ISO 9001:2015 Clause 9.2 Internal Audit

Definition: 

ISO defines audits as “Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine  the extent to which audit criteria  are fulfilled.”
Internal audits, sometimes called first-party audits, are conducted by, or on behalf of, the organization itself for management review and other internal purposes, and may form the basis for an organization’s declaration of conformity.  In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited. External audits include those generally termed second- and third-party audits. Second-party audits are conducted by parties having an interest in the organization, such as customers, or by other persons on their behalf. Third-party audits are conducted by external, independent auditing organizations, such as those providing certification/registration of conformity to ISO 9001 or ISO 14001. When two or more management systems are audited together, this is termed a combined audit. When two or more auditing organizations cooperate to audit a single auditee, this is termed a joint audit.

Introduction:

An audit is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. Audits are structured and formal evaluations. The term systematic means the company must plan and document its system for auditing. It must have management support and resources behind it. Audits must be performed in an impartial manner, which requires auditors to have freedom from bias or other influences that could affect their objectivity. For example, having responsibility for the work, or a vested interest or shares in a supplier or third party company they are assigned to audit would be conflicts of interest. Internal audits must be carried out to a procedure according to requirements given in clause 9.2 of ISO 9001:2015. The procedure must address the responsibilities for conducting the audits, ensuring independence, recording results, and reporting to management. Audits obtain objective evidence of conformity with requirements. The evidence must be based on fact and may be obtained through observation, measurement, test, or by other means. Evaluating the extent to which audit criteria are fulfilled involves an assessment of both implementation and effectiveness. The presence of nonconformities in a department or process may indicate the system is ineffective for those areas.

9.2 Internal Audit

9.2.1

The organization should conduct internal audits at planned intervals to provide information on whether the quality management system conforms to the organization’s own requirements, the requirement of ISO 9001:2015 standards and is effectively implemented and maintained

9.2.2

The organization must plan, establish, implement, and maintain an audit program, which must include frequency, methods, and responsibilities, planning requirements, and reporting. While making an audit program, consideration must be given to the importance of concerned processes, changes impacting the organization, and the results of previous audits. It must define audit criteria and scope for each audit. It must select auditors and conduct audits for the impartial and objective audit process. It must ensure the results of audits are reported to relevant management. it must take necessary correction and corrective actions without undue delay. It must retain evidence of audit program implementation and audit results.

Internal audit is one of the important tools required by this standard used to gauge the health of your QMS. How effective is it in meeting ISO 9001, your own QMS, customer, and regulatory requirements? You must have a documented procedure for your internal audit process. The scope of your internal audit program must cover the:

• Audit of operation processes to determine conformity of both product /services and their processes to the customer and applicable regulatory requirements.
• Audit of the QMS to determine conformity to the ISO 9001 standard.
• Audit of the QMS to determine conformity to organizational requirements.

Audit of QMS processes and their interaction to determine if the QMS has been effectively implemented and maintained.

In determining the time frame for your audit program, you should consider organization size, the complexity of product and processes, the health of the QMS, customer, registrar, and regulatory requirements, etc. The most common time frame is six months. Consider adjusting the audit frequency and perhaps even the audit scope, of specific processes or group of processes, when:

• You experience internal or external nonconformities.
• Get customer complaints.
• Have critical or high-risk processes.
• Have frequent or significant changes to processes and product.

Your internal audit program should consider the following:

• Input from the audited area and related areas
• Key customer-oriented processes
• Process and product performance results and expectations
• Opportunities for continual improvement
• Feedback from customers

Audit criteria refer to the specific QMS policies, objectives, ISO requirements, documentation, customer and regulatory requirements, etc., that the audit is referenced to or conducted against. Audit criteria may relate to the whole audit program as well as each individual audit. Audit methods refer to the specific techniques that auditors use to gather objective audit evidence that can be evaluated to determine conformity to audit criteria. Examples of audit methods include an interview of personnel, observation of activities, review of documents and records, etc. You must define the minimum qualification requirements for internal auditors. These requirements include knowledge of QMS processes and their interaction, related QMS controls, customer requirements, applicable regulatory requirements, the ISO 9001 standard, the audit process, and audit techniques. Internal auditors need to be trained in the ISO 9001 standard as they generally audit for conformity to organizational requirements and also for conformity to ISO 9001 requirements. Additionally, the ISO 19011:2002 Guidelines for quality and environmental auditing says that auditors should have knowledge of quality management system standards and their application to the organization.The output of your internal audit program may be used as performance indicators to:

• Determine the degree of conformity of the QMS to ISO 9001, customer and regulatory requirements.
• Determine the effectiveness of QMS implementation and maintenance.
• Determine the degree of conformity of product to contractual and regulatory requirements.
• Identify areas of the QMS that need improvement.

Audit Objectives

Always establish the objectives of the audit. Audit objectives are not limited to the ISO 9001 standard. Clear audit objectives help determine the scope and depth of the audit, as well as, the resources needed. Being clear on the objectives provides focus and helps the auditor from being distracted and going off on unnecessary detours beyond the scope of the audit. Audit objectives  may include:

• Evaluating conformity of requirements to ISO 9001
• Evaluating conformity of documentation to ISO 9001
• Judging conformity of implementation to documentation
• Determining effectiveness in meeting requirements and objectives
• Meeting any contractual or regulatory requirements for auditing
• Providing an opportunity to improve the quality management system
• Permitting registration and inclusion in a list of registered companies
• Qualifying potential suppliers

Types of Audits

Audits that are carried out to determine whether an organization conforms to a quality Standard may be termed Quality System Audits. This type of audit requires the auditor to use a fair degree of judgment to establish whether controls are adequate. Many second and third-party audits are carried out as Quality System Audits, as are many audits for the purpose of consultancy. Audits that are carried out against specifically defined practices, procedures, and instructions, and that are perhaps (but not necessarily) more limited in their scope, are termed conformity audits. Many internal audits and many contract-related audits between two parties are carried out as conformity audits.  Process and product audits are subsets of QMS conformity audits and therefore limited in scope. An ISO 9001 process audit evaluates the controls and characteristics of a specific process, as well, as its relationship with other processes, and may include using some or all of the following approaches:

1 Individual processes in terms of:

• Input / Output / Value-added activity
•  Plan / Do / Check / Act

2) Relationship to other processes in terms of:

•  Flow / Sequence / Linkage / Combination
•  Interaction / Communication

Customer contracts for conformity to contractual requirements through the various processes used to fulfill the customers’ orders.

 Audit trails – following concerns or unresolved issues to processes or departments, that are beyond the scope of a specific audit.

External Audits

These are audits done outside one’s own organization and there are at least two distinct types of external audit second and third party.

 Second Party Audits

These audits, carried out by one company on another, originally came from the idea of an organization auditing its suppliers. There are a number of reasons why an organization may wish to audit its suppliers.

1. One method to satisfy clause 8.4.1 of the ISO 9001:2015
2. Input to selecting, grading, and approving suppliers
3. Help to improve supplier Quality Management Systems
4. Mutual understanding of quality requirements

 Many major organizations carry out second-party audits to advise user departments of areas of weakness in suppliers so appropriate contract and/or surveillance mechanisms can be instigated if the supplier is to be given work. It can also highlight likely additional costs.

Third Party Audits

As a result of the growth in interest in Quality Assurance during the 1960s and 1970s, more and more second-party audits were being carried out. Some companies in certain fields had to employ people whose sole task was to accompany visiting auditors around the company! Clearly, this state of affairs was helping nobody, particularly the supplier. After considerable discussions at national levels, the ISO 9000 scheme was introduced to rationalize all the assessment schemes as a third-party audit operated by an independent body that would certify companies as conforming with the Standard (or not, as the case may be). Various bodies became registration bodies (Registrars) and BSI, UL, SGS, DNV are prominent examples. There are different types of registration, but the main interest here is on the Registrar’s Quality Management System assessment and registration. On payment of an initial fee to the Registrar, they will assess your Quality Management System to ISO 9001 and, depending on the results of the assessment, the organization would become registered.

Internal audits or  First Party Audits

First-party audits are carried out by an organization on itself to conform to management that their documented quality management system is working effectively. An organization’s own defined and documented system forms the basis for this audit. Reasons for a first-party audit:

1. ISO 9001:2015 clause 9.2 requires it
2. Control and feedback mechanism for management
3.  Correction of nonconformities before external bodies find them
4.  Systematic improvement of the organization

 As in the second party, if the audits are done only for reason (1) or (3) above, the value is going to be limited. By establishing an internal audit program, management is making available an extremely useful and powerful tool for improving business, and for assessing the effectiveness of the quality management system. Of course, in considering (3) above, it means that if an organization is to find for itself the kinds of nonconformities that external bodies are likely to find, it should, if possible, carry out its audits in a similar way to the Registrars. It must be remembered that all audits are based on sampling; therefore, there is no guarantee that all nonconformities will be found during the internal audit process.

Benefits of Quality Management System Audits

Audit results are a major input to the management review process. Management must take appropriate actions based on the review of quality system strengths, weaknesses, and opportunities for improvement. The allocated time and for conducting internal audits demonstrates top management commitment. If the purpose of the audit is properly communicated, and employees realize that the audit is not an evaluation of personal performance, they are more likely to discuss weak areas and opportunities for improvement. This should lead to an improvement in operational performance and improved customer satisfaction.

• Provides information for management review
• Demonstrates senior management commitment
• Improves personnel awareness, participation, and motivation
• Provides opportunities for continual improvement
• Improves customer confidence and satisfaction
• Increases operational performance

The Auditor within the Audit System

All systems in an organization have to be designed and made to work by people. The audit system is no different. It must have procedures and training to advise the auditor what the role requires, and also what and who qualifies or authorizes the auditor to do the work. An auditor is defined by ISO 19011 as a person with the competence to perform an audit. To perform an audit, the auditor must be authorized for that particular audit.

Auditor Responsibilities

The Auditor has the following responsibilities:

• Support the team leader
• Be prepared
• Participate in opening and closing meetings
• Carry out assigned tasks
• Keep to the timetable and audit scope
• Document and support all findings
• Keep team leader and auditee informed
• Safeguard all documents
• Maintain confidentiality
• Be objective and ethical
• Verify corrective actions (if assigned as the auditor)

Lead Auditor Responsibilities

In addition to the auditor’s responsibilities, the lead auditor must possess management capabilities that include:

• Assisting in team selection and briefing the team
• Responsibility for planning and managing all phases of the audit
• Representing the audit team with auditee
• Controlling conflicts and handling difficult situations
• Conducting and controlling all meetings with team and auditee
• Making decisions on audit issues and quality system
• Reporting audit results without delay
• Reporting major obstacles encountered
• Reporting critical nonconformities immediately
• Possessing effective communication skills

The Lead Auditor must balance the on-site audit workload so that there is sufficient time to conduct these managerial tasks.

Auditee

The Auditee is a department or the process of the organization to be audited. The auditee could be one of its manufacturing or service facilities. The Organization determines the audit scope and objective

Principles of ISO 9000 Auditing

QMS auditors must adhere to the following principles and attributes, based on ISO 19011, Principles relating to auditors:

1, Ethical Conduct is the foundation of professionalism. It includes auditor behavior that reflects trust, integrity, confidentiality, and discretion.

2. Fair Presentation is the obligation to report truthfully and accurately:

•  Audit activities through – audit findings, conclusions, and reports
•  Significant obstacles encountered
• Unresolved diverging opinions between auditee and audit team

3.Due Professional Care is applying diligence and judgment in auditing. Auditors must exercise care related to the importance of the task and the confidence placed in them by the auditee and other interested parties. Having the necessary competence is an important factor.

4. Independence forms the basis for the impartiality of the audit and objectivity of the audit conclusions. Auditors must:

• Be independent of the activity being audited
• Be free from bias and conflict of interest
• Maintain an objective state of mind throughout the audit process
• Ensure that audit findings and conclusions will be based only on the audit evidence

5. The evidence-based approach is the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process. Audit evidence must:

• Be verifiable
• Be based on samples of the information available (since the audit is conducted during a finite period of time and with finite resources)
• Ensure that proper use of sampling is made, to contribute to the confidence that can be placed on the audit conclusions

Additionally, ISO 9001 QMS Auditors must be:

• Be open-minded and mature
• Possess sound judgment, analytical skills, and tenacity
• Have the ability to perceive situations in a realistic way
• Understand the role of individual units within the overall organization
• Understand complex situations from a broad perspective

The auditor must be able to apply these attributes in order to:

1. Fairly obtain and assess objective evidence.
2. Remain true to the purpose of the audit without fear or favor.
3. Constantly evaluate the effects of audit observations and personal interactions.
4. Treat participating personnel in a way that will best achieve the audit objective.
5. React with sensitivity to conventions of the area where the audit is performed.
6. Perform the audit process without deviating due to distractions.
7. Commit full attention and support to the audit process.
8. React effectively in stressful situations.
9. Arrive at generally acceptable conclusions based on audit observations.
10. Remain true to the conclusion despite pressure to change not based on evidence.

 Auditors must be open-minded and base decisions on objective evidence. They cannot assume, feel, or impose their views. Remember that ISO 9001 is interpretative, not prescriptive. There are many ways to implement a requirement to achieve effective control. Keep an open mind. Don’t jump to conclusions.

Other useful attributes:

1. Other desirable personal attributes that an ISO 9000 auditor may possess include being polite, punctual, practical, principled, persevering, industrious, positive, and prepared. Be mature, have sound judgment, be tenacious, be perceptive and realistic.
2. Maturity comes from education, understanding, and experience. Sound judgment and analytical skills are gained through research and experience in interpreting and applying the requirements of the standard. Learn from experienced auditors. Take notes of their audit evaluation techniques.
3. Tenacious does not mean digging until you find a nonconformance. It refers to your ability to stay focused on the audit objective and scope, in spite of distractions. Perceptive means being alert to changing circumstances or concerns. Realistic is being pragmatic. Evaluate the risk. How serious is it? What is the probability of occurrence?

Very few organizations are alike. They have different products, processes, management structures, cultures, and environments. Auditors must learn to quickly gauge these factors to determine to what extent they will facilitate or hinder conducting the audit.

Auditor “Independence”

•  Auditors must be free from bias and influence
• They cannot audit their own work
• All participants in an audit must respect the integrity and independence of the auditors

From a first party perspective, internal auditors cannot audit their own work. They must be selected to perform impartial and objective audits. From a second or third party perspective, independence may be jeopardized if the auditors have a business or other association with the second or third party company that may influence their objectivity, or they own shares in the company to be audited, or their spouse or relative works there.

Role of an Internal  Auditor

The Internal auditors may have many roles depending upon whether they perform as Lead auditor or team member. The scope and objective of the assignment must also be taken into consideration.  Some of the key roles and issues are discussed below:

• Is the management interface
• May facilitate the documentation and implementation process
• May act as a guide during audits
• May interface with customer and external auditors
• Must maintain “independence” and confidentiality
• Exhibit professional behavior

They follow management’s directives and conduct internal audits on behalf of management. Internal auditors report audit findings to top management so the system can be improved. Internal auditors may facilitate the communication, documentation, and implementation of the system and communicate with the registrar or customers. They may also act as guides during audits by external auditors or customers.

 Managing An ISO 9001 Audit Program

Authority for Audit Program An ISO 9001 audit program may include one or more audits, depending on the size, nature, and complexity of the organization to be audited. These audits may have a variety of objectives and may also include joint (multiple auditing organizations) or combined (QMS and EMS) audits. An audit program also includes all activities necessary for planning and organizing the types and number of audits, and for providing resources to conduct them effectively and efficiently within the specified time frames. An organization may establish more than one audit program. The organization’s top management should grant the authority for managing the audit program. Those assigned the responsibility for managing the audit program should:

1. Plan, establish, implement, monitor, review and improve the audit program
2. Identify the necessary resources and ensure they are provided.

Examples of ISO 9001 audit programs include the following:

1. A series of internal audits covering an organization-wide quality management system for the current year.
2. Second-party management system audits of potential suppliers of critical products to be conducted within six months.
3. Registration and surveillance audit conducted by a registrar on a quality management system within an agreed time period.

An audit program also includes appropriate planning, the provision of resources, and the establishment of procedures to conduct the audits within the program.

Establishing the ISO 9001 Audit Program

Audit program objectives

 Objectives should be established for an audit program to direct the planning and conduct of audits. These objectives should be based on consideration of:

1. Management priorities
2. Commercial intentions
3. Management system requirements
4. Statutory, regulatory and contractual requirements
5. Need for supplier evaluations
6. Customer requirements
7. Needs of other interested parties
8. And risks to the organization

 Extent Of An Audit Program

The extent of an audit program can vary and will be influenced by the size, nature, and complexity of the organization to be audited, as well as, by the following:

1. The scope, objective and duration of each audit to be conducted
2. The frequency of audits to be conducted
3. The number, importance, similarity, and locations of the activities to be audited
4. Standards, statutory, regulatory and contractual requirements, and other audit criteria
5. Conclusions of previous audits or results of a previous audit program review
6. Any language, cultural or social issues
7. The concerns of interested parties
8. Significant changes to an organization or its operations

Audit Frequency

Factors that may cause the frequency to increase include:

• The significant change in management, organization, policy, techniques, or technology
• Requests by the customer or regulatory body
• Changes to the quality management system
• Results of recent audits
• Status and importance – internal audit results

Audit Frequency for Internal Audits

Clause 9.2.2 Internal audits are scheduled on the basis of the importance of the activity to be audited, changes affecting the organization as well as, previous audit results.

Importance – Refers to the criticality of the processes or activity to the quality of the product or service (critical internal or external suppliers). Also reflects top management’s priorities.

Audits – refers to the results of previous internal and external audit results. You must consider past audit findings and coverage in setting audit frequency. The complete quality management system must be audited at least once a year. Weak areas or activities must be audited more often. Top management determines the frequency of internal audits with the help of the Management Representative. Audit frequency is also determined by contractual or regulatory requirements, as well as, significant changes in ownership, policies, products, processes, technology, control systems, documentation, or the organization.

Audit Program Responsibilities, Resources, And Procedures

ISO 9001 Audit Program Responsibilities

The responsibilities for managing an audit program should be assigned to one or more individuals with a general understanding of audit principles, the competence of auditors, and the application of audit techniques. They should have management skills, as well as, technical and business understanding relevant to the activities to be audited. Those assigned responsibility for managing the audit program should:

1. Establish the objectives and extent of the audit program
2. Establish the responsibilities and procedures, and ensure that resources are provided
3. Ensure the implementation of the audit program
4. Ensure the appropriate audit program records are maintained
5. Monitor, review and improve the audit program

ISO 9001 Audit Program Resources

Consider the following when identifying resources:

1. Financial resources necessary to develop, implement, manage and improve audit activities
2. Audit techniques
3. Processes to achieve and maintain the competence of auditors appropriate to the particular audit program objectives
4. The extent of the audit program
5. Traveling time, accommodation and other auditing needs

Audit Program Procedures

Audit program procedures should address:

1. Planning and scheduling audits
2. Assuring the competence of auditors and audit team leaders
3. Selecting appropriate audit teams and assigning their roles and responsibilities
4. Conducting audits
5. Conducting audit follow-ups, if necessary
6. Maintaining audit program records
7. Monitoring the performance and effectiveness of the audit program
8. Reporting to top management on the overall achievements of the audit program

For smaller organizations, the activities above can be addressed in a single procedure.

Audit Program Implementation

Implementation should address:

1. Communicating the audit program to relevant parties
2. Coordinating and scheduling audits and other activities to the audit program
3. Establishing and maintaining a process for the evaluation of auditors and their continual professional development
4. Ensuring the selection of audit teams
5. Providing necessary resources to the audit teams
6. Ensuring the conduct of audits according to the audit program
7. Ensuring the control of records of the audit activities
8. Ensuring review and approval of the audit records and their distribution to the audit client and other specified parties
9. Ensuring follow-up if applicable

Audit Program Records

Records should be maintained to demonstrate the implementation of the audit program and should include the following:

• Records related to individual audits such as audit plans, audit and nonconformity reports, corrective and preventive action reports, and audit follow-up reports
• Results of the audit program review
• Records related to the audit personnel regarding:

1. Auditor competence and performance evaluation
2. Audit team selection
3. Maintenance and improvement of competence

• Records should be retained and suitably safeguarded.

Audit Program monitoring and reviewing

The implementation of the audit program should be monitored and at appropriate intervals, reviewed to assess whether its objectives have been met and to identify opportunities for improvement. The results should be reported to top management. Performance indicators should be used to monitor characteristics such as:

• The ability of the audit team to implement the audit plan
• Conformity with audit program and schedules
• Feedback from audit clients, auditees and auditors

The audit program should consider

• Results and trends from monitoring
• Conformity with procedures
• Evolving needs and expectations of interested parties
• Audit program records
• Alternative or new auditing practices
• Consistency in performance between audit teams in similar situations

Results of audit program reviews can lead to corrective and preventive actions and the improvement of the audit program.

Audit Activities

The extent of audit activities is applicable depending on the scope and complexity of the specific audit and the intended use of the audit conclusions. The planning and conducting of audit activities involve the following process flow or life cycle:

Initiating The Audit

1. Appointing the audit team leader
   Those assigned the responsibility for managing the audit program should appoint the audit team leader for the specific audit. Where a joint audit is conducted, the agreement should be reached between the audit organizations, before the audit commences on the specific responsibilities of each organization, particularly with regard to the authority of the team leader appointed for the audit. The leader has responsibility for planning, conducting, and reporting the audit, following these rules and guidelines. The leader is briefed on the objectives and scope of the audit and is then required to specify the resources necessary to carry out the audit, in terms of staff days, and the number of auditors required, including any with special technical expertise. The auditor needs knowledge of quality management systems and the Standard. However, auditors will be required to use all applicable senses during an audit.

2. Defining Audit Objectives, Scope And Criteria
Within the overall objectives of the audit program, an individual audit should be based on documented objectives, scope, and criteria. The audit objectives define what is to be accomplished by the audit and may include the following:

• Determining the degree of conformity of the QMS, or parts of it with audit criteria
• Evaluating the capability of the QMS to ensure compliance with statutory, regulatory and contractual requirements
• Evaluating the effectiveness of the QMS in meeting specified objectives
• Identifying areas for potential improvement of the QMS. The objectives can be many and diverse, but it is essential to be clear on the objectives at the beginning of the audit process.

The audit scope describes the extent and boundaries of the audit, such as:

• Applicable requirements of ISO 9001
• Physical locations – facilities, plants, offices
• Organizational activities – products, processes, departments, functions
• Date the quality management system was formally in effect

The audit criteria are used as a reference against which conformity is determined and may include:

• Applicable policies and procedures
• Standards, laws, and regulations
• ISO 9001 and organization management system requirements
• Industry requirements
• Business sector codes of conduct

The audit scope and criteria should be defined by the organization in accordance with audit program procedures.

3. Selecting The Audit Team
The team leader will select the audit team, following the criteria defined by the organization. Selection criteria may include the following:

• Audit objectives, scope, criteria and the estimated duration of the audit
• Whether it is a combined or joint audit
• The overall competence of the audit team to achieve audit objectives
• Statutory, regulatory, contractual and accreditation/ registration requirements, as applicable
• Independence of the audit team and avoiding conflict of interest
• The ability of an audit team to interact with each other and with auditee
• Language of the audit and an understanding of auditee’s social and cultural characteristics
• The need for a technical expert
• Availability of competent audit team members

4. Establishing Contacting With The Auditee
The initial contact with the auditee may be formal or informal and should be made by the audit team leader. The purpose is to:

• Establish communication channels with the auditee.
• Confirm the authority to conduct the audit
• Inform auditee on proposed timing and audit team composition
• Request access to relevant documents, including records
• Determine applicable site safety rules
• Make arrangements for the audit
• Agree on the attendance of observers and availability of guides

5. Preliminary Visit
These visits can be of great value since they allow the team leader to meet members of the organization. Much information can be gathered and benefit derived from a preliminary visit. Some of these may include:

• Clarification of the scope of the audit
• Agreement on procedures to be used during the audit
• Resolution of communication and any misunderstandings
• A quick tour to appreciate its scale, layout, and geography
• Perform documentation review
• Degree of readiness and cooperation
• Identification of any special needs – skills, protective clothing
• Provides the auditee with an opportunity to ask the team leader about the way the audit will be conducted.

6 Conducting Document Review
The auditee’s documentation should be reviewed to determine the conformity of the system, as documented with the audit criteria. The documentation may include relevant management system documents and records and previous audit reports. The review should take into account the size, nature, and complexity of the organization, and the objectives and scope of the audit. In some situations, this review may be deferred until the on-site activities commence if this is not detrimental to the effectiveness of the conduct of the audit. If the documentation is found to be inadequate, the audit team leader should inform the program manager and auditee. A decision should be made as to whether the audit should be continued or suspended until documentation concerns are resolved.

 Preparing for the on-site audit activities

1.Audit Strategies
In preparing the plan, the team leader in consultation with the audit team will decide the strategy for the audit, and there are a number of options. Some auditors favor starting at the point in a company where inquiries from clients are received. The auditors then follow the process through confirming an order, going through technical, procurement, inventory, production, test, shipping, and service, plus taking in specialized areas along the way. This approach may be termed a “process audit”. The auditors follow a specific order or set of processes through the system and examine controls of each process along the way. The process audit approach will require the auditor to look at the following aspects of process management:

1. Controls over inputs, outputs, and the value-added activities within a process
2. Controls related to the utilization of resources in converting inputs to outputs
3. Use of the PDCA methodology in applying the clauses of the ISO 9001:2015 standard to each process
4. Reviewing the controls related to the interaction, linkage, and combination with other processes, both on the input and output sides
5. Evidence of measurable objectives for each process and metrics to track performance to them

2. Preparing the Audit Plan
After having been in contact with the organization to be audited, and perhaps made a preliminary visit, the audit team leader will prepare an audit plan, which provides the basis for the agreement among the audit team and the auditee regarding the conduct of the audit. The plan should facilitate the scheduling and coordination of audit activities. The amount of detail in the audit plan should reflect the scope and complexity of the audit. The details may differ, for example, between initial and subsequent audits. The plan should be sufficiently flexible to permit changes in the audit scope, which can become necessary as the on-site audit activities progress. It is up to the team leader to determine how much flexibility to allow so the achievement of the audit objective and scope within the agreed time is not compromised. The audit plan should cover the following:

• Audit objectives, criteria, and reference documents
• Audit scope, including organizational and functional units and processes to be audited
• Dates and places where the on-site activities are to be conducted
• Expected time and duration of on-site activities, including all meetings with auditee or audit team
• The roles and responsibility of audit team members and accompanying persons
• Allocation of appropriate resources to critical areas of the audit

The audit plan should also cover, as appropriate:

• Identification of the auditee’s representative for the audit
• Working and reporting language of the audit
• Audit report topics
• Logistics arrangements
• Matters relating to confidentiality
• Any audit follow-up actions
• Confidentiality requirements
• Audit report distribution and issue date

.

3. Auditee’s  Responsibility
The auditee has a responsibility to:

• Agree with or clarify the planned arrangements
• Arrange for personnel to be available
• Request full cooperation from all personnel
• Arrange office facilities for auditors
• Arrange for any safety equipment

4.Assigning Work To The Audit Team
The audit team leader, in consultation with the audit team, should assign to each team member, responsibility for auditing specific processes, functions, sites, areas, or activities. Such assignment should take into account the need for the independence and competence of auditors and the effective use of resources, as well as, the different roles and responsibilities of auditors, auditors-in-training, and technical experts. Changes to the work assignments may be made as the audit progresses, to ensure the achievement of audit objectives.

5. Preparing work documents
Auditors need to go forward armed with the tools of the trade in order to conduct an efficient and professional audit. The audit team members should review the information relevant to their assignments and prepare work documents as necessary for reference and for recording audit proceedings. Such work documents may include a copy of the ISO 9001: 2015 Standard, checklists, sampling plans, forms for recording information such as supporting evidence, audit findings, and records of meetings. Work documents, including records resulting from their use, should be retained at least until audit completion.

 Checklist Preparation

While conducting the Audit the purpose will be something like:

“To collect objective evidence for an informed judgment about the documentation, implementation, and effectiveness of the organization’s quality management system.”

The primary aim of the checklist is to help the auditor to ensure the depth and continuity of the audit, plus it will save time during an audit and the auditor to come to an informed judgment. The company conducting the audit usually defines the format of the checklist. The Checklist defines the Sample. The checklist must, therefore, be as representative as the auditors can make it, bearing in mind the objectives of the audit. The information available to the auditors could comprise:

• Information from previous audits
• Known quality problems
• Management priorities
• Documented Information
• Product/service specifications and information
• Auditor’s own considerations based on experience and knowledge,

The point made in preparing checklists concerns making the sample representative. Always using the same checklist is not to be recommended, although this is widely practiced.

Checklist Benefits

1. Identifies relevant samples
2. Defines a formal audit process
3. Requires helpful research
4. Helps maintain the pace of audit
5. Keeps audit objectives clear
6. Gives historical reference as an audit record
7. Reduces workload on auditor during the audit
8. Assures auditee of auditor professionalism
9. Provide space for audit notes

Checklist Disadvantages

1. Can become a tick list
2.  Maybe full of yes-no questions
3. If not on the checklist, will not look at the area
4. May stifle initiative and process analysis

 Conducting On-Site Activities

Having made all the preparations with the auditee and confirmed all arrangements, it is proper etiquette for the team leader to contact the auditee a few days in advance of the audit to verify all the arrangements are in place.

Conducting The Opening Meeting

The opening meeting, is typically held at the location of the audit. Good practice demands the auditors arrive together, neither early nor late, otherwise, it can be embarrassing for both parties and, what is more, it is unprofessional. This meeting, like any other, requires preparation by the team leader. The meeting is usually held in a manager’s office or the company’s conference room. It will usually begin with a welcome and introductions by the Process Manager/ Management Representative. The audit team has prepared an agenda to ensure that all necessary points are covered quickly and efficiently. Matters to be addressed include:

1. Introduction of personnel
   The lead auditor should introduce the team and explain the way they are organized if there is more than one group, particular specialists in the group, etc. It is normally a requirement to record the attendees at this meeting. Passing around an attendance sheet and asking everyone present to record their name and position is a practical solution.
2. Audit purpose and scope
   Just in case there is any doubt about why the audit is being carried out, and the extent to which the company is going to be examined, the team leader needs to restate these points. In certain situations, the auditee may require evidence or a statement about the team’s authority, although matters such as these tend to be covered during the preparation stage.
3. Review of the audit plan 
   The plan will have been discussed, developed, and agreed upon with the auditee. However, plans may have to be altered slightly and these possibilities should be covered at this stage. The team leader should confirm the intention to keep to the plan to the extent possible.
4.  Audit Methods
   Describe briefly the methods that the auditors will use to gather objective evidence, such as interviews, observations, document and record reviews, and trend analysis.
5. Reporting methods
   The method of recording nonconformities, and of presenting the audit report that will be left by the auditors at the end of the audit, will need to be explained by the team leader.
6. The audit is a Sample 
   The team leader should make it clear that the audit is a sampling activity and subject to those limitations. Both conforming and nonconforming aspects will be seen and missed. The team leader should assure management, however, that they will make samples as representative as possible and draw only reasonable conclusions.
7. Logistics
   Logistics covers all the other arrangements transport, protective clothing, lunch arrangements, and facilities for use by the auditors.
8. Restrictions
   Although any major restrictions to the auditors will tend to have been made clear during the planning stage, these may need confirmation or discussion during the opening meeting. Such restrictions include clean areas or hazardous areas where particular arrangements for protective clothing have to be made.
9. Clarification: There may be questions or points the auditees wish to raise and the team leader should deal with these items during the opening meeting. The team leader also needs to confirm the current issue status of the key documents in the quality management system.

When all the above and any other matters have been dealt with, the team leader should bring the opening meeting to a close by thanking the management and confirming the date, time, and location of the closing and any interim (end of day management briefings) meetings.

Communicating During the Audit

Depending upon the scope and complexity of the audit, it can be necessary to make formal arrangements for communication within the audit team and with the auditee during the audit. The audit team should confer periodically to exchange information, assess audit progress, and reassign work between the audit team members as needed. During the audit, the audit team leader should periodically communicate audit progress and any concerns to the auditee and top leadership, as appropriate. Evidence collected during the audit suggests that an immediate and significant (e.g., safety, environmental, or quality) should be reported without delay to the auditee and as appropriate to the top leadership. Any concern about an issue outside the audit scope should be noted and reported to the audit team leader, for possible communication to the auditee. Where the available audit evidence indicates that audit objectives are unattainable, the audit team leader should report the reasons to the auditee to determine appropriate action.  Auditing deals with people. People are unpredictable in their behavior, emotions, and dispositions. A good auditor must know how to interact and get information from people in an effective manner.

Auditor Communication Skills:

• Put auditee at ease before interviewing
• Ask and listen
• Ask short questions
• Show interest in people; what they say
• Reflect the right attitude and tone of voice
• Be tactful and polite
• Watch body language and facial expressions
• Show patience and understanding
• Smile and show eye contact
• Turn off your own problems
• Avoid interruptions and contradictions
• Remember to say please and thank you
• Avoid off-cuff or condescending remarks
• Ask the right person
• Give praise when appropriate
• Don’t say you understand if you don’t

Questioning Techniques
Any audit carried out anywhere has an objective. Auditors who lose sight of this will not be effective. They are better off asking two questions than lose their way because they asked only one. The quality of the audit can be considered in terms of achieving the audit objectives. The ability to discover information of relevance (facts related to the audit objective) is dependent on the ability to ask the right questions. Elsewhere, particularly in quality training, they are called 5 W’s and an H. Although a clumsy description, the idea is the same. Questions beginning with these words will elicit more than just Yes or No answers and are, therefore, called open questions. It takes longer to answer such a question than it does to ask, so the auditor also gets some thinking time. Auditors can control the tone of discussions to their advantage with the use of these questions since the questions demand meaningful answers. It is impossible to correctly answer an open question with a Yes or No response. Without a doubt, the ability to ask questions of the right type is one of the most powerful tools in the auditor’s toolbox. It is taken for granted as a management skill, but auditors must learn to identify and use the appropriate techniques. In this way, they will improve communications and conduct more effective audits.

The Roles And Responsibilities Of Audit Participants

1. It is in the team leader’s interest to keep the number of people in such a group to a minimum, but with patience, good management and a clear idea of the audit objectives, the auditors can carry out the audit with even a large following.
2. It must be made quite clear to all in the party that only two people should speak during the audit: the auditor and the person being interviewed at the time.
3. The team members carry out the audit as per the audit plan and support the lead auditor. The team leader manages the audit team and also shares in the auditing workload.
4. Observers do not participate in the audit. They can only watch the audit, take notes as necessary, and clarify issues at the audit team meetings.
5. Experts may be used when auditing a highly specialized business. Their role is not to audit, but to provide technical guidance on products, processes, and activities.
6. From the auditee side, guides take audit team members to the specific parts of the organization and introduce auditors to various auditees at the scheduled times. They should ensure that the audit team is aware of and conform to the safety and security rules of the organization. They should not participate in the audit interview unless invited to do so by the auditor, perhaps to clarify a question or assist in collecting information. They should take notes and witness the audit observations. Observers and trainees must not participate in the audit interview but should take notes to witness or learn.
7. Consultants must declare their relationship with the auditee and must not participate in any of the audit activities unless permitted to do so by the team leader.

Collecting and verifying information

During the audit, information relevant to the objectives, scope, and criteria, including information relating to the interfaces between functions, activities, and processes, should be collected by appropriate sampling and should be verified. Only information that is verifiable may be audit evidence. Audit evidence should be recorded. The audit evidence should be based on samples of the available information. Therefore, there is an element of uncertainty in auditing, and those acting upon the audit conclusion should be aware of this uncertainty. Process for collecting information to reaching audit conclusions:

1.Audit Evidence

The purpose of an audit is to collect audit evidence to permit audit findings and by evaluating the evidence against audit criteria and then reviewing all individual findings to reach an overall audit conclusion about the degree of conformity and effectiveness of the quality management system. Auditors must not allow their opinions or prejudices to influence decisions. Audit evidence supports the existence or conformity of an element of the quality management system. The evidence must be capable of being verified and may be:

• Information, records, or statements of fact
• Qualitative (non-numerical) or quantitative (numerical)
• Based on observation, measurement, or test

Audit information can exist in a variety of forms:

1. It may be quantitative, such as numerical performance data on products, processes and the QMS.
2. It may be qualitative, such as from interview, observations and documents.
3. The auditor must decide if the information is relevant to the product or quality system.
4. Statements can be used as objective evidence when made by those responsible for the activity being audited – known as “admissible statements”.
5. If possible, auditors should gather documented support for the admissible statements.
6. Nonconformities, when found, must be quantified for communication to the auditee.

Techniques to obtain objective evidence include:

• Interview People:
  • that manage, perform and verify activities
  • with responsibility and authority for work
• Observe Operations:
  for identification, status, condition, flow, and operation of facilities, materials, product, equipment, processes, and tasks
• Review Documents:
  • pertaining to processes and activities
  • for details of why, who, what, when, and where
• Examine Records:
  for objective evidence of implementation of  processes, activities, controls, inspections, and tests
• Evaluate Results:
  • to summarize and analyze the audit observations
  • to determine the effectiveness of the quality system

2.Audit Sampling

•  Objective evidence is obtained by sampling processes, people, documents, and records
• It is based on a small representation of the audited activities
• Not finding nonconformities do not equate to the total assurance of control
• Determine sample size and selection based on:
  • complexity
  • volume
  • risk
  • past problems
  • audit time span
  • Collect the sample on a random basis (ask permission of the auditee)
  • Don’t let the auditee select the samples and possibly bias the representation
  • Don’t dig deeper, or select another sample, if the first sample doesn’t find nonconformities
  • If no nonconformities are found, move on to the next area of the audit
  • Review and agree on conformity with the auditee, guide, and department head
  • Deviate from the audit checklist, if appropriate
  • Follow unexpected audit trails only if warranted (consult Management Representative or team leader)
  • Consider minimal sample size guidelines of 4/10; 10/100; 20/1000

Generating Audit Findings

Audit evidence should be evaluated against the audit criteria to generate the audit findings. Audit findings can indicate either conformity or nonconformity with audit criteria. When specified by audit objectives, audit findings can identify an opportunity for improvement. The audit team should meet as needed to review the audit findings at appropriate stages during the audit. Conformity with audit criteria should be summarized to indicate locations, functions, or processes that were audited. If included in the audit plan, individual audit findings of conformity and their supporting evidence should also be recorded. Nonconformities and their supporting audit evidence should be recorded. Nonconformities may be graded or classified. They should be reviewed with the auditee to obtain acknowledgment that the audit evidence is accurate and that they are understood.

Evidence gathering process

In order to gain the facts and enough of them from which to come to a conclusion, auditors have to examine samples of documents, items, products, etc. Only the auditors can decide how many samples should be taken. It would obviously be dangerous to see one example of a system in a correct operation (when there are hundreds of examples that could also be looked at) and assume that because one had been seen the system was correct all the time. Similarly, it would also be wrong, particularly if a minor aspect is being considered, to look at every single example. Typically, the sample size can vary between 6 –30 items. In most cases, this small number will be sufficient as long as some attempt has been made to make it representative. To make a sample representative, it needs to be chosen at random. Certain systems, for example, those for documentation control, are company-wide and every department has examples of documents. The auditor needs to be clear about who is responsible for what when verifying the correctness of the documents seen in any given department. Auditors should always seek the help of local personnel affected by the system in question in understanding the evidence. Naturally, the kind of evidence often being produced is that which will show a failure of the system or a lack of management control. Provided that the auditor has remained objective, has been open with the people contacted, and has invariably been polite in requests for information, there should be no difficulty in reaching an agreement on such points with the responsible persons.

Taking Notes

Only the most experienced auditors make sufficient notes of all the relevant things seen and heard during an audit. It is obviously an extremely important technique to develop. The auditors must record enough information to make an informed judgment based on an adequate set of notes containing considerable facts. Notes need to be taken of references to documents, item identification, batch numbers, job numbers, statements, who said them, job titles, relevant questions asked, etc. This information needs to be legible and needs to be retrievable. Much of it might be referenced in subsequent audits, either in the next department to be visited, or in a department to be visited by another member of the audit team. Whichever format they use, auditors must safeguard the confidentiality of the information they gain during the audit.

Control of the Audit

At all times, the team leader is responsible for maintaining control of the audit. Experience helps auditors to develop their own way of working in an area and then adapting various techniques as each situation demands. On entering an area and being introduced to the departmental representative, the team leader should go over the audit plan for that area with the departmental representative and the guide. Their advice as to the best sequence to follow can usually be taken. The items on the checklist are then worked through in a systematic manner. The amount of time the auditor has to spend talking to management in each area about their system will vary according to how much information was originally made available to the auditors. Where there was very little detail, then more time may have to be spent determining some of the basic controls. In order to understand some of these controls, the auditor will not only speak to management, but also to the people doing the work. If the auditors find no evidence of nonconformities, they can and should proceed quickly. Having covered their sample, they should move on. If there are problems, the auditors must examine the evidence to the depth necessary to gain objective evidence.

Recording Nonconformities

As the audit proceeds, there might arise situations where the facts indicate there is a failure, either partially or wholly, of the quality management system, such a situation is called “a nonconformity”.

What is nonconformity?

• a condition adverse to Quality
• the non-fulfillment of a requirement

Examples of requirements:

• Conditions of contract
• ISO 9001 standard
• QMS documentation
• Regulatory and industry

There may be nonconformity for one of three reasons:

1. the procedure or defined process does not conform to ISO 9001 requirements
2. the procedure or process has not been put into practice in the described way
3. the practice, what is actually done, is not effective (planned results not achieved).

Many situations arise during an audit with the potential to become nonconformities. As soon as the facts are indicative of nonconformity, the auditors should immediately voice their thoughts to the departmental representative. The auditee should agree with the facts at this point (and certainly before the auditors leave the area for another part of the audit). The statement of nonconformity needs to be in a format understandable both to people in the audit and to those who were not. People who were not present at the audit will often be assigned to take the necessary corrective action. This need alone defines some rules for the recording of nonconformities:

1. Exact observation of the facts. Only the facts are needed and the reporting of them needs to be exact.
2. Where was it found? The statement needs to identify exactly where it was found, otherwise, it may not be found again.
3. What was found? It needs to be clear so that people understand what aspect of the system is nonconforming.
4. Why it is a nonconformity? The statement needs to make it clear what the specified requirement has not been met.
5. What is the objective evidence of the nonconformity? What audit evidence do we have – records, documents, statements or observations for our nonconformity findings?
6. Who was involved? The statement often has no need to involve specific people, but where the objective evidence was based on a statement, then the statement and the originator(s) need to be clear. Job titles rather than names should be used.
7. Use local terminology. The industry has its own names for certain activities, documents, etc.  These unique terms should be used for clarity.
8. Make it retrievable. Someone has to go back after the audit and put it right, possibly after a considerable period of time.
9. Make it helpful. To be helpful, nonconformity statements should be complete, correct, concise and clear. Suggestions, particularly on external audits, are not recommended, nor are they the auditor’s duty. Some examples of typical nonconformities will allow at least some of the above points to be made, assuming these are from audits to ISO 9001.

The number of nonconformities that can arise during an audit can be numerous. However, it is unlikely that they are all equally serious. The auditor needs to be able to differentiate between those that are serious and those that are less so. In order to help with this analysis, there are three questions the auditor can ask:

1.  What could go wrong if the deficiency remains uncorrected?
2.  What is the likelihood of such a thing going wrong?
3.  Is it likely the system would detect it before the customer is affected?

It is also common practice for auditors to raise opportunities for improvement that are points of concern, but for which there is insufficient objective evidence to raise a nonconformity. Opportunities for improvement are an additional way by which auditors can be seen as being helpful.

Minor Nonconformity

The definition of a MINOR nonconformity:

• Failure to conform to a requirement which (based on judgment and experience) is not likely to result in QMS failure
• A single observed lapse or isolated incident
• Minimal risk of nonconforming product or service

Examples:

• A drawing marked up with unauthorized changes
• A purchase order released without review and approval
• An inspection instrument passed its calibration date
• A training record not available

Minor nonconformities have little likelihood of allowing non-conforming products or services to be delivered or causing a breakdown of system control. It does indicate that there are occasional lapses that must be formally addressed through corrective action.

Major Nonconformity

The definition of a MAJOR nonconformity:

• The total breakdown of the system, control, or procedure
• Absence of an ISO 9001 requirement
• A number of minors related to the same clause
• A nonconformity that would result in the probable shipment of nonconformity or un-inspected product
• A condition that may result in the failure or materially reduce the usability of the product for the intended purpose;
• A nonconformity that experience and judgment indicate will likely result in QMS failure or materially reduce its ability to assure controlled processes and products
• Between these two extremes a number of less serious nonconformities, when considered together, may identify a system failure and hence a Major nonconformity.

Examples:

• No documented information for any required element of the standard
• Document changes routinely carried out in an unauthorized manner
• Critical purchases made from unevaluated suppliers
• Product shipped without required inspection and tests
• Majors represent serious problems in the system that must be addressed with attention and resources on a priority basis. It puts the business at risk with customers and the Registrar.

In an internal audit, many organization does not differentiate between major and minor nonconformance.  The auditors need to consider all the evidence available to see whether there a process or sub-system of the QMS is failing. It is the combination of all the evidence that will contribute to the informed judgment that the auditors will be required to present to the organization.

Some Examples of Major Non-Conformance, Minor Nonconformance, and Opportunities for improvement. 

1. In an XYZ company, while auditing in the Insurance claims manager’s office, the auditor saw an office file titled “Insurance Process Guide” lying on a shelf. The auditor was told that these are important Standard Operating He promptly glanced through work procedure No. PWP02, PWP04 & PWP06 contained in the “Insurance Process Guide’” section A, PWP 2,4,&6 which were at revision status 01. The auditor cross-checked these SOPs on the company’s central server and noted that PWP02 & PWP04 were at revision status 02 and PWP0 6 at revision status 03.
The company under Audit: XYZ
Non Conformity Number: 5
Minor NC
The area under review:  Insurance claims’ Manager office ISO  9001 clause number: 7.5.3.2(c)
Nonconformity statement: In the Insurance claims’ Manager’s office, and Office file titled ”Insurance Process Guide” was found without version control with no suitable identification.  There was no control to prevent unintended use of this obsolete document and apply suitable identification to this document.

2. In a material procurement department, the purchasing process describes that all the purchase orders must contain complete details of the material ordered. While sampling, the auditor selected 10 purchase orders and found that P.O No. A-10, B-44 & K-22 contain insufficient information relating to material specifications. The materials manager explained that there is no need to incorporate these details since these are our regular suppliers and are well aware of material specifications.
The company under Audit: XYZ
Non Conformity Number: 6
Major NC
The area under review:  material procurement department
ISO 9001 clause number: 8.4.2
Nonconformity statement: In the material procurement department, P.O No. A-10, B-44 & K-22 contain insufficient information relating to material specifications.   P.O No. A-10, B-44 & K-22 do not describe the purchase requirements for the purchased product.

3. In a laboratory, the samples are identified by a unique sample code. The auditor examines the records, which are held in a computer database. Each database record has five columns, one each of the following: 1. Sample code, 2. Date, 3. Test Results, 4 Decision on next action, 5. Approval for decision. In a representative sample of 20 records, 18 records are fully identified but on 2 records, the last two columns relating to the decision are blank.
There is no sufficient evidence of nonconformity to indicate that the person authorizing the release of the product has not been recorded. I would try to find evidence of

1. If there are any other records that indicate the person(s) authorizing the release of the product for delivery to the customer.
2. Records provide evidence of conformity to requirements.
3. Has the organization established a documented procedure to define the controls needed for identification, storage, protection, retrieval, retention, and disposition of records?
4. Are Records controlled?
5. Have the characteristics of the product been monitored and measured to verify that the product requirements have been met?
6. Is the release of the product to the customer taking place before the planned arrangement has been satisfactorily completed or unless otherwise approved by a relevant authority and where applicable, by the customer?
7. Does the organization ensure that the product which does not conform to the product requirements is identified and controlled to prevent their further use?
8. Does the personnel working in the laboratory have the necessary competence on the basis of appropriate education, training, skills, and experience?

4. After the recently concluded internal audit of a company, the auditor noted that the quality manager had compiled a summary of NCR’s which showed 100 NCRs. The sales department had a maximum NCR’s to the tune of 75%, the rest of NCR’s were evenly distributed among 5 other departments, 2 departments received no NCRs. The Quality Manager explained that the corrective and preventive actions have been already initiated and six-monthly intervals of internal audit are being adhered to ever since the system is put in place 3 years ago. The sales department deals with the review of product requirements.

The company under Audit: XYZ
Non Conformity Number: 6
Major NC
The area under review:  Internal audit
ISO 9001 clause number: 9.2.2(a)
Nonconformity statement: After the recently concluded internal audit of a company, the auditor noted that the quality manager had compiled a summary of NCR’s which showed 100 NCRs. The sales department had a maximum NCR’s to the tune of 75%, the rest of NCR’s were evenly distributed among 5 other departments, 2 departments received no NCRs. The audit program was planned without taking into consideration the status as well as the results of the previous audits.

5. In a packing section of a food processing unit, the auditor notes that 6 out of 18 people are not wearing company-issued nylon headgear, which is contrary to the work procedure OCP 13, Issue 2.

Company under Audit: Food processing unit
Non Conformity Number: 7
Minor NC
The area under review:  packing section
ISO 9001 clause number: 7.3(d)
Nonconformity statement: In a packing section of a food processing unit, 6 out of 18 people are not wearing company-issued nylon headgear, which is contrary to the work procedure OCP 13, Issue 2. Personnel performing work affecting conformity to product requirements are not aware of the implications of not conforming with QMS requirements

Reaction of Auditees

If an experienced auditor cares to look back over several different types of audits they have done, the likelihood is they will be able to recall a whole range of auditee reactions they have experienced, from outright hostility to willing cooperation. The auditor has to be prepared to meet and deal with this range of reaction. In general, top management will set the “tone” by their general interest and involvement in quality assurance (or lack of it). Although it must be said that as organizations realize more and more the full benefits of ISO 9001, auditee reactions are very much on the decline and normally occur when faced by a negative auditor. Let’s look at some possible reactions.

1. Authority – This can work both ways. Some auditees become protective of their departments or company and try to “browbeat” the auditor. The auditor must insist firmly, but politely, on being given respect (provided, of course, the auditor gives it first). Some auditees feel “inferior” to the auditors, and because the auditors are a representation of authority, become nervous. The auditor must use patience and politeness, and where appropriate, be empathetic.
2. Antagonism  – For whatever reason, auditees may occasionally become hostile and aggressive towards the auditor. Naturally, the auditor must ignore any rudeness from the auditee. However, they may have to spend slightly longer in the area using patience, firmness, and politeness as their main defenses.
3. Diversionary tactics – These tactics can be many and varied. Anything that uses up time that was otherwise planned for auditing can be included here. People may sometimes be very well-meaning, but if they spend a lot of time explaining things that the auditors have not asked them for, they must be politely stopped. Videos about the company can be very interesting and sometimes useful, but if not relevant to the audit, should be avoided (as should the interesting machine or process). Auditees will sometimes appeal to your curiosity and want to show the “latest thing”. It is not always a deliberate ploy, but the departmental representative can waste a lot of time “just going off to get what you want”. The auditor should accompany the person, or perhaps arrangements can be made to get it later. A lot of time can also be wasted while the auditee answers the telephone, or involves the employees in a lot of discussion about matters external to the audit. Sometimes, auditors are kept waiting for information, or for auditee representatives to appear, because they are on the telephone or in a meeting. If this does happen, then above all do not get angry, be firm yet polite, refrain from critical comments and confrontation, continue with the audit plan and point out that there are many areas still to be covered in the remaining time. If the problem arises again, speak to the management representative.
4. Volunteered information – Auditors receive a lot of data during an audit. They hope to get the information they want in an effective manner. Sometimes, people give them the information they have not asked for, maybe about a failure in part of the quality system. The auditor is now in a quandary. Do they follow up that lead now, later, or do they ignore it? It may be a “red herring”, taking up a lot of time and leading nowhere. It may be important and relate to the audit objective. Only experienced auditors will tend to make the right decision here. There is no right answer and it is just one of the many things an auditor has to consider while performing an audit.
5. Internal conflicts – Audits can be stressful on all involved and sometimes findings during an audit provoke an argument between members of the organization. The audit is not the place for this and the auditor needs to use a little tact in smoothing the situation, without getting involved, and continue with the audit. Seek objective evidence without being seen to take sides.
6. Continual challenge – The auditee has the right, and indeed the duty, to challenge auditors that reach conclusions on the basis of unsound information. This can happen where auditors are not fully briefed about contract conditions, product requirements, or where they stray from objective evidence. However, it is for the auditor to continually put up a strong and factual case for all conclusions reached so that the auditee accepts them.
7. Enlisting help – In some companies, the Quality Assurance staff often guides auditors around during an audit, and frequently a good rapport is developed. If the Quality Assurance people are having difficulty in getting the corrective action taken, they may “lead” the auditors to deficient areas. While not exactly volunteering information, the auditee is enlisting the (powerful) support of customer representatives. The auditors may use this information by gaining facts (considering how to protect their sources) so that any nonconformities found are indisputable.

Audit Team Meeting: 

An audit team meeting should be held after the auditing process completes so the team leader can plan the closing meeting in detail, and ensure the team knows what is going to be presented to the organization in the way of nonconformities and a summary. The team leader chairs the audit team meeting and has some points that must be covered:

1. To complete the recording of all nonconformities with supporting audit evidence
2. To review the audit findings, and any other appropriate information collected during the audit, against the audit objectives
3. To agree on the audit conclusions, taking into account the uncertainty inherent in the audit process
4. To prepare the Audit Summary Report
5. To prepare recommendations, if specified by the audit objectives and
6. To discuss audit follow-up, if included in the audit plan

The team meeting needs to be at least an hour before the closing meeting, or less if some of the work has already been previously completed (for example, the night before).The team leader may present everything in all nonconformities and the summary or the team members may be asked to present the nonconformities they found. The review of nonconformities is important and members should be rigorous in their review of one another’s statements. As a result of the “review team” findings, the team leader prepares an audit summary. This summary reflects the degree to which a company is conforming to its own documented quality management system and the ISO 9001 standard. As a suggestion, a team leader should answer three questions asked about the quality management system in an audit:

1. Is there a documented (and defined) system addressing the clauses of ISO 9001?  to what extent? (audit of documentation)
2. Has this documented system been put into practice?  to what extent? (audit of implementation)
3. Is the quality management system achieving objectives? to what extent? (audit of effectiveness).
   – Are nonconformities being prevented by the existing controls?
   To answer these questions, the nonconformities raised will give some guidance.
   Further questions may be answered by the summary:
4. Do the nonconformities indicate weakness in any particular department, processes or, ISO 9001 clause within the audit scope?
5. Do the nonconformities indicate weakness in any particular part of the QMS?

The team leader also prepares an agenda for the closing meeting and arranges, either through a team member, for copies of all nonconformities to be passed over to the company’s management at the appropriate time. It is ideal, but no means possible on every audit, for the team leader to organize the seating arrangements for the closing meeting.

Audit Conclusions – QMS Effectiveness

As the audit comes towards the end, the auditors should be gradually building up a picture of the organization’s QMS strengths and weaknesses. The team leader has the responsibility for generating this composite picture as their audit conclusion of the degree to which working systems conform to stated requirements and objectives (and the Standard), after consideration of all audit findings. This information comes from the findings during the audit, but it is necessary to “sort” this so that a reasonable conclusion can be reached (assuming nonconformities have been found):

• number of major nonconformities raised
• number of nonconformities raised during the audit of defined processes and documentation (intent)
• number of nonconformities raised during the audit of implementation (practices)
• number of nonconformities related to the effectiveness of the system
• number of nonconformities raised against each clause of the Standard
• number of nonconformities in each department or area of responsibility
• The capability of the management review process to ensure the continuing suitability, adequacy, effectiveness, and improvement of the management system

Based on this, a picture emerges of the kinds of failure found, relative frequency, where found in the company, and the quality management system requirement (clause of the standard) that is weakest. However, this is not the only information the auditor should be considering. A further picture can emerge from examining the following:

• Internal failures How many modifications to drawings, specifications, or purchase orders were made that should have been avoided? How much avoidable product scrap, rework, and concessions or waivers occur?
• External failures How often do customers complain and/or return the product? Is there a large Returns department?
• Past Audits Have recent internal and external audits established many nonconformities?
• Trends Do they consider any or all the above in reviews to establish how their quality management system should be changed to prevent such events in the future? Is the number of nonconformities rising, static, or falling?
• Corrective action Has there been any evidence to show that a strong and consistently effective system operates to correct things that are wrong and monitor it to ensure it stays that way? What techniques are used to establish the causes? Are they shown to work?
• Management attitude Does top management know the results of audits, the level of product defects, and the cost of poor quality? Are they involved rather than only stated to be committed? What evidence is there, if any, that top management takes an interest in the quality management system? Are they proud of their system?
• Staff attitude to management Are the employees positive about their management? Is there an open or closed-door style? Did the management representative have easy access to various managers during the audit? Does the staff have to “dress up” nonconformities for presentation to management? If auditors find information that indicates a distinct lack of management support for the system, then they should say so in their report. Their task is to collate the evidence as fairly and objectively as they can and highlight areas of the greatest risk and least assurance.

Options for recommendation

In the case of internal or second-party audits, audit conclusions can lead to recommendations regarding improvements, business relationships, or future auditing activities.

Closing Meeting

The closing meeting is the concluding meeting of the audit and is the formal presentation by the team of the findings and conclusions of the audit. Participants should include the auditee top management and may also include other parties such as outsourced processes in case they have been audited. In many instances, for example, internal audits in a small organization, the closing meeting may consist of just communicating the audit findings and conclusions. For other audit situations, the meeting should be formal, and minutes, including records of attendance, should be kept. Any diverging opinions regarding the audit findings and/or conclusions between the audit team and the auditee should be discussed and resolved. If not resolved, all opinions should be recorded. If specified by audit objectives, recommendations for improvements should be presented. It should be emphasized that recommendations are not binding. The following points need to be covered in some form:

1. List of Attendees
   The team leader or the second auditor passes around an attendance list with name and position to be entered by each attendee.
2. Thanks
   The team leader should thank the auditee on behalf of the team for their help, time, etc. The team leader should also thank the guides for their assistance.
3. Objectives, Scope, and Criteria
   As a formality, and to ensure that the basis for the audit is not in doubt, the objectives, scope, and criteria should be restated. This is for a number of practical reasons. There is usually no real doubt about this in the organization because it has been discussed and agreed upon before the audit took place.
4. Report
   The audit conclusions on system effectiveness will be formally reported and the results to be given to the auditee should be described.
5. Limitations
   It bears repetition that the audit was a sample of activities and is, therefore, subject to the risks associated with sampling. Not every conforming or nonconforming area was seen, only a representative selection. Therefore, the possibility exists that there are additional nonconformities in areas not covered by this audit.
   It is recommended that the auditors develop a standard statement covering the essence of the above in their own words.
6. Confidentiality
   The lead auditor should reassure the auditee that everything seen or heard during the audit is kept in strict confidence. Any documents provided to the audit team will be returned before the auditors leave the premises.
7. Audit Summary
   The audit results should be summarized for presentation to management. Do not forget to start your presentation with ‘accentuating the positive’. Based on your audit, provide sincere and factual feedback on the QMS strengths – departments, processes, resources, controls, documentation, etc. Nonconformity findings may be grouped by functional area (department), the clause of the standard, and severity level (major, minor, or concern). Findings could also be categorized by type of failure, for example, intent (defined processes and documentation), implementation (practices), or effectiveness (results).
8. Presentation of Nonconformities
   It is recommended that the nonconformities be read out one after the other until they have all been presented, although it might be necessary to give a summary. In some cases, the auditee representatives will have copies of the nonconformities, if some were agreed earlier. Nonconformities may be agreed upon with the authorized person. Signature usually designates acceptance, however, there will be times when the auditee may disagree with a particular nonconformity and not accept it. In this case, the signature may simply denote acknowledgment of receipt of the nonconformity.
9. Agreement
   Each of the nonconformities presented was based on the facts agreed to earlier by a departmental representative. Although the agreement was reached at that time, the wording of the nonconformity is unlikely to have been at its most complete and concise. Either at review meetings or at the Closing Meeting, these nonconformities are signed by the auditee to acknowledge receipt and understanding of the content.
10. Recommendation
    The team leader is responsible for presenting the conclusion reached by the team based on the audit results. This is the “informed judgment” of the auditors. It must consider the seriousness of any nonconformities and whether they indicate a departmental or company-wide breakdown of the system. The conclusion must be balanced with positive findings made during the audit.
11. Clarification
    The auditee must have an opportunity to ask questions about the nonconformities or the summary and it would normally come at this point. The facts as stated should not be in dispute. Assuming the auditee accepts all the nonconformities or the summary, the auditor may be asked what response is necessary for the points raised. The auditors would expect the auditee to propose some corrective action in a given timeframe.
    The closing meeting is not the place to discuss actual corrective action. That should be given very careful consideration by the auditee. The team leader should, therefore, state that a proposed plan of corrective action is necessary within a number of days or weeks after receipt of the report. However, if the recommendation is for a full re-audit, then it will not be necessary to submit a corrective action plan.
12. Departure
    Having presented the findings and discussed them to the auditee’s satisfaction, the audit team can depart, once again thanking the auditee for time, etc.
    However, at various times in the past, and perhaps also to be expected in the future, audit teams are faced with the meeting not going to plan for some reason or another.

Audit Reporting

The report of an external should provide a complete, accurate, concise, and clear record of the audit. It is the major output of the audit process and maybe read and used by people who were not at the audit (and have no other information about the audit). It is, therefore, important that the audit report gives a balanced picture of the whole audit not merely the nonconformities found. The wholeEssentially, the following points are to be addressed in an audit report:

• Unique audit identity (number/ letter, etc.)
• Audit objectives and criteria
• The audit scope, particularly the organizational and functional units or processes audited and time period covered
• Identification of the audit client
• The dates and places where the on-site audit was conducted
• The audit findings and conclusions

The report may also include or refer to the following, as appropriate:

1. The audit plan
2. A list of audit attendees
3. A summary of the audit process, including the uncertainty and/or any obstacles encountered that could decrease the reliability of the audit conclusions
4. Confirmation that the audit objectives have been accomplished within the audit scope in accordance with the audit plan
5. Any areas not covered, although in the audit plan
6. Any unresolved diverging opinions between the audit team and the auditee
7. Recommendations for improvement, if specified in the audit objectives
8. Agreed on follow-up actions if any
9. A statement of the confidential nature of the contents
10. The distribution list for the audit report
11. Applicable quality system requirements (the Standard)
12. Names and positions of team leader and team
13. Summary

There should be a summary statement of the “polished up” version of the one presented at the closing meeting. This summary provides the informed judgment of the auditors.

1. Nonconformities

All audit reports include the nonconformities exactly as they were written and presented to the auditee. If there is a classification system, such as Major or Minor, then this is used. There may also be a reference to a clause in the Standard. If a nonconformity was “closed out” during the audit, then a note is made to that effect.

2. Suggestions for correction of nonconformities

This is becoming less typical as organizations recognize its futility. However, certain companies require auditors to include suggestions for the correction of nonconformities. This is difficult, time-consuming, and risky; it may also be nonconforming with registrar policy and procedures (for reasons previously discussed). The auditors have to be very careful about any suggestions because their knowledge of the auditee’s systems is so very limited. Their ability to make valued criticism is so limited, in fact, that in many cases, it is useless and best omitted.

3. Suggestions for improvement

As part of the value-added approach to auditing, the audit team should provide improvement suggestions relating to:

• Areas of concern where controls are in place and conforming with requirements, but in the auditor’s experience and judgment, appear weak and likely to lead to nonconformity in the future
• Opportunities where organizations can more effectively or efficiently manage, perform or control activity or process, based on the auditor’s experience with similar situations in other organizations. It should be understood that the organization has no obligation to implement such suggestions, but it must be aware of the risks of not doing so.

4 Approval

The report should be signed and dated by the audit team leader as “approved”. Some organizations require a further sign of a senior person before the report is issued. It is important to prepare and issue an audit report within a reasonable timeframe. Records will also be kept of corrective actions to satisfy the “close out” requirements of each nonconformity. Internal audits may not require the same depth of documentation of reporting, but the records retained will include at least the following:

1. Reference and date of the audit
2. Department/office/section audited
3. Audit scope and objective
4. Names of auditor(s), audit plan, and audit checklists plus nonconformities
5. Auditor notes
6. Audit summary and conclusions
7. Corrective actions are taken.

Approving and distributing the audit report

The audit report should be issued within the agreed time period. The audit report should be dated, reviewed, and approved in accordance with audit program procedures. The approved report should then be distributed to the auditee and other recipients as designated by the organization.  The audit report is the property of the organization. The audit team members and all report recipients should respect and maintain the confidentiality of the report.

Completing the audit

The audit is completed when all activities described in the audit plan have been carried out and the approved audit report is distributed. Documents pertaining to the audit should be retained or destroyed by agreement between the participating parties and in accordance with the audit program procedures and applicable statutory, regulatory, and contractual requirements. Unless required by law, the audit team and those responsible for managing the audit program should not disclose the contents of documents, any other information obtained during the audit, or the audit report, to any other party without the explicit approval of the top leadership of the organization and, where appropriate the approval of the auditee.

Conducting audit follow-up

The conclusions of the audit may indicate the need for corrective,  or improvement actions, as applicable. Such actions are usually decided and taken by the auditee within an agreed timeframe and are not considered part of the audit. The auditee should keep the top leadership/process manager informed of the status of these actions. The completion and effectiveness of corrective action should be verified. This verification may be part of a subsequent audit. The audit program may specify follow-up by members of the audit team, which adds value by using their expertise. In such cases, care should be taken to maintain independence in subsequent audit activities.

Auditee post-audit actions

The auditee might have a number of areas that were found to not conform to requirements. These non-conformities must be corrected, the actions verified as effective, and some kind of monitoring implemented to ensure things stay conforming. If the company has only one set of audit results for which to verify corrective actions, its follow-up system may be quite basic. However, some companies may have several nonconformities from external audits, and more from their own internal audits, product reports, and customer complaints. A formal system is necessary to track each nonconformity as it goes towards “close out”. If the external body is returning to check on corrective action taken, the auditee needs a good system to ensure the action has been taken and was effective.

 Auditor post-audit actions

For a small number of minor nonconformities found during an internal audit, the follow-up may be left until the next planned audit within that area, if practical. For second-party audits, a written response to minor nonconformities is required. Based on an acceptable response, the nonconformities would be reviewed and closed out during the next visit. For some of the nonconformities that were purely documentary in nature, it might be possible to deal with them by only a written response. If the auditor is to use the nonconformity statements to follow up on the corrective action, then the nonconformity statements must be very specific and traceable. A summary of the follow-up process is:

1. Identification of nonconformities.
2. Summary report prepared.
3. Corrective action request (CAR) issued.
4. The auditor evaluates response to CAR.
5. Completion of corrective action by the auditee.
6. Evaluation of effectiveness by the auditee.
7. Verification of completion by the auditor.
8. Escalation (if necessary).
9. Records of each stage in this process,

Audit reports need to be read by various people in the company, so a distribution list can be helpful, especially where confidentiality is a major concern.

Corrective Action

The auditor’s responsibility is to make clear to the auditee that corrective action is necessary. The auditor rarely specifies corrective action (that is the auditee’s duty). Since the auditee is likely to propose corrective action, the auditor must have a view about how effective, or otherwise, such an action might be in resolving the situation once and for all. Once a nonconformity is in the system, the auditee must ensure that effective and appropriate corrective action has been taken. After clarifying with the auditor for a clear understanding of the nonconformity, and certainly with people in the area where the nonconformity was found, the best corrective action can be decided. The process of taking, checking, and monitoring the action should be formal it is perhaps the most important “Quality” activity that takes place in a company. It is certainly where the audit system takes a positive aspect rather than a negative one. However, the process of corrective action is not an easy one. The auditee has to get to the root cause of the problem if it is going to be corrected forever. It is very easy to correct the effect of the nonconformance instead of the root cause, so in time the nonconformity will re-appear. The auditee also will have to consider the impact of the corrective action on the rest of the process, as well as, the effect it might have on areas not considered during the audit. The essential features of corrective action are as follows:

1. Identification of nonconformity
2. Establish responsibility for controlling the pertinent process
3. Collect data to establish a root cause for the nonconformity
4. Analyze the data and establish corrective action
5. Monitor effectiveness of this action, including internal auditing
6. Revise the action if ineffective
7. Record all the actions taken
8. Amend system documentation, as necessary

 Perspective On Internal Audits 

The Internal audits or First party audit is an audit carried out by a company on itself to determine whether its systems and procedures are consistently improving products and services, and as a means to evaluate conformity with the procedures and the standard. Each second and third-party audit should consider the first-party audits carried out by the company in question. Ultimately, the only systems that should need to be examined are internal audits and reviews. In fact, the second or third parties themselves have to carry out internal or first-party audits to ensure their own systems and procedures are meeting business objectives. Within any company, therefore, the real benefit to be gained from auditing will come from these “self” audits. The value of an internal auditor is representative of the quality assurance resource of the company. What is the point in someone “independent” doing the auditing, if all the auditing effort is put into ensuring that the business has the right people, materials, resources, systems, etc.? If the effort is put into providing the support necessary to do a good job, why do a bad one? However, it is accepted that some companies still have a long way to go before the above state is reached. The need for an audit system, whether for external or internal audits, is paramount. Audits will be scheduled according to a plan, usually looking at various processes, their sequence, and interaction with other processes within the QMS, with some flexibility built in to allow for realigning a particular effort. There is a need to prepare for each audit with an audit plan and checklist. Formal opening meetings are not typical, except in fairly large organizations. The auditor meets briefly with the department manager and gets on with the audit. The auditor is examining the work and outputs of colleagues. This puts an added strain on the auditor and the auditee. The auditor will sometimes be in a difficult position because of this tension. How can both the auditors and the system be protected? There are two aspects considered here the system that is installed in partnership with everyone in the company – and the credibility of the auditor.

ADDENDUM TO ISO 9001:2015 in January 2024

This addendum takes into account the notion of climate change and concerns clauses 4.1 and 4.2, i.e. the understanding of the organization and its context, as well as the needs and expectations of stakeholders. Non-prescriptive, these changes only require taking into account global warming as a potential problem or as a subject of possible requirements of said stakeholders. ISO has published an amendment to clause 4.1 of ISO 9001 (ISO 9001:2015/ Amd1:2024), along with all other management system standards, adding the requirement for the organisation to determine if climate change is a relevant issue (when determining the issues relevant to its purpose and that affects its ability to achieve the intended results of its management system). The amendment also adds a note to clause 4.2 of the standard, indicating that relevant interested parties may have climate change-related requirements. This change takes effect immediately, and it would appear from the International Accreditation Forum(IAF)’s decision log that there will be no lead-in period for the change for certified organisations, certification bodies(CBs) and accreditation bodies (ABs) and that certification bodies can raise findings about the new requirement with immediate effect. These amendments should not be confused with the current ongoing revision of ISO 9001 which is expected to be published in around 2 years and would then be subject to the usual 3-year transition period. So, what is the real-world impact of this amendment for certified organisations? In a nutshell, you need to be able to demonstrate to your third party that you have specifically determined whether or not climate change is an issue relevant to your management system or or not. There is no actual requirement to document the issues you have determined to be relevant, although many organisations choose to do so. You could include it in your next management review, or schedule an additional review to make this assessment. IAF have indicated that ABs expect to ensure that CBs have assessed how the decision has been made. If it is a relevant issue, or you identify that interested parties do have requirements you would then need to demonstrate how the quality management system is addressing them, if you haven’t done so already.

how could climate change relate to a Quality management system?

Climate change can relate to a Quality Management System (QMS) in several ways, impacting both internal processes and external factors that influence product and service quality. Here are some key ways in which climate change can intersect with a QMS:

1. Resource Management: Climate change can affect the availability and quality of resources used in production processes, such as water, energy, and raw materials. A QMS can incorporate measures to monitor and optimize resource usage to mitigate the impact of climate-related resource constraints or fluctuations.
2. Supply Chain Management: Climate change can disrupt supply chains through extreme weather events, changes in agricultural productivity, transportation disruptions, and shifts in demand patterns. A robust QMS can include risk management processes to identify, assess, and address climate-related risks in the supply chain, ensuring continuity of supply and minimizing disruptions to product quality and delivery schedules.
3. Product Lifecycle Assessment: Climate change considerations can be integrated into product lifecycle assessments within the QMS, evaluating the environmental impacts of products from raw material extraction to end-of-life disposal or recycling. This can involve assessing carbon footprints, energy consumption, emissions, and waste generation associated with products and identifying opportunities for reducing environmental impacts throughout their lifecycle.
4. Regulatory Compliance: Climate change-related regulations, standards, and reporting requirements can impact product design, manufacturing processes, and business operations. A QMS can ensure compliance with relevant environmental regulations and standards, such as emissions limits, energy efficiency requirements, waste management regulations, and carbon reporting obligations.
5. Customer Expectations: Increasingly, customers are demanding environmentally sustainable products and services, driving businesses to adopt greener practices. A QMS can help organizations understand and meet customer expectations related to climate change by incorporating environmental criteria into product specifications, quality criteria, and customer satisfaction metrics.
6. Risk Management: Climate change poses various risks to organizations, including physical risks (e.g., extreme weather events, supply chain disruptions), regulatory risks (e.g., compliance obligations, carbon pricing), reputational risks (e.g., negative public perception, brand damage), and financial risks (e.g., increased costs, market volatility). A QMS can include risk assessment and mitigation processes to proactively identify, evaluate, and manage climate-related risks to ensure business continuity and protect product quality and brand reputation.
7. Continuous Improvement: Climate change adaptation and mitigation efforts require ongoing monitoring, evaluation, and improvement. A QMS facilitates continuous improvement by establishing processes for setting environmental objectives, monitoring performance indicators, conducting audits and reviews, and implementing corrective and preventive actions to enhance environmental sustainability and resilience in response to climate change.

In summary, climate change can significantly impact the effectiveness of a Quality Management System by influencing resource availability, supply chain resilience, regulatory compliance, customer expectations, risk management, and continuous improvement efforts. Integrating climate change considerations into a QMS helps organizations adapt to environmental challenges, enhance product quality, and ensure long-term business sustainability.

ISO 9001:2015/Amd 1:2024(en) Quality management systems — Requirements — AMENDMENT 1: Climate action changes

4.1

Add the following sentence at the end of the subclause:

The organization shall determine whether climate change is a relevant issue.

4.2

Add the following note at the end of the subclause:

NOTE Relevant interested parties can have requirements related to climate change.

Determining whether climate change is a relevant issue

Determining whether climate change is a relevant issue while identifying external and internal issues relevant to the Quality Management System (QMS) involves systematically evaluating factors that may impact the organization’s ability to achieve its quality objectives. Here’s how an organization can determine the relevance of climate change as an issue during this process:

1. External issues:
   • Market Trends and Regulatory Landscape: Assess how climate change may influence market trends, customer preferences, and regulatory requirements relevant to the organization’s products and services. Consider whether there are emerging regulations related to environmental sustainability, greenhouse gas emissions, energy efficiency, or other climate-related issues.
   • Supply Chain Vulnerability: Evaluate the vulnerability of the organization’s supply chain to climate-related risks, such as disruptions in raw material availability, transportation delays, or changes in supplier reliability. Consider whether climate change impacts on suppliers or transportation routes could affect the organization’s ability to deliver quality products and services.
   • Stakeholder Expectations: Consider the expectations of stakeholders, including customers, suppliers, investors, regulators, and communities, regarding the organization’s response to climate change. Assess whether there is increasing pressure from stakeholders for businesses to address environmental sustainability and climate-related risks.
2. Internal Issues:
   • Operational Impacts: Evaluate how climate change may directly or indirectly affect the organization’s operations, facilities, and resources. Consider whether changes in weather patterns, extreme weather events, or resource constraints (e.g., water scarcity) could impact production processes, quality control measures, or infrastructure resilience.
   • Resource Management: Assess the organization’s resource management practices, including energy usage, waste generation, and water consumption, in the context of climate change. Identify opportunities to improve resource efficiency, reduce greenhouse gas emissions, and enhance environmental sustainability as part of the QMS.
   • Risk Management: Evaluate the organization’s risk management processes to identify and mitigate climate-related risks that could impact product quality, customer satisfaction, or business continuity. Consider whether existing risk assessment methodologies adequately address climate-related hazards and vulnerabilities.
3. Integration with QMS:
   • Alignment with Quality Objectives: Determine whether addressing climate change aligns with the organization’s quality objectives, strategic goals, and commitment to customer satisfaction. Consider whether improvements in environmental sustainability and resilience to climate-related risks can contribute to enhancing overall product and service quality.
   • Documentation and Monitoring: Document the organization’s assessment of climate change as a relevant issue within the context of the QMS. Establish mechanisms for monitoring and measuring performance related to climate-related objectives, targets, and key performance indicators (KPIs) to ensure continuous improvement and compliance with relevant standards.

By systematically evaluating the external and internal factors relevant to the QMS, including climate change considerations, organizations can effectively identify and prioritize issues that may impact their ability to deliver quality products and services while managing associated risks and opportunities.

 Relevant interested parties can have requirements related to climate change.

Relevant interested parties in the context of a Quality Management System (QMS) can indeed have requirements related to climate change. Here are some examples of interested parties whose needs and expectations might involve climate change considerations:

1. Customers: Customers may increasingly prioritize environmentally sustainable products and services. They may expect the organization to demonstrate environmental responsibility by minimizing greenhouse gas emissions, reducing energy consumption, using renewable resources, and implementing eco-friendly practices throughout the product lifecycle. Climate change concerns could influence their purchasing decisions, making it essential for organizations to address these expectations to maintain customer satisfaction.
2. Regulators and Government Agencies: Regulatory bodies may impose requirements related to climate change mitigation, adaptation, and reporting. These requirements could include regulations aimed at reducing greenhouse gas emissions, improving energy efficiency, promoting renewable energy sources, managing waste and emissions, or disclosing environmental performance metrics. Organizations must ensure compliance with relevant regulations and anticipate future regulatory developments related to climate change.
3. Investors and Shareholders: Investors and shareholders may consider climate change risks and opportunities when evaluating the organization’s financial performance and sustainability practices. They may expect transparency and disclosure regarding the organization’s exposure to climate-related risks, its resilience strategies, and its commitment to environmental stewardship. Addressing climate change concerns can enhance investor confidence and support long-term financial sustainability.
4. Suppliers and Business Partners: Suppliers and business partners may be subject to climate-related risks and regulatory requirements that could impact their ability to fulfill contractual obligations. Organizations may need to assess the climate resilience of their supply chain, collaborate with suppliers to mitigate shared risks, and incorporate climate considerations into procurement practices and supplier selection criteria.
5. Employees and Labor Organizations: Employees and labor organizations may have concerns about the organization’s environmental impact, workplace safety, and job security in the context of climate change. They may expect the organization to provide a safe and healthy work environment, support sustainable practices, offer training on climate-related issues, and engage in meaningful dialogue and collaboration on environmental initiatives.
6. Local Communities and Non-Governmental Organizations (NGOs): Local communities and NGOs may advocate for climate action and environmental protection initiatives that affect the organization’s operations and reputation. They may expect the organization to be a responsible corporate citizen, engage in community outreach and partnerships, address environmental concerns, and contribute positively to local sustainability efforts.

In summary, understanding the needs and expectations of interested parties in the context of a QMS requires recognizing the relevance of climate change considerations. Organizations must engage with relevant stakeholders, assess their climate-related requirements, and integrate climate change considerations into their quality objectives, processes, and performance measurement mechanisms to effectively address stakeholder expectations and ensure long-term sustainability.

Understanding ISO 9001:2015 Quality Management System.

ISO 9001 is the international standard that specifies requirements for a quality management system (QMS). Organizations use the standard to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements. It is the most popular standard in the ISO 9000 series and the only standard in the series to which organizations can certify. Successful businesses understand the value of an effective Quality Management System that ensures the organization is focused on meeting customer requirements and they are satisfied with the products and services that they receive. ISO 9001 is the world’s most recognized management system standard and is used by over a million organizations across the world. .ISO 9001 was first published in 1987 by the International Organization for Standardization (ISO), an international agency composed of the national standards bodies of more than 160 countries. The current version of ISO 9001 was released in September 2015.  ISO 9001:2015 applies to any organization, regardless of size or industry. More than one million organizations from more than 160 countries have applied the ISO 9001 standard requirements to their quality management systems.  Organizations of all types and sizes find that using the ISO 9001 standard helps them organize processes, improve the efficiency of processes, and continually improve. You can integrate ISO 9001:2015 with other management system standards such as ISO 14001:2015, ISO 45001:2018, ISO 27001:2022, etc. lIt bring quality and continual improvement into the heart of the organization and increase the involvement of the leadership team. It also introduces risk and opportunity into the management system. It’s an agile business improvement tool that makes it relevant to the requirements of your own organization to gain sustainable business improvements. It brings quality management and continual improvement into the heart of an organization. This gives an opportunity for organizations to align their strategic direction with their quality management system. The starting point of the new version of ISO 9001 is to identify internal and external parties who support the QMS. This means that it can be used to help enhance and monitor the performance of an organization. It will help you become a more consistent competitor in the marketplace. It will also help you to meet present and identify future customer needs. This increases efficiency that will save you time, money, and resources. It  Improves operational performance that will cut errors and improves profits. It will motivate, engage,  and involve staff with more efficient internal processes. It will help you win more high-value customers, and achieve improved customer retention with better customer service. It will broaden business opportunities by demonstrating compliance

All ISO management system standards are subject to a regular review under the rules by which they are written. Following a substantial user survey the committee decided that a review was appropriate and created the following objectives to maintain its relevance in today’s marketplace:

• Integrate with other management systems
• Provide an integrated approach to organizational management
• Provide a consistent foundation for the next 10 years
• Reflect the increasingly complex environments in which organizations’ operate
• Ensure the new standard reflects the needs of all potential user groups
• Enhance an organization’s ability to satisfy its customers

The structure is based on the mandate that Annex SL from the ISO Directives is applied to management system standards. The clause structure in ISO 9001:2015 is being aligned with other management system standards. The structure is to provide a presentation of requirements. It is not a model for the document for documenting the organization’s policies, objectives, and processes. There is no requirement for the structure of an organization’s quality management system documentation to mirror that of this International Standard.

 Structure of ISO 9001:2015

ISO 9001:2015 is based on Annex SL – the high-level structure. This is a common framework for all ISO management systems. This helps to keep consistency, align different management system standards, offer matching sub-clauses against the top-level structure, and apply common language across all standards. It will be easier for organizations to incorporate their QMS into core business processes and get more involvement from senior management. The Plan-Do-Check-Act (PDCA) cycle can be applied to all processes and to the quality management system as a whole. The reason for the change is to adopt the common approach outlined in Annex SL, the new document that all ISO management system standards, including ISO 9001, ISO 14001, and the recently released ISO 27001, must follow. Currently, ISO 9001 contains 8 sections, of which four attempts to approximate “plan, do check, act.” The new structure, based on Annex SL, has 10 sections four of which also approximate to “PLAN, DO, CHECK, ACT.” All new management system standards will have this common structure. Here is the new structure:

Clause 1.Scope

This section describes the scope of the management system standard and will be unique to the individual standard. Clause 1 details the scope of the standard

Clause 2. Normative References

This section references other relevant standards, which are indispensable for the application of the document and will also be unique.ISO 9000, Quality Management System – Fundamental, and vocabulary is referenced and provides valuable guidance.

Clause 3. Terms and Definitions

Section three contains definitions, and while some of these are common terms related to Annex SL, other definitions will be unique to the management system standard. All the terms and definitions are contained in ISO 9000:2015 – Quality Management – Fundamentals and vocabulary. In ISO 9001:2015 the term products and services include all output categories such as hardware, services, software, and processed materials. The term services are to highlight the difference between products and services in the application of some requirements. In most cases, the terms are used together. In some cases, the word product is only used to specify a certain requirement.

Clause 4: Context of the Organization

An organization’s context involves its “operating environment.” The context must be determined both within the organization and external to the organization. This part is about understanding the organization’s purpose, the management system, and who the stakeholders are. It describes how to set up the management system and requires a broader understanding of the situation and needs of the business. It establishes the context of the QMS and how the business strategy supports this. The ‘context of the organization’ is the clause that underpins the rest of the standard. It gives an organization the opportunity to identify and understand the factors and parties in their environment that support the quality management system. To establish the context means to define the external and internal factors that the organizations must consider when they manage risks. An organization’s external context includes its outside stakeholders, its local operating environment, as well as any external factors that influence the selection of its objectives (goals and targets) or its ability to meet its goals. An organization’s internal context includes its internal stakeholders, its approach to governance, its contractual relationships with its customers, and its capabilities and culture. Firstly, the organization will need to determine external and internal issues that are relevant to its purpose, i.e. what are the relevant issues, both inside and out, that have an impact on what the organization does, or that would affect its ability to achieve the intended outcomes of its management system. It should be noted that the term “issue” covers not only problems that would have been the subject of preventive action in previous standards, but also important topics for the management system to address, such as any market assurance and governance goals that the organization might set. Secondly, an organization will also need to identify the “interested parties” that are relevant to their QMS. These groups could include shareholders, employees, customers, suppliers, and even pressure groups and regulatory bodies. Each organization will identify its own unique set of “interested parties” and over time these may change in line with the strategic direction of the organization. Next, the scope of the QMS must be determined. This could include the whole of the organization or specifically identified functions. Any outsourced functions or processes will also need to be considered in the organization’s scope if they are relevant to the QMS. The final requirement of Clause 4 is to establish, implement, maintain, and continually improve the QMS in accordance with the requirements of the standard. This requires the adoption of a process approach and although every organization will be different, documented information such as process diagrams or written procedures could be used to support this.

There are two clauses relating to the context of the organization, 4.1 Understanding the organization and its context and 4.2 Understanding the needs and expectations of interested parties. Together these clauses require the organization to determine the issues and requirements that can impact the planning of the quality management system. Interested parties cannot go beyond the scope of ISO 9001. There is no requirement to go beyond interested parties that are relevant to the quality management system. Consider the impact on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements or the organization’s aim to enhance customer satisfaction. Organizations can go beyond the minimum requirements to determine additional needs and expectations for interested parties that would not be “relevant” at the discretion of the organization and should be clear in the quality management system.

4.1 Understanding the organization and its context.

This requirement requires a greater union between the QMS and wider business planning activities. it requires organizations to ascertain, monitor, and review both internal and external issues that are relevant to its purpose and strategic direction, and have the ability to impact the QMS and its intended results.  The organization should determine external and internal issues for the organization relevant to its purpose, strategic planning, and which affect the organization’s ability to achieve its objectives. The Organization should monitor and review the information about external and internal issues. Management Review required the monitoring of external and internal issues. The organization must consider issues related to values, cultural knowledge, and performance of the organization for the understanding of internal issues. The organization must consider issues related to arising from legal, technological, competitive, market, cultural, social, and economic environments, whether international, national, regional, or local for the understanding of external context. The internal context may include, but is not limited to:

• Product and service offerings
• Governance, organizational structure, roles, and accountability.
• Regulatory requirements
• Policies and goals, and the strategies that are in place to achieve them.
• Assets like facilities, property, equipment, and technology
• Capabilities understood in terms of resources and knowledge like capital, time, people, processes, systems, and technologies.
• Information systems, information flows, and decision-making processes (both formal and informal).
• Relationships of the staff/volunteers/members and the perceptions and values of their internal stakeholders including suppliers and partners.
• Organization’s culture.
• Standards, guidelines, and models adopted by the organization and
• Form and extent of the organization’s contractual relationships.

The external context’s micro-environment consists of the organization’s immediate operations and how they affect its performance and decision-making. Some of the micro-environmental context factors

• Customers – Organizations must attract and retain customers by offering products services that meet their needs along with providing excellent customer service

• Employees/Members/Volunteers – There must be the availability of people with the motivation to remain as contributing members of the organization and develop the skills necessary to provide a competitive edge

• Suppliers – Suppliers provide organizations with the resources they need to carry out their activities. If a supplier provides bad service, this affects the way the organization operates. Close supplier relationships are an effective way to remain competitive and secure the resources needed

• Investors – All organizations require investment to grow. They may borrow the money from a bank or have people invest in their work. Relationships with investors need to be managed carefully as problems can detrimentally affect the long term success of the organization

• Media – Positive media attention can bring success to the organization by maintaining its reputational strength. Managing the media (including the presence in social media) is a challenge.

• Competitors – Members of the organization need to have a sense of belonging. Can the organization offer benefits that are better than those offered by the competitors? Is there a strong value proposition? Competitor analysis and monitoring are crucial if an organization is to maintain or improve its position in the competitive landscape of the community. The organization must always be aware of its competitor’s activities. The landscape can change quickly.

4.2 Understanding the needs and expectations of interested parties.

A broadening of scope beyond just customers. Requires the organization to determine “the relevant requirements” of “relevant interested parties” e.g. a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity.

The organization shall determine relevant interested parties and the requirements of relevant interested parties. Interested parties include Customers, Partners, Persons in the organization, External providers. Relevant interested parties to be considered are those that potentially could impact the organization’s ability to provide products and services that meet requirements. Monitor and review information related to interested parties and relevant requirements. Management Review requires the monitoring of relevant interested parties.

4.3 Determining the scope of the QMS.

The scope statement must state the products and services covered. The organization must establish the scope of the quality management system by determining the boundaries and applicability of the quality management system. While determining the scope the organization must consider the internal and external issues determined in 4.1., the requirements of relevant interested parties in 4.2. and the products and services of the organization.

Requirements that can be applied by the organization shall be applied. Requirements that cannot be applied cannot affect the organization’s ability to provide products and services that meet requirements. The organization must maintain scope as documented information stating the Products and services covered by the QMS and any Justification where a requirement cannot be applied. Any interested party which is not relevant to the quality management system need not be considered and similarly, any requirement of the interested party need not be considered. Determining what is relevant or not relevant is dependent on whether or not it has an impact on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements or the organization’s aim to enhance customer satisfaction. The organization can decide to determine additional needs and expectations that will meet its quality objectives. However, it is at the organization’s discretion whether or not to accept additional requirements to satisfy interested parties beyond what is required by this Standard.

 Applicability

The revised standard will focus on the application and not just the exclusions. There are no limits to which clauses where the application can be determined. Justification will be required as documented information to ensure that limited application does not affect the organization’s ability to provide for the provision of products and services. The application of requirements may vary. Where a requirement can be applied within the scope of its quality management system, the organization cannot decide that it is not applicable. Where a requirement cannot be applied (for example where the relevant process is not carried out) the organization can determine that the requirement is not applicable. However, this non-applicability cannot be allowed to result in failure to achieve conformity of products and services or to meet the organization’s aim to enhance customer satisfaction. A manufacturing organization that does not have any monitoring and measuring resources could determine requirements in 7.1.5 do not apply. Organizations that build from a customer-provided design could determine requirements for design in 8.3 do not apply. Organizations could not determine that requirements such as competence are not applicable since this directly affects the ability to provide a product that meets requirements.

4.4 Quality Management System and its processes.

A major change specifies the number of factors to be considered when planning the processes that make up the QMS. Although a process-planning approach has been previously expressed in earlier standards, this greatly reinforces the requirement. The standard requires the organization to establish a process-based management system. This is required to be maintained and continually improved. The clause sets out high-level requirements for the design of such a process-based management system.  These processes are integral and also there are support processes that underpin the operation of the entire QMS. It does not mean that you have to fill your quality manual with flowcharts. If flowcharts work for you then use them.
Process
The process is a set of interrelated activities that transform activity inputs into outputs. For example The process of converting a box of components into a working security system.

Process approach

The process approach is a management strategy that requires organizations to manage their processes and the interactions between them. Thus you need to consider each major process of the company and its supporting processes.
All processes have:

• inputs;
• outputs;
• operational control;
• appropriate measurement & monitoring

Each process will have support processes that underpin and enable the process to become realized. So, for example, a typical alarm company will take inquiries/sales and convert them into working alarm systems. Below is a block diagram of a typical alarm company’s processes with support processes and other considerations.

Example support processes and considerations:

Example of other processes and considerations:

Questions to ask:

• What are the inputs to the process?
• Where do the inputs come from?
• What are the outputs of the process?
• Where do the outputs go to?
• Is there an effective interrelationship between processes?
• Who plans the process?
• Who conducts the process?
• Are responsibilities and authorities defined?
• Who monitors and measures the process?
• What resources are required for the process? – Materials, people, information, environment, infrastructure, etc.
• What documented information is required for the operation and control over the process?
• What competencies & training are required?
• What awareness and knowledge is required?
• What methods are used to control and run the process?
• What are the risks and opportunities for the process?
• What happens when the process goes wrong or does not yield the correct output or result?
• How can the process be improved?
• Is the process part of the management review process?
• Is the process subject to internal audit?

The answers to the questions above form the basis of the process, its control, measurement, and improvement.

5. Leadership

This clause provides requirements for commitment, policy, and responsibilities. The emphasis is more on leadership than on management.  This clause places requirements on “top management”. Top Management is the person or group of people who directs and controls the organization at the highest level. It is no longer the responsibility of an individual or to have a “Management Representative” who is responsible for the QMS. There is an increased emphasis on people “owning” the QMS rather than one individual. The purpose of these requirements is to demonstrate leadership and commitment by leading from the top. Top management now has greater involvement in the management system and must ensure that the requirements of it are integrated into the organization’s processes and that the policy and objectives are compatible with the strategic direction of the organization. The quality policy should be a living document, at the heart of the organization. To ensure this, top management is accountable and has a responsibility to ensure the QMS is made available, communicated,  maintained, and understood by all parties. There is also a greater focus on top management to enhance customer satisfaction by identifying and addressing risks and opportunities that could affect this. Top management needs to demonstrate consistent customer focus by showing how they meet customer requirements, regulatory and statutory requirements, and also how the organization maintains enhanced customer satisfaction. In the same context, they need to have a grasp of the organization’s internal strengths and weaknesses and how these could have an impact to deliver products or services. This will strengthen the concept of business process management. In addition, top management needs to demonstrate an understanding of the key risks associated with each process and the approach taken to manage, reduce, or transfer the risk. Finally, the clause places requirements on top management to assign QMS relevant responsibilities and authorities but must remain accountable for the effectiveness of the QMS.

5.1 Leadership and commitment.

Greater emphasis is placed on the role of top management. Requires top management to “demonstrate leadership and commitment”, and suggests that a more hands-on approach is expected. ISO 9001:2015 requires top management to be much more “hands-on” with respect to their QMS. Where the word “ensuring” is used in sub-clause 5.1.1, top management may still assign this task to others for completion. Where the words “promoting”, “taking”, “engaging” or “supporting” appear, these activities cannot be delegated and must be undertaken by top management themselves. Top management must:

• have accountability for the effectiveness of their organization’s quality management system;
• ensure that their organization’s quality policy and quality objectives are consistent with the organization’s overall strategic direction and the context in which the organization is operating;
• work alongside their people in the organization in order to ensure that the quality objectives are achieved;
• ensure that the quality policy is communicated, understood and applied across the organization;
• make sure that the quality management system is achieving the results that are intended;
• lead people to contribute to the effective operation of the system;
• drive continual improvement and innovation and develop leadership in their managers.

The top management is required to ensure that:

• the requirements set out in ISO 9001:2015 are met;
• QMS processes are delivering their intended outcomes;
• reporting on the operation of the QMS and identifying any opportunities for improvement is taking place;
• a customer focus is promoted throughout the organization;
• whenever changes to the QMS are planned and implemented, the integrity of the system is maintained.

Customer focus

The top management should ensure that the organization should have knowledge of the law and is aware of the customer’s expectations and is delivering. Knowing what can go wrong with what you are selling and providing and what opportunities you also have when you deliver this; opens doors, for example, to other workstreams; They should be making sure that the customer is happy.  Understanding customer specifications/ needs. Ensure you know exactly what the customer wants and documenting this from the initial inquiry to commissioning paperwork.

5.2  Policy.

Policy requirements are enhanced. A requirement is introduced that the quality policy is appropriate to the context of the organization and that it is applied throughout the organization. Write the policy to include:

• making sure it reflects your business size, ethos and what you are trying to achieve;
• how you will decide what you are going to achieve and how you will check this;
• committing to doing it the right way (e.g. in line with standards and best practice);
• committing to try to continually improve.

Tell everyone about it.

• Making sure it is written.
• Making sure people know it and understand it.
• Giving it to people who have an interest in your business (e.g. clients/suppliers/manufacturers/staff).
• Publishing it on your website.

The example includes written Quality policy, company induction, basic training, toolbox talks.

5.3 Organizational roles, responsibilities, and authorities.

The requirement for a Management representative is no longer specified. The duties previously assigned to that role may now be assigned to any role or split across several roles. The top Management must ensure that responsibilities are allocated across the organization to maintain the management system to make sure what is supposed to happen is happening. While allocating Roles, Responsibilities, and authorities, the organization must remember the customer at all times and the outcome of the business processes, and how they can be improved. Remembering to update the system as and when you change how you work or the intended process is amended. The organization must be defining job roles prior to recruitment, allocating job descriptions to personnel, and linking this to the processes within the business. For eg A sales administrator might be expected to have 12 months’ experience in writing quotations. When they join there would be a period of training and reinforcing this through a written job description. The output would be a more senior colleague reviewing quotes, confirming they are correct, and ensuring that the customer is being quoted for what they asked for. If a form or process is amended along the way advising the sales administrator and ensuring the new versions are applied.

6.0 Planning

The clause of Planning includes a) risks and opportunities, b) the setting of goals and objectives to achieve plans, and c) resources. It also requires a greater application of goals and objectives to integrate with the management system’s planning and operation to ensure the success of the organization. This clause must be considered along with Clause 4.1 ‘context of the organization’ and Clause 4.2 ‘interested parties. The first part of this clause concerns risk assessment whilst the second part is concerned with risk treatment. When determining actions to identified risks and opportunities these need to be proportionate to the potential impact they may have on the conformity of products and services. Opportunities could, for example, include new product launches, geographical expansion, new partnerships, or new technologies. The organization will need to plan actions to address both risks and opportunities, how to integrate and implement the actions into its management system processes and evaluate the effectiveness of these actions. Actions must be monitored, managed, and communicated across the organization. Another key element of this clause is the need to establish measurable quality objectives. Quality objectives must be consistent with the quality policy, relevant to the conformity of products and services as well as enhancing customer satisfaction. The last part of the clause considers the planning of changes that must be done in a planned and systemic manner. There is a need to identify the potential consequences of changes, determine who is involved when changes are to take place, what resource needs to be allocated.

Risk-based Thinking

The main objectives of ISO 9001 are to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services and to enhance customer satisfaction. The concept of “risk” in the context of ISO 9001 relates to the uncertainty in achieving these objectives. ISO 9001 incorporates risk-based thinking in its requirements for the establishment, implementation, maintenance, and continual improvement of the quality management system. Organizations may choose to implement a formal risk management program such as 31000 but are not compelled to do so. The concept of risk is built into the whole management system. Risk-based thinking is also part of the process approach.  Risk-based thinking can also help to identify opportunities. For risk-based thinking, the organization must understand any external and internal issues as given in clause 4 context of the organization. Risks and opportunities are determined in clause 6.1. Implementing Risk-based thinking also assures preventive action. One of the key purposes of a quality management system is to act as a preventive tool. ISO 9001:2015 does not have a separate clause titled preventive action. The concept of preventive action is controlled through risk-based thinking by managing risks and opportunities identified in clause 6.1

6.1 Actions to address risks and opportunities.

This sub-clause requires a risk-based approach. In addition to this clause, the reference to the terms ‘risk’ and ‘opportunity’ are made throughout the standard. Consider the issues determined in clause 4.1 and the needs and expectations of interested parties in clause 4.2 to determine your risk and opportunity. The organization should determine risks and opportunities to assure that that the quality management system can achieve its objective, prevent or reduce undesired effects, and for continual improvement. The organization shall plan actions to address risks and opportunities. The actions identified should be appropriate to its potential impact on the QMS. The action of risk and opportunities must be integrated and implemented into the QMS processes. The effectiveness of these actions must be evaluated.
NOTE: No formal risk management program is required.

Actions to address the risks – First, the organization should identify the risks and opportunities it wants to address. Then the organization must determine the severity of each risk and opportunity. Understanding the severity, the organization must plan action to address the risk and opportunity. This can be captured in the Risk plan. Plan how all the elements can come together,  and how it will be run, and a means of checking them, and that the plan is on track. Use risk methodologies to ensure that you apply things appropriately.  The greater the risk and the impact on the organization, the greater the control measures, planning, management, etc. If necessary, have a Plan B. Consider how an understood risk can be used in a positive way to look at other ways of doing things or other products.

6.2 Quality objectives and planning to achieve them.

No quality plan can be complete without having measurable quality objectives. An objective should include a description of who is responsible, what is the target, when is it planned to be achieved. Progress must be monitored. Also, requires objectives to be set for relevant processes. Ensure that whatever objectives you implement are SMART

• Specific
• Measurable
• Achievable
• Realistic
• Time-bound

Some  key rules are as follows:

• Make sure they comply with the law and industry standards.
• Make sure they conform with the products and services to make them better.
• Monitor your objectives periodically to check what you are doing.
• Tell the staff what they are and what you expect of them.
• Updated when the management changes something.

Keep records of this. This should be included in the customer SLA and planning should be in place to ensure you can resource this response rate. An example could be Understanding the total number of planned maintenance, the number of reactive maintenance to ensure you calculate the appropriate levels of resources. Organizations need to clearly understand how these will be realized. For example, if your aim is to provide national coverage, how will this be achieved? What resources will you allocate, recruiting staff countrywide? Who will manage it? Have you understood when it needs to be achieved and what will you do to check it is effective?

6.3 Planning of changes.

The clause lists items to be considered in change management. When some changes need to be made in the organization either in the product, service, or process, the impact of the change needs to be considered before a change is made. You will need to demonstrate that you have:
a) considered why are you changing it and what could happen when you make the change;
b) ensured that the QMS doesn’t get affected negatively, e.g. something can’t be done any longer once you have changed a process like you stop recording the number of quotes you are doing and therefore you don’t have an ability to review conversion rates;
c) thought about what you need to achieve it (e.g. people/technology, etc.);
d) considered what changes need to be made in the organization to make it happen.

7.0 SUPPORT

The SUPPORT clause includes most of the expected support processes that exist in an organization. Clause 7 ensures there are the right resources, people, and infrastructure to meet the organizational goals. It requires an organization to determine and provide the necessary resources to establish, implement, maintain, and continually improve the QMS. This requirement covers all QMS resource needs and covers both internal and external resources. There are additional requirements to meet applicable statutory and regulatory requirements. It continues to cover requirements for infrastructure and the environment for the operation of processes. Organizational knowledge is a requirement which deals with requirements for competence, awareness, and communication of the QMS. Organizations are required to examine whether the current knowledge they have is sufficient when planning changes and whether any additional knowledge is required. There is a key requirement for maintaining the knowledge held by an organization to ensure the conformity of products and services. This could include the knowledge held by an individual as well as for example, the intellectual property of an organization.  Personnel must not only be aware of the quality policy, but they must also understand how they contribute to it and what the implications of not conforming are.  The organization requires “documented information”. It includes the terms “documents” and “records”. Organizations need to determine the level of documented information necessary to control the QMS. This will differ between organizations due to size and complexity. In line with the increased importance of information security in organizations, there is also a greater emphasis on controlling access to documented information such as the use of passwords. Organizations should also have systems in place to provide a back-up should IT systems crash. Human resources are renamed as “competence”, and communication, which will require a new approach in most organizations, is given its own section rather than a mention as a management responsibility. Finally, document control has been renamed “documented information.” It now covers both procedure/document control and records control.

7.1 Resources.

The organization must determine and provided the resources needed for the establishment, implementation, maintenance, and continual improvement of the QMS. The organization must have the resources it needs to ensure the effective operation of the QMS. Resources may include raw materials, infrastructure, finance, personnel, and IT, all of which can be either internally or externally provided. The organization must have a clear understanding of:

• what an organization has in house and whether this is sufficient/fit for purpose to achieve its goals and objectives.
• what additional support might be needed externally.

For example Specialist skills that are better outsourced due to the size of the organization (e.g. security screening, health, and safety advice).

1) People

This standard expects an organization to determine and provide the appropriate number of personnel to effectively implement the QMS and for the operation and control of its processes. Allocation of staff in order to achieve the required outcome. This means determining that you have someone to carry out a specific process e.g. recruitment, screening, and training of staff. Dependent on the size of the organization this may be one or two people or a team. The senior management will need to determine the resource needed and maintain this. This will be about ensuring you have the right number of engineers or security officers to provide the service that you have quoted. This will depend on the specifics set out in the contract and terms. e.g. ensuring you have sufficient engineers to respond within 24 hours. Ensuring you have sufficient trained security officers to replace those who may be sick or on holiday.

2) Infrastructure

Essentially a company needs to consider all the things they will need in order to deliver a service and product to the customer. This may  be :

• buildings, water,  gas, electricity, etc.
• equipment such as e computers, operating systems, printers, software, monitoring equipment, etc
•  vehicles that may be needed for engineers, managers, sales and survey staff;
• information such as standards that have to be applied, the internet, mobile phones, tablets, etc.

3) Environment for the operation of processes

The environment for the operation of processes clause ensures that the organization determines, provides, and maintains an environment necessary for the operation of its processes and to achieve conformity. The term environment refers to the work environment and is used to describe the set of conditions in which employees perform their work and under which products and services are produced. Conditions can include physical, social, psychological, and environmental factors (such as temperature, lighting, recognition schemes, social and occupational stress, ergonomics, etc). It can also relate to conditions on how work is actually done (complex, repetitive, creative, interactive, team, etc.) in work processes and procedures. The standard makes reference to the environment that you work in and may include the following:

• Equality Opportunities, whistleblowing, the anti-bullying policy.
• Violence at work, counseling support, lone working.
• Office-based risk assessment, space, noise levels.

4) Monitoring and measuring resources

The organization needs to decide what tools it uses to measure organization performance. It also needs to consider whether these tools will give them everything they need as a result. You may use commissioning paper trail and or electronic processes. For eg to monitor Customer Service, you may take feedback after installing via phone call. Other organizations may have a CRM in place. Some of the Suitable measuring tools may be equipment that is used to test and commission systems such as multimeters, insulation testers, sound pressure level meters, etc. You may be required to do calibration of all the test equipment that you use.

5) Measurement traceability

Measurement traceability is the process of validating the equipment that will be used to measure products and resources. This will give the organization confidence that all measurements are completely correct. You need to establish whether this is relevant to you and meeting all applicable requirements for the product and services.

• Is it required to be calibrated?
• Allocated unique reference numbers and listed on a register of some sort.
• Allocated to personnel as and when needed and a clear process in place to ensure all staff knows how to use it properly.
• Able to identify calibration status
• Protected from an adjustment that could affect results of measurement
• Protected from damages during moving, repairs, or storage
• Non-conforming devices are checked against a conforming device

Organizations are expected to check results from calibration to ensure they are comfortable and have not been tampered with. You may have a Maintenance Register.

6) Organizational knowledge

The organization shall determine the knowledge necessary for the operation of the QMS, ensure the conformity of products and services, enhance customer satisfaction. As necessary the organization is responsible for maintaining, protecting, and making sure the knowledge is available. Knowledge is to be considered when making changes to the organization. Knowledge required depends on the size and complexity of the organization, the risks and opportunities it needs to address, accessibility of knowledge, the process for considering and controlling past, existing, and additional knowledge. As long as the conformity of products and services can be achieved, the balance between knowledge held by competent people and knowledge made available by other means is at the discretion of the organization. Consideration can be given to whether competent employees have this knowledge

7.2 Competence.

The organization needs to determine the necessary competence of its employees, and ensure those employees are competent on the basis of appropriate education, training, and experience. The organization must have a process for determining the necessary competence and achieving it through training or other means. Determining competence is a necessity in any organization. Working out on the skills your team has and the skills they don’t yet have and the skills they will need to achieve the company’s objectives. For example to achieve the objective of “Increase in sales”, you need to improve the competency of your sales team by training them.

7.3 Awareness.

The clause of Awareness is closely related to the clause of competence. Employees must be made aware of the Quality Policy and its contents. They must also be aware of how their personal performance currently impacts QMS and its objectives or may impact it in the future. They must understand the implications of positives or improved performance, and poor performance may be to the QMS. There is a greater focus on not just communicating the policy but to ensure that it is understood by all the employees and how it affects their work, especially if they deviate from it. They must understand what they contribute and how this can make the organization better. From a QMS point of view, the organization should look to explain policies more clearly so that the staff understands their meaning. It may useful to capture this on a training record,
For Quality Policy the employees:

• Read and understood = insufficient
• Understand companies aim = Yes
• Understand the company’s processes in which they are involved = Yes
• Understand their impact = Yes
• Understand they can have a positive effect = Yes
• Understand they can have a negative effect = Yes

7.4 Communication.

This clause includes both internal and external communication about the QMS. Processes for internal and external communication need to be established within the QMS.

The key elements of Communication that an organization must establish are

• what needs to be communicated?
• when it needs to be communicated?
• how it should be done?
• who needs to receive the communication? and
• who will communicate?

It should be noted here that any communication outputs should be consistent with related information and content generated by the QMS for the sake of consistency. This is a straightforward clause and is simply about effectively communicating to all those within the organization and those affected by it. Internal communications  can include briefings to staff on:

• new policies;
•  new or amended objectives;
•  new or  amended strategies;
• new clients;
• new or amended technology;
• new products;
• issues with suppliers;
•  anything that will have an impact on them.

Designate a person responsible for updates that may be either department heads or Top Management.

7.5 Documented information.

The term “documented information” in the ISO 9001 is basically a combination of the two terms “documents” and “records”. “Documents”, “Documentation” and “Records” are combined to become “Documented information”. It refers to all of the important information within the organization that must be kept organized and controlled. It is a requirement to determine, make available, and maintain knowledge.  It mentions issues such as confidentiality, access, and data integrity. The organization may adopt information security due to the increasing use of electronic documents/data. Documented procedures (e.g. to define, control, or support a process) are now expressed as a requirement to maintain documented information. and records are expressed as a requirement to retain documented information. The current version  ISO 9001 does not require a quality manual or documented procedure as Annex SL does not require documented procedures or a quality manual. The requirements for documented information are spread throughout the standard. In summary, they are:

• 4.3 Scope of the QMS
• 4.4  Support operation of its processes and need for confidence.
• 5.2.2 a) Quality policy
• 6.2.1 Quality objectives
• 7.1.5.1 Monitoring and measuring resource – fitness for purpose
• 7.1.5.2 Basis used for calibration or verification
• 7.2 d) Evidence of competence
• 7.5.1 b) Documented information determined by the organization as being necessary for the effectiveness of the QMS
• 8.1 e) Extend necessary (for confidence in processes and product/service conformity)
• 8.2.3.2 Review of requirements related to products and services
• 8.2.4 Amended documented information
• 8.3.2 Design and development requirements met
• 8.3.3 Design and development inputs
• 8.3.4 Design and development control activities
• 8.3.5 Design and development outputs
• 8.3.6 Design and development changes/results of reviews etc.
• 8.4.1 Results of evaluations, monitoring, re-evaluations of external providers
• 8.5.1 a) Characteristics of the products/services, activities to be performed, and result achieved.
• 8.5.2 Maintain traceability
• 8.5.3 Reports on what has occurred
• 8.5.6 Control of changes – results of reviews, personnel authorizing, necessary actions
• 8.6 Release of products and services – traceability of person(s) authorizing release, evidence of conformity
• 8.7.2 Describes nonconformity, actions taken, concessions, authority
• 9.1.1 Evidence of the monitoring and measurement results
• 9.2 f) Evidence of the audit program  and the audit results
• 9.3.3 Evidence of the results of management reviews
• 10.2.2 Evidence of the results of any corrective action and the nature of the nonconformity

8.0 Operation

 This clause deals with the execution of the plans and processes that enable the organization to meet customer requirements and design products and services. It places a greater emphasis on the control of processes especially planned changes and review of the consequences of unintended changes, and mitigating any adverse effects as necessary. The standard acknowledges the trend towards greater use of subcontractors and outsourcing. This is demonstrated by the requirement to establish criteria for monitoring the performance of these parties in addition to keeping records used to establish selection criteria. The Clauses cover the requirements for products and services. It requires communication with regards to contingency actions where required and also the treatment of customer property. Plan, implement, and control processes need to meet requirements for products and services.

These clauses ensure requirements for products and services are defined and claims for products and services offered are met. It establishes, implements, and maintains an appropriate design and development process. It also ensures externally provided processes, products and services conform to requirements. Production and service provision must be under controlled conditions (identification, verification, and validation). Products and services are not to be released until planned arrangements are completed. Nonconforming outputs are to be identified and controlled. When determining the extent of these activities organizations must consider the risks associated with a product or service, customer requirements, customer feedback, and any statutory requirements.

8.1 Operational planning and control.

In order to meet the requirements for the delivery of products and services, the organization needs to plan, implement, and control its processes. The first step is to determine the requirements for products and services, meaning what features the product or service will have. Then, the organization needs to define how processes will be performed and what criteria the product or service needs to meet to be accepted for release. Finally, the organization needs to determine the resources needed for the processes and the records needed to demonstrate that the processes were carried out as planned. Once they have done their planning for what they are going to sell, they then must plan the detail of how this can be done operationally. The organization may need to :

• Set up supplier accounts/trade accounts.
• Purchase stock.
• Ensure staff have the correct skills and understand the process.
• Purchase tools and vehicles.
• Make sure you have enough staff.
• Issue clear instructions, drawings, procedures risk assessments to enable them to do the job.

The organization needs to show clear control of the process. They will be expected to check that delivery is as expected and when there are deviations that this is managed and negative impacts controlled. The same control should be applied to subcontractors.

8.2 Requirements for products and services.

Requirements for products and services are closely related to communication with customers. This communication must include information related to the products or services, handling inquiries, contracts or orders, customer feedback, handling and controlling customer property, and, if needed, establishing specific requirements for contingency actions. Before offering the product or service to the customer, the organization needs to ensure that the requirements for the products and services are defined and that the organization is able to deliver such products or services. Requirements for products and services include any applicable legislation and the requirements that the organization considers being necessary. After receiving the order, the organization must, prior to delivery, review the requirements related to the product and keep records about the review. If the customer changes its requirements, these also must be reviewed and recorded. In case of changes, the organization must ensure that all documented information is amended and all relevant persons are aware of the changes.

1 Customer communication

This is essentially about how you relate to the customer, to include:
a) what you are selling;
b) how they can expect to be dealt with (e.g. formal quote/email/letter/terms you will work under/within);
c) getting feedback from the customer;
d) looking after their property (e.g. premises whilst you are in there);
e) what plans you put in place for if something goes wrong.

Ensuring the customer has a clear written quotation and specification relating to the services they want. Allocating a specific person/manager to the customer so that they have one key contact for all communication; that way, positive and negative feedback is captured and dealt with. you must give useful information about your products/services. you must provide some mechanism to have your customers ask about the products/services and e a way for customers to inquire about your invoices and fees. The customer must have a way to ask about changes. There should be a way to collect customer complaints and a way to collect feedback. If your customers provide their property as a part of your product/service, they must be able to understand how it is handled. If there are any risks associated with your product or service, your customer must be told of them and how they are handled

2) Determining the requirements for products and services

Organizations need to be clear about what is required in order to sell their products and services. You must review customer requirements before committing to supply the product or service. You need to take into account a few things here. You must consider:

• Delivery
• Installment
• Service
• Warranty
• Applicable acts and regulations
• What to do when providing verbal contracts.
• for legal and industry norm;
• elements the organization determines as necessary for their own needs.

Once all that is considered and reviewed, you need to formally accept the requirements with confirmation back to the customer of what you are going to deliver and when. You need to keep documented information on this review. The organization must be able to deliver what it is selling. Liaise with suppliers, attend open days, read the product literature.

३) Review of the requirements for products and services

Organizations are expected to review whether they can provide what they intend to sell. This review must include taking into account:
a) what the customer orders, the install and any after work, e.g. maintenance / follow up / servicing;
b) elements that need to be completed to ensure the job is fitted correctly – meter reading tests / commissioning forms / standard operational check;
c) anything else the company need to implement;
d) legal and industry standards
e) any variations. If the customer has changed their order, this needs to be defined and the customer must accept this change if they haven’t already confirmed it in writing.

Reviews must be documented. If they want to use new products and services, this must be recorded. Customers should be made aware of the impact of changing products and services, etc. Organizations may choose to do a contract review either using paper or electronic documents, confirmation emails, quote proposals, etc. It must also record any change in technology you might use.

4 ) Changes to requirements for products and services

If there is any change in the Customer order, this needs to be tracked and documented. Someone in the organization who is responsible for executing the customer order must ensure that all related departments related to executing the order are aligned. You should seek and record evidence that your organization has ensured that all relevant documented information relating to changed product or service requirements, is amended and that relevant personnel is made aware of the changed requirements.  Define your organization’s arrangements for amending documented information and communication of changed requirements e.g. updated contract review records, amended orders/contracts, memos, change notices, quality plans, meeting minutes, together with communication to relevant interested parties (persons within or outside the organization that may be impacted by the change).

8.3 Design and development of products and services.

This clause refers to design and development management, from the initial idea to the final acceptance of the product. The definition of design is “a plan or drawing produced to show the look and function or workings of a building, garment, or another object before it is made.” Putting it simply if the organization is creating something be it a tangible product or intangible service, there will certainly be an element of Design. ISO 9000 explains that the terms “design” and “development” are often used as synonyms, and defines the different phases of overall design and development. This means that design can’t be used apart from development and that they represent one single process. During design and development planning, all its phases must be defined with appropriate activities of review, verification, and validation for each phase. ISO 9001 refers to the design and development of the product and not to the design and development of processes. Design and development inputs requirements relate to the product include:

• Functional requirements and product performance requirements
• Legal and regulatory requirements for product
• Information from previous similar projects
• Other requirements relevant to design and development, usually customer requirements, market information, package, etc.

Design and development outputs must be in a form suitable for verification related to input elements and must be approved before acceptance. They can be in the form of a drawing, engineering documentation, plans, etc. The organization also needs to define design and development review activities. The purpose of these activities is to determine whether the design and development process goes in the intended direction. The review must be done in appropriate phases and at the end of the project. The review identifies problems during design and development and suggests actions to resolve them. It can include other interested parties. The design and development review must be recorded. Also, the company needs to identify, review, and control changes during the design and development of products and services. A record should be kept regarding the changes, results of reviews, authorization of the change, and actions taken to prevent adverse effects.

The steps involved in Design and Development includes

1. Planning – The organization must have a plan on how to do the design and development. A design and development plan which will have the project timescales, deliverables, responsibilities of team & individuals, persons of authority for sign-off for an internal, or external customer, design reviews at a relevant phase in the project e.g. start, confirmation of inputs, post verification, post validation, finish, etc., resources required throughout the project, communication with subsequent process owners, and required controls throughout the project and intended use of the output.
2. Inputs – there are many inputs to the process. The inputs may be:
   1. The requirements from the customer like what do they want to achieve and what are their needs & expectations
   2. The parameters & constraints of designs e.g. materials, dimensions, functionality, life cycle, sustainability, etc.
   3. The statutory and regulatory requirements or codes of practice like product and safety directives, building regulations, etc
   4. availability of information from previous designs like a review of learnings – good/bad/potential improvements, etc.
3. Controls – It is a critical step in Design and Development. It helps the organization to determine how the results to be achieved such as what are the project deliverables, how will they be achieved and how will they be measured (acceptance criteria). The reviews have to be conducted throughout the project as mentioned above at the relevant phase in order to meet the input requirements.
4. Verification – Verification helps to establish that the product or service is being designed/developed as intended in relation to the input requirements. This can be done through different types of testing (e.g. prototype, proof, demonstration, inspection, analysis, or acceptance).
5. Validation – The product or service that has been designed or developed that it must fulfill the requirements of its intended use, most likely reviewed once the deliverables have been achieved. For example testing under operating conditions, in order to validate that the product/service meets the customer’s requirements and covers all outputs, including potential risks of use. Conducting reviews post verification and validation in order to iron out any potential issues – these are all critical requirements of design and development controls and must be documented.
6. Outputs – It is the outcome of the Design and Development process. Typical examples of outputs include conceptual designs, technical/engineering drawings, product specifications, manufacturing instructions, bill of materials, information for purchasing, and other subsequent processes.  The output must meet the input requirements ie it has achieved the intended results. The organization must determine that they can move forward in the project using the outputs, and must confirm any necessary equipment for measuring and/or testing and the acceptance criteria.
7. Changes – The organization must have an established formal process for controlling design and development changes throughout the project and during reviews. The changes have to be documented and the results of design and development reviews communicated. There has to a person of authority to authorize the changes. The process must include a mechanism to identify the most up-to-date revisions and mitigate the risk of using superseded versions, Examples of this can be version no /revision no /authorization control on drawings, a design/drawing register, engineering change notes, etc.

8.4 Control of externally provided processes, products, and services.

This clause refers to purchasing. The purchasing includes products and services you acquire from suppliers and outsourced processes. ISO 9001:2015 expresses “suppliers” and “Outsourcing” as external providers of products and services. “Purchasing” and “Purchased products” are referred to as “Externally provided products and services”. Clause 8.4 Control of externally provided products and services addresses all forms of external provision, whether it is by purchasing from a supplier, through an arrangement with an associate company, through the outsourcing of processes and functions of the organization, or by any other means. The organization needs to establish and document criteria for suppliers’ selection, which includes how crucial the purchased product or service is to the quality of your product. The results of the supplier evaluation must be recorded.  The organization is required to take a risk-based approach to determine the type and extent of controls appropriate to particular external providers and externally provided products and services. In order to ensure that externally provided processes, products, and services do not have an adverse effect on the conformance of the organization’s products and services, the organization needs to establish controls including verification and other activities. As part of the controls, the organization needs to communicate to external providers its requirements for:

• the processes, products, and services to be provided
• the approval of methods, processes, and equipment
• Competence
•  verification or validation of the activities that the organization intends to perform

1. Type and extent of control

The organization must evaluate the critical suppliers against a fixed set of criteria. The criteria can include technology, Quality, Responsiveness, Delivery, Cost, Environmental impact. As they use these suppliers they will need to monitor their performance against its requirements. It takes some effort to ensure that the suppliers are performing, but it is time and resources very well spent. As they regularly talk with critical suppliers about the issues and requirements a relationship will be built, one which will be mutually beneficial in the long-term. The organization must ensure outsourced processes are controlled. It must define the controls for the supplier. These controls could be defined through purchase orders, in agreements, or in contracts. In addition, it needs to control the actual product or service they purchase. It could ask for a certificate of conformance, or a test report, or a third-party test. The organization doesn’t require to have “one-size-fits-all” controls for all suppliers. For the critical suppliers that have a significant risk to the organization, they need to put tighter controls in place. For others – not so much. Also, they must ensure that suppliers meet local laws and regulations. Also, they need to inspect the product or service from the supplier.

 2. Information for external providers

This is about ensuring that third-party suppliers and subcontractors have a clear understanding of what they are expected to supply. This is typically done with a purchase order but it could also be by contract or agreement. Other methods of spelling out requirements for suppliers can be inspection and test plans, work briefs, statements of work, and even forecasts.

8.5 Production and service provision.

An expansion on previous requirements e.g. documented information to specify intended results and to determine the nature and extent of any post-delivery (after-sales) activities. The production and services provision process needs to be performed under controlled conditions that will ensure that the product or service delivered is compliant with initial requirements. This includes a sufficient level of documentation, like procedures, work instructions, and records, monitoring and measurement equipment, appropriate infrastructure, etc. The organization must use suitable means to identify outputs when it is necessary to ensure products and services conformance. When traceability is a requirement, the organization needs to control the unique identification of outputs and retain documented information necessary to enable traceability. In cases when the organization uses property belonging to a customer or external provider, it is required to identify, verify, protect, and safeguard this property. When the property of the customer or external provider is lost or damaged, the organization will have to report to the owner and retain documented information on what has occurred. The decision on the extent of post-delivery activities will be affected by the following:

• statutory and regulatory requirements
• potential undesired consequences related to products and services
•  lifetime, use, and the nature of the products and services
•  customer requirements and feedback.

In case of changes in the production and service provision process, the organization must review and control the changes in order to ensure continuing conformity with the requirements.

1. Control of production and service provision: The organization must carry out the activities to provide products or services under controlled conditions. The common controlled conditions that should be used include documented information for products and services, suitable monitoring and measurement resources (including equipment), suitable infrastructure and environment, competent persons, validation of the ability to achieve results, actions to prevent human error, and activities controlling product release, delivery, and post-delivery. As with all other processes, these do not need to be documented procedures unless non-conformances would occur if the procedure was not written down.
2. Identification and traceability: Many industries, such as the food, aerospace, and automotive industries, require the ability to have specific identification of items, and the ability to trace the elemental parts that make up the items. This is normally used when there is a failure of an internal component and you want to know what other items contain components from the same batch of parts. In short, when this is appropriate it needs to be controlled. The organization must also have a method of telling the status of a product or service through the operation process. For example, is a piece of software tested for functionality, is a product tested and ready for use, or is a service ready to be used?
3. Preservation: For products or services, there is a need to use proper handling throughout the process to make sure it does not degrade, including through delivery to the customer. These actions will vary widely depending on the product, but could include such things as reducing moisture exposure on metallic parts that could rust, ensuring electronic media storage is maintained so that a software program is not degraded during delivery to the customer, proper cleaning of parts that are affected by contamination, marking and labeling for safety warnings, and using stock in order of receipt (often called first in-first out or FIFO) for stock that can degrade over time.
4. Property belonging to customers or external providers: This requirement is very important if the organization uses the customer or supplier property. It can come in many forms such as piece parts that will become part of the delivered product, special equipment to perform specific testing for the customer, or even proprietary information that is needed to use to design and deliver the product or service. When a customer or other party has given any property to use in supplying their needs, it is needed to control that property from unintended use and have a way of dealing with that property with external party involvement should there be a problem with it. Records of this activity need to be maintained to show accurate records of customers or external property. In fact, personal data that is provided by the customer and supplier would also need protection.
5. Post-delivery activities: Sometimes there is a need to perform activities on the product or service after it has been delivered to the customer. While the requirements for what needs to be done can vary greatly from one product or service to another. The organization needs to consider statutory and regulatory requirements, any undesired consequences of the product once in use, the nature and lifetime of your products and services, customer requirements, and customer feedback. Taking these into account will give you an idea of what needs to be done after delivery, such as warranty provisions, maintenance services, or even recycling and final disposal services.
6. Control of changes: The organization must implement a process for responding to unplanned changes that are considered essential in order to ensure that products or services continue to meet their specified requirements, in such a way that conformity with requirements is maintained. Changes should be documented and information retained about the changes, including who authorized the change and the actions arising from the change. The organization should make changes in a thoughtful manner and to consider the potential impact to other process, products and possibly the customer. Key items to consider are:
   • Is the impact of the change evaluated to determine its affects to work in process or products already delivered?
   • What process control documentation (procedures, travellers, forms, etc.) will need updating as the result of change to be implemented?
   • Was the change approved prior to implementation including, where applicable, approval by the customer, statutory or regulatory authority?
   • Does retained documented information indicate the source of change and information on necessary actions and approvals?

8.6 Release of products and services.

The release of the products and services shouldn’t be performed until the organization ensures that the products and services are conforming to the requirements. Demonstrating the conformance can be done by documenting evidence of the conformance, which includes criteria for the acceptance and information about the person who authorized the release of the product or service. Just ensure you implement checks that the product and service are delivered as expected (e.g. commissioning paperwork, customer satisfaction/feedback, and signatures).

8.7 Control of nonconforming outputs.

Nonconforming outputs must be prevented from unintended use or delivery, so the organization must identify and control nonconforming outputs that emerge from any phase of production or service delivery. Depending on the nature of the nonconformity, the organization can take one or more of the following actions:

• correction
• segregation, containment, return, or suspension of the provision of products and services
• informing the customer
• obtaining authorization for acceptance under concession

Conformity to the requirements must be verified when the nonconforming output is corrected. The organization also needs to keep documented information that describes the nonconformity, the action taken, concessions obtained, and the authority deciding the action with respect to the nonconformity. You do not need a documented procedure any longer to detail how you will deal with things that go wrong but you do need to do the following:

1. Fix it.
2. Remove it if necessary.
3. Tell the customer.
4. Ask them to accept it.

You should record what you do when things go wrong:

1. About what is wrong.
2. what you did as a result.
3. What concessions you gave? (e.g. did the customer accept it but you altered the cost)
4. Who had the authority to make the change?

9.0 Performance Evaluation

The section on evaluation includes monitoring, measurement, and analysis, internal audits, and management review.  Requirements for monitoring, measurement, analysis, and evaluation are covered and you will need to consider what needs to be measured, methods employed, when data should be analyzed and reported on, and at what intervals. Documented information that provides evidence of this must be retained. There is now an emphasis on directly seeking out information that relates to how customers view the organization. Organizations must actively seek out information on customer perception. This can be achieved in a number of ways including satisfaction surveys, analysis of market share, and complaints lodged. There is now an explicit requirement that organizations must show how the analysis and evaluation of this data are used, especially with regards to the need for improvements to the QMS. As with other ISO standards, Internal audits must also be conducted. There are requirements relating to defining the ‘audit criteria’ and ensuring the results of the audits are reported to ‘relevant’ management’. Management reviews are required. Documented information must be retained as evidence of management reviews.

9.1 Monitoring, measurement, analysis, and evaluation.

There is a new requirement to obtain information relating to customer views and opinions of the organization. This requirement should not be equated with the requirement for managing equipment for monitoring and measuring from clause 7.1.5 of the standard. This is about a wider aspect of monitoring and measuring. Information derived from monitoring, measurement, and analysis represents inputs in the process of improvement and management review. The organization needs to determine what needs to be monitored and measured, how, and when, as well as when the results will be analyzed. It is required to measure your own performance as a supplier in order to get information about user’s observations, and the extent to which you fulfilled their requirements. Monitoring customer satisfaction levels must be constant activity in order to determine trends, and because opinions about your performance can change. Information about customer satisfaction can be collected via phone, interview, or questionnaire, direct contact with the user on the field, etc. Once the monitoring and measuring are performed and the results are gathered, the organization needs to analyze the results in order to evaluate the conformity of products and services, degree of customer satisfaction, the performance of the QMS, the effectiveness of actions taken to address risks and opportunities, the performance of external providers, and need for improvements to the QMS.

9.2 Internal Audit.

There continues to be a need to carry out internal audits and to do it effectively. The goal of an internal audit is not to determine nonconformity; its goal is to check whether your QMS:
a) complies with the requirements of ISO 9001 and the requirements of your organization
b) is effectively implemented and maintained
There is no need for an internal audit procedure but it may be useful to keep it. You do need to define audit criteria. There is more emphasis on how they are done, how feedback should be taken, and audits being corrected in a reasonable time to fix non-conformances identified. Ensuring that all the right people are included in the audit outcome. At the end of the audit, you will get audit results by evaluating the data you collected during the audit. Audit results can be manifested as positive, recommendations for improvements, and nonconformities (major and minor). Verification of actions taken to fix the non-conformity may be needed, and in that case, the next step is a follow-up audit. The audit schedule must take customer feedback into account. The organization can determine the technique of doing internal audits and the length of the intervals between the two audits is up to you. They can decide how the organization conforms to the requirement of QMS and that of ISO 9001. The organization can determine the manner by which it can maintain the system. To conduct the audit the organization must:

1. Plan approach to internal audits based on the importance of the processes.
2. For each audit, work out the scope of what will be covered. You can’t audit 100% of the process, but you do need to cover enough to be satisfied that the important issues have been captured.
3. Make sure the auditors are independent of the process under audit.
4. Report all findings to the relevant managers so there aren’t any surprises.
5. Ensure that the corrective actions from the audit are dealt with.
6. Retain the audit results in a document.

9.3 Management review.

A Management Review is a formal, structured meeting that involves top management and takes place at regular intervals throughout the year. They are a critical and required part of running an ISO 9001 Management System.

The purpose of a Management Review meeting is to review and evaluate the effectiveness of your Management System, helping you to determine its continued suitability and adequacy.  At least once a year, the top-level management must review the QMS in order to determine its:

• Appropriateness – does it serve its purpose and satisfy the needs of the organization?
• Adequacy – does the QMS conform to standard requirements?
• Applicability – are activities performed according to procedures?
• Effectiveness – does it accomplish the planned results?

This review must evaluate possibilities for improvement and needs for changing the QMS, Quality Policy, and objectives. Considering the inputs for the management review, such as the results of the previous management reviews, changes in the context, customer satisfaction survey results, performance of the QMS and suppliers, etc., the top management must make decisions regarding opportunities for improvement, need for changes in the QMS, and resources needed for the upcoming period. A Management Review also ensures that all levels of management are made aware of any changes, updates, revisions, etc. to the day-to-day workings of the Management System itself. The organization will need to decide when it will take place, what will be discussed, and who should attend. You must document when the meetings have occurred and what has been discussed. A Management Review should cover the following topics:

• Discussion on the status of any issues from the previous meeting.
• Changes to external and internal issues that affect the Management System.
• Examination of the performance of the Management System.
• Review of available resources and their adequacy.
• Examination of how effective the actions are taken towards identified risks and opportunities were.
• Identification of further opportunities for improvement.

The inputs to the Management review should be:

• Minutes of previous Management Review meeting
• Management System documentation
• Internal and External Audit Reports
• Relevant records (including customer feedback, corrective action log, etc.)
• Register of Legal and other requirements
• Complaints analysis
• Corrective and preventive actions and close-out of Management Information Reports
• Policies review

In order to keep improving your Management System, you need to be looking for trends both inside and outside of the organization.  Consider looking for trends in the following areas:

• The requirements of external interested parties
• Compliance to legislation, regulations, and other requirements
• Changes to products, services, and processes
• Customer satisfaction and complaint records
• Non-conformances and the effectiveness of any corrective actions taken in response

The output to the management review includes decisions and actions related to:

• Any opportunities for improvement within the organization
• Any changes to the Management System, processes, or policies that are required
• Any revisions to company objectives or Key Performance Indicators (KPIs)
• Any amendments to business plans or budgets
• Any changes to the resources that are needed for the smooth running of the Management System

These types of changes affect day-to-day operations so it is important to keep staff informed of these changes as this will ensure that your Management System is operating effectively.

10.0 Improvement

Improvement covers nonconformity and corrective action, as well as continual improvement, all of which are outlined in clause 8 of the current standard. Preventive action is replaced by “risk” under the clause of planning – improvement is now defined as a proactive planning activity. This clause starts with a new section that organizations should determine and identify opportunities for improvement such as improved processes to enhance customer satisfaction. There is also a need to actively look for opportunities to improve processes, products and services, and the QMS, especially with future customer requirements in mind. However, there are some corrective action requirements. The first is to react to the nonconformities and take action, as applicable, to control and correct the nonconformities and deal with the consequences. The second is to determine whether similar nonconformities exist or could potentially occur. The requirement for continual improvement has been extended to cover the suitability and adequacy of the QMS as well as its effectiveness, but it no longer specifies how an organization achieves this.

10.1 General.

Your organization should actively seek out and realize improvement opportunities that will better enable it to achieve the intended outcomes of its management system. Potential sources of improvement opportunities include the results of analysis and evaluation of quality performance, compliance, internal audits, and management reviews. The actions for improvement can be in the form of corrective actions, training, reorganization, innovation, and so on. Improvement can be achieved through corrective actions. It can be achieved incrementally over time by a step change. It can be a breakthrough process achieved through innovation or by reorganization and transformation. There is now a requirement for organizations to focus clearly on customer satisfaction and customer needs, not only that but to look for ways to improve:
a) products and services, now and for the future.
b) fixing and controlling issues to reduce things going wrong.
c) improving the QMS.
No requirement for a procedure on preventive action. This term is removed.

10.2 Nonconformity and corrective action.

Any nonconformity needs to be reacted upon by taking actions to control it and deal with the consequences. Once identified, a nonconformity should trigger a corrective action in order to remove the cause of the nonconformity and prevent its recurrence. The effectiveness of actions taken must be evaluated and documented, along with the originally reported information about the nonconformity / corrective action and the results achieved. We must also record the nature of nonconformities. On discovering a nonconformity, an explicit requirement is introduced for organizations to determine whether other similar nonconformities actually exist, or could potentially exist.

When something goes wrong you must:

1. react to it by
   • do something / take action / fix it;
   • deal with the impact it had (e.g. upset customer).
2. evaluate what went wrong to prevent it from happening again and check there are no other similar issues that could happen.

The Key now is to update risks and opportunities. Keep records of all non-conformities, what you did to resolve them, implement additional measures, etc.

10.3 Continual improvement.

Continual improvement is a key aspect of the QMS, to achieve and maintain the Quality Management System’s suitability, adequacy, and effectiveness regarding the organization’s objectives. There is now a clearer expectation for organizations to use data from monitoring and measuring to review the organization’s performance and that of the QMS. Organizations should use this information, analyzing it and ensuring that the QMS is adequate for the organization. The impetus for continual improvement must come from the use of as a minimum:

• Policies;
• Risks and opportunities;
• Objectives;
• Analysis and evaluation of data;
• Audit results;
• Management review;
• Non-conformity and corrective action.

Consider using the PDCA cycle (Plan, Do Check, Act) to guide your continuous improvement efforts. Once you’ve identified the improvement action to take, you cycle through the PDCA phases by planning the action (plan), implementing what is planned (do), monitoring the process and reporting results (check), and taking any further actions to improve if necessary (act).

Back to Home Page

If you need assistance or have any doubt and need to ask questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comment and suggestion are also welcome.