The initial audit of the new ISO 9001:2015 QMS should proceed as any standard audit. An agenda should be created that reflects the areas where the new additions affect the QMS and the interplay of the new additions in existing sections of the standard (i.e. the association and assessment of risk throughout the QMS).
The auditor should possess a new checklist that emphasizes the new additions as well as the enhanced sections of the new standard. Many of the sections of ISO 9001:2015 are enhanced versions of their counterpart sections in ISO 9001:2008. Special attention should be paid to these enhancements because they may encompass new required conduct or add to the requirements of a particular process step.
For example, consider section 4.1, Understanding the organization and its context. The standard requires that the organization determine the external and internal issues that are relevant to its purpose and strategic direction and that affect its ability to achieve the intended results of its QMS. These determinations, as well as those under section 4.2, Understanding the needs and expectations of Interested Parties, should be documented in some form. Lack of documentation can cause confusion, make objective evidence gathering difficult, and could lead to findings on the auditor’s behalf if he/she is unable to adequately observe the required determinations. While some organizations may push back against required documentation of procedures, etc., it is highly recommended that processes and procedures be documented in some form to ease the transition process and provide a foundation for objective evidence to be readily available to all parties that may request or need it.
The audit checklist should specifically break down all required conduct (documentation) in each section of the new standard. This will allow the auditor to focus on what to look for and observe as evidence of an organization’s compliance with the new and required conduct under the new standard. The auditor should look not only for documented processes and procedures but also at how the organization is documenting required conduct, i.e., how the organization documents or shows that it is ensuring compliance with the new standard. Objective evidence can take many forms but must evidence compliance with the required conduct or a finding may (and probably should) occur.
A good example of this is how the organization has defined and assessed risks and opportunities (Sections 6.1.1 and 6.1.2).
- Has the organization documented its internal process for this requirement?
- Has the organization assigned risk priority numbers to a particular, pre-defined risk?
- How did the organization justify its risk priority numbering system?
- How does the organization monitor and measure its risk?
- How is risk defined and integrated in the operations of the organization?
- What type of documentation, if any, exists as objective evidence of the aforementioned activities?
These are samples of the types of questions an auditor should employ to find objective evidence that the organization is complying, or attempting to comply, with the requirements of the new standard.
If the organization does document its processes and procedures, as well as a quality manual, the documentation of these should be substantial in content and not simply a structured re-hash of the language contained in the new standard.
The organization should set forth its required compliance steps and delineate specifically:
- what it intends to do,
- who is responsible for required conduct,
- how the conduct is monitored and measured, and
- how leadership is informed of the results of the aforementioned.
This, coupled with the organization’s monitoring of its processes, should afford the auditor a trove of evidence with which he/she can document compliance on the organization’s behalf.
Corrective Action on Internal Audit Findings
Corrective action should be taken on all findings as quickly as possible so the organization can operate for a minimum period of three months after performing the Internal Audit and gather data on its QMS operations under the new standard. Remember: the organization should be operating an ISO 9001:2015 system at least 4-6 months prior to an upgrade of its QMS by the organization’s registrar.
The organization should contact its registrar as soon as is practicable so an audit date may be scheduled for its transition from ISO 9001:2008 to 9001:2015.
Caveat: It should be noted that registrars are most likely to have heavy audit schedules after the beginning of 2018 and this could lead to problems if the organization waits for an undue amount of time before attempting to schedule the upgrade audit of its new QMS.