Eli5. What are the basic steps that an ISO 9001 internal auditor should take to conduct an audit of a shipping dept.?


I have no experience with ISO 9001 and my boss volunteered me as an internal auditor this morning in a meeting. I have a week to prepare. How do I go about this? Any advice helps. I’m currently going through the 8 fundamentals of ISO 9001 but I’m not sure how to physically go through this audit?

In: Other

The key to ISO 9001 is documented processes.

In your audit, you will get a list of processes that the company says describe what the “shipping” department does. You will seek out examples of each process. Then you will examine the records for all the instances of work that uses the process to see if any instances didn’t follow the process (perhaps by following a different process). Then you will audit the work that is left, to see if there is work going on for which there is no process (sometimes called orphan work).

All your observations will be written up in an audit report, which the assessors will use (with audit reports from all the company’s other departments) to determine where the company meets the standards and where it does not.

The assessment team will explain how they want this done/documented.

Did you make your boss unhappy or something?

Anyway, the internal auditor should be very familiar with the processes of their organization. Some bosses think of internal auditors as an adversarial or confrontational role. They might believe that the auditor’s role is to find fault and expose problems. This type of thinking is old fashioned at best and destructive at worst. So, at least a conversation with the boss along with the leader of the ISO9001 effort in the organization at large might be useful.

Pretty much everything starts with the QMS for the department. (It shouldn’t be the role of the auditor to write one nor approve one.) The QMS should be completed and formally approved by the required authority within the department (and usually their manager and the QMS/QE leader) – so perhaps the Shipping dept manager and their manager along with the QMS leader in the organization. Without a QMS, there is nothing for an auditor to do.

internal auditor should

a) review the relevant QMS to ensure that it complies to the corporate QMS. If this is a large organization, each department/division will have a QMS in sort of a “tree” to tie to the corporate QMS.

b) review the QMS using the relevant ISO9001 standards as a basis for compliance. This is a check of completeness (eg stuff that ISO requires are included to the right detail)

c) review the associated documentation/procedures that are described in the QMS. The documents must exist and be kept in good order.

d) If the internal auditor’s role is also to assist the dept in ISO compliance, then it is also necessary to ensure that actual practices follow the documentation. ie “Do what you say you do”. Identify training and implementation gaps and update documentation as necessary. (This is not always part of the internal auditor’s role)

e) During the actual audit, the role of the auditor could be as “simple” as pointing out errors of procedure, errors of compliance, errors and incompleteness quality documents and records, etc. It is then the role of the department staff (not the IA) to address those points. A more complete audit will also involve certain “opinion” statements – like best practices, ineffective or inefficient processes (you can be very diligently following a poor process)

f) Internal auditors are supposed to be knowledgeable both of departmental processes, the QMS and the ISO standards themselves. This is a serious and significant role. It is also not unusual for the IA to develop best practices. It is definitely not a role for the most junior in a department. A bad IA can result in a disastrous 3rd party/independent compliance audit.

A quick audit technique is to go to the SOP and highlight everywhere it says shall or must… go find evidence of those requirements being met/not met.

I remember the acronym REO
Requirement – Evidence – Observation
Look for requirements in the SOP
Find the evidence of meeting those requirements To come to your observations

An auditor wants to verify that there is a procedure and/or Work instruction for all work that is being done AND that you guys are using them.

Make sure all employees know this in case they’re queried by an auditor.