ISO Audit Checklist For Training Department Strategic Plan
Questions about context are usually directed at top management or the person leading the QMS (formerly known as the management representative). As an auditor, you’re looking for a clear examination of forces at work within and around the organization. Does this sound broad and a little vague? Thankfully the standard provides some guidance, saying that context must include internal and external issues that are relevant to your organization’s purpose, strategy, and goals of the QMS.
Many organizations will probably use SWOT analysis (strengths, weaknesses, opportunities, and threats) to help get their arms around context, but it’s not a requirement. What the organization learns with this will be a key input to risk analysis. (NOTE: Not everybody will understand the term ‘context.’ Be prepared to discuss the concept and describe what ISO 9001:2015 is asking for.)

Who are your interested parties and what are their requirements? The natural follow-up to context is interested parties, found in section 4.2. The term 'interested parties' has a bizarre, stalker-like ring to it, so smart auditors might want to replace it with 'stakeholders.' Remember, effective auditors try to translate the arcane language of ISO 9001:2015 into understandable terms that auditees can grasp. Typical interested parties are employees, customers, suppliers, business owners, debt holders, neighbors, and regulators. As an auditor you’re making sure that a reasonable range of interested parties has been identified, along with their corresponding requirements.
The best way to audit this is as an exploratory discussion. Ask questions about the interested parties, and probe what they’re interested in. If you’ve done some preparation in advance of the audit, then you’ll know whether their examination of interested parties is adequate. That brings up an important planning issue: You will have to do a bit more preparation before an ISO 9001:2015 audit. So you’ll have a grasp of context and interested parties. How can you evaluate their responses if you don’t know what the responses should be?
What risks and opportunities have been identified, and what are you doing about them? Risks and opportunities could accurately be called the foundation of ISO 9001:2015. No fewer than 13 other clauses refer directly to risks and opportunities, making them the most “connected” section of the standard. If an organization does a poor job of identifying risks and opportunities, then the QMS cannot be effective, period. Auditors should verify that risks and opportunities include issues that focus on desired outcomes, prevent problems, and drive improvement. Once risks and opportunities are identified, actions must be planned to address them. ISO 9001:2015 does not specifically mention prioritizing risks and opportunities, though it would be wise for organizations to do this.
Risks and opportunities are limitless, but resources are not.

What plans have been put in place to achieve quality objectives? Measurable quality objectives have long been a part of ISO 9001. What is new is the requirement to plan actions to make them happen. The plans are intended to be specific and actionable, addressing actions, resources, responsibilities, timeframes, and evaluation of results.
Auditors should closely examine how the plans have been implemented throughout the organization, and who has knowledge of them. Just as employees should be aware of how they contribute to objectives, they should be familiar with the action plans.

How has the QMS been integrated into the organization’s business processes? In other words, how are you using ISO 9001:2015 to help you run the company? This is asked directly of top management (see section 5.1.1c) and is a very revealing question. The point is that ISO 9001 is moving away from being a quality management system standard and becoming a strategic management system.
It’s not just about making sure products or services meet requirements anymore. The standard is about managing every aspect of the business. Remember sections 4.1 and 4.2 of ISO 9001:2015? There we examined the key topics of context and interested parties. These concepts touch every corner of the organization, and this is exactly how ISO 9001:2015 is intended to be used.
Top management should be able to describe how the QMS is used to run the company, not just pass an audit.

How do you manage change? This topic comes up multiple times in ISO 9001:2015. The first and biggest clause on the topic comes up in section 6.3. Here we identify changes that we know are coming, and develop plans for their implementation. What kind of changes? Nearly anything, but the following changes come to mind as candidates: new or modified products, processes, equipment, tools, employees, regulations. The list is endless. An auditor should review changes that took place, and seek evidence that the change was identified and planned proactively.
Change that happens in a less planned manner is addressed in section 8.5.6. Here the auditor will seek records that the changes met requirements, the results of reviewing changes, who authorized them, and subsequent actions that were necessary.

How do you capture and use knowledge? ISO 9001:2015 wants organizations to learn from their experiences, both good and bad. This could be handled by a variety of means: project debriefs, job close-outs, staff meetings, customer reviews, examination of data, customer feedback. How the organization captures knowledge is up to them, but the process should be clear and functional.
The knowledge should also be maintained and accessible. This almost sounds like it will be “documented” in some way, doesn’t it? That’s exactly right.
One way to audit this would be to inquire about recent failures or successes. How did the organization learn from these events in a way that will help make them more successful? It’s the conversion of raw information to true knowledge, and it just happens to be one of the most difficult things an organization can achieve.
These are by no means the only questions you’ll want to ask. They’re just the starting point. We didn’t even mention management review, corrective action, or improvement—all of which are crucial to an effective QMS. The seven topics discussed here are the biggest new requirements that auditors will need to probe. This is part of a series of articles for manufacturing improvement.
Generally, when something changes, that will be what the auditor is going to focus on; the vindictive auditor will try and catch you out, to show they know more than you, and make themselves look good. The professional auditor will focus on the continual improvement approach and appreciate that management systems change and improve over time.
Either way, to avoid non-conformities, you still need to be prepared. We’ve put together five key questions we think auditors will be asking, and we’ve also suggested how your quality management system could address them. And for you technical “quality types” we’ve added some useful tips to make sure you are fully up to speed.

• Understanding the organization and its context – clause 4.1
How have you determined the external and internal issues that are relevant to your business and its strategic direction?

If you are a big business, you will have a strategic business plan. You may not need to show the auditor all of the plan, but you could highlight the parts where it mentions the external forces that are impacting on it as well as its internal strengths and weaknesses. If you are a small business, then having Vision and Mission statements should demonstrate where the business is heading: its strategic direction. To show the external and internal issues, a SWOT analysis is a simple and effective tool to use. SWOT stands for Strengths, Weaknesses, Opportunities, and Threats, with Strengths and Weaknesses being internal issues and Opportunities and Threats being external issues.

Useful tip: ISO 9001:2015 does not require any of this to be documented; the term it uses is “determined”. But there won’t be many auditors that will be happy if you just explain this to them without showing them anything written down.

Useful tip: ISO 9001:2015 does, however, require documented information as evidence of management reviews, and these reviews have to include relevant changes in external and internal issues.

• Actions to address risks and opportunities – clause 6.1
How have you determined the quality risks and opportunities that need to be addressed?
If you are a big business, you will most probably already have a risk manager or risk department, and they will be looking at the big picture risks to the business. They may not, however, be quite so clear on the opportunities for the business, that is, where it could be growing. This is more likely in the business plan. Also, because quality is about the customer, some of these risks and opportunities will need to be related to the customer. The QMS should be integrated with these identified risks and opportunities, so any actions and quality objectives should be aligned and able to be related back. If you are a small business then you may well have a risk register; if you have a safety system you almost certainly will have one. If you don’t have one, create one. They are normally a spreadsheet or table.

To show that you have identified quality risks and opportunities, look at your business through the eyes of your customer or a potential customer: what you would not like if you were a customer (risk), and what you would like the business to be doing if you were a customer (opportunity).
Once you have a list of customer risks and opportunities, identify how you can reduce the negative risks and build on the opportunities.

Useful tip: ISO 9001:2015 does not require any of this to be documented; the term used is “determined”. It also does not require a risk register, risk manager or risk department, but most auditors will want to see something written down.

Useful tip: ISO 9001:2015 requires the actions taken to be proportionate to the risk and opportunity, so BIG risk = BIG action. Small risk = small action.

Useful tip: There is no requirement for an organization to adopt ISO 31000 Risk management – Principles and guidelines. However, for organizations who want a more formal approach to managing risk it may be useful.
Useful tip: ISO 9001:2015 does require documented information as evidence of management reviews, and these reviews have to include the effectiveness of actions taken to address risks and opportunities.

• Planning of changes – clause 6.3
How have you considered the purpose of any changes to the QMS and their potential consequences?

If you are a big business, there will most probably be changes occurring at many different levels. Some of the high-level changes may already look at the possible consequences of the change, although nearly always they will focus heavily on the benefits of the change rather than identify any of the negatives that may result. The lower-level, day-to-day changes will most probably be captured in such things as improvement registers, non-conformance reports, and corrective action requests, and these changes will often not be identifying the possible consequences.
In these cases additional fields could be added to identify the consequences of the change. If you are a small business then you most probably do not identify the consequence of any change before it is implemented, but you most probably do have non-conformance reports and some form of improvement or corrective action register. If that is the case just add a column or two to show what you expect to happen as a result of any change, and don’t forget to include the negative as well as the positive. That is also true for any changes that result from meetings – just include the possible consequences along with the actions and responsibilities.
Useful tip: ISO 9001:2015 does not require these possible consequences to be documented; the term it uses is “considered”. However, in other areas of ISO 9001, and generally because of something going wrong, documented information is required:
• That describes the nonconformity, the actions taken, any concessions obtained, and identifies the authority deciding the action. Clause 8.7.2
• As evidence of the nature of the nonconformity and any actions taken, and the results of any corrective action. Clause 10.2.2
• When the requirements for products and services are changed. Clause 8.2.4
• On design and development changes. Clause 8.3.6
• Any need for changes to the QMS. Clause 9.3.3

• Quality management system and its processes – clause 4.4.1
How have you determined the inputs required and outputs expected from your QMS processes?

Any organization that is already certified against ISO 9001:2008 should have some form of document that describes the sequence and interaction of their processes; in fact the interaction between these processes should already be described in their quality manual (it was a requirement in ISO 9001:2008). But in ISO 9001:2015 you are now required to not only determine the processes needed for the QMS but also determine the inputs required and the outputs expected from these processes.
If you are a big multifaceted organization managing a number of different projects within a matrix structure with many complex process maps, this could be an arduous task identifying the inputs and outputs of each of these individual processes. Auditors could have a field day here. Simplify and streamline your processes to make identifying inputs and outputs easier and your QMS more effective.
If you are a small business then you most probably have a relatively straightforward end-to-end process map, so the identification of the inputs and outputs should be reasonably easy.

Useful tip: Managing interrelated processes is one of the keys to a good QMS, and the output from one process is most likely the input to another process.

Useful tip: There is a lot of talk about the process approach in this version of ISO 9001:2015; however, it was very clearly spelled out as a requirement in ISO 9001:2000, so it’s been around for at least 15 years. If your consultant, quality person or auditor doesn’t know this – get a new one!

Useful tip: ISO 9001:2015 does not require a quality manual. This is a good thing. In most cases it was a poorly written copy of ISO 9001 interspersed with bits from the businesses’ procedures, and nobody reads a quality manual apart from the auditor.

• Organizational knowledge – clause 7.1.6
How have you determined the knowledge necessary for the operation of your processes?

Firstly, there is a difference between knowledge and competence. Competence is the ability to apply knowledge and skills to achieve intended results.
Competence is often demonstrated through a qualification. Knowledge is part of competence and it is gained by experience, and it is used and shared. Knowledge is based on:
• Internal sources – knowledge that is learned within the business; successes, failures, experiences etc.
• External sources – knowledge that is gained from; customers, standards, conferences, and even the internet etc.

ISO 9001 requires this knowledge to be maintained and made available, and the business also has to consider its current knowledge and how to acquire any additional knowledge it needs.
In most organizations whether large or small there will be such things as; skills matrices, job or position descriptions, and performance review records. Normally these focus purely on a person’s competence or qualification, so these could be adjusted to include any knowledge requirements along with any actions to gain the knowledge where gaps appear. Useful tip: Documented evidence of competence needs to be kept (clause 7.2) but not of knowledge.
Useful tip: Be aware there are two types of knowledge.
• Explicit knowledge – which is knowledge that can be written down; books, manuals, websites, papers.
• Tacit knowledge – is knowledge that’s difficult to write down, visualize or transfer from one person to another; sales, innovation, entrepreneurship, how to speak a language, riding a bike.