decisions and subsequent actions)
- The processes used to determine and respond to issues derived from the organisation’s context (ISO 9001 Clause 4)
- How other key management roles across the organisation manage their processes and key interfaces/inter-dependencies with other functions/processes (ISO 9001 Clause 4.4.1)
- How managers at all levels apply risk-based thinking to determine and respond to risks and/or opportunities (ISO 9001 Clauses 4, 5, 6, 9 and 10)?
Or, get more information on how SAI Global has helped organizations like yours.
View our full list of Training Courses.
About the AuthorMore Content by David White