
INTERNAL AUDIT CHECKLIST 2008

ISO 9001 Requirements What to look for Comply Auditor notes and evidence

ESC-2 INTERNAL AUDIT CHECKLIST 2008

Top Management

Use as appropriate; not all topics may apply equally to all program areas. AUDITORS SHOULD ADD PROGRAM-SPECIFIC QUESTIONS BASED ON THE PROCEDURES AND WORK DONE IN ASSIGNED PROGRAM AREAS.

ISO 9001 Clause Reference

Requirements (Paraphrased Brief)

What to look for; questions

(C) in compliance; (R) more research needed; (NC) nonconformity; (OI) Opportunity for Improvement

Evidence and Auditor Notes

4.2.3 4.2.3

Control of documents

Define (in a written procedure) the controls needed to approve documents prior to issue, review, update and re-approve documents, identify changes and current revisions of documents, make relevant and current documents available at points of use, ensure that documents are legible and identifiable, identify and control the distribution of documents of external origin, and identify retained obsolete documents and prevent their unintended use.

Check all relevant program-area/center-level procedures. Are they up-to-date? Are any changes correctly made (listed in revision history, correct revision version shown in footer)? Are any program/department-generated forms maintained properly (with revised date footer) and correctly listed on the Index of Forms?

4.2.4

Control of Records

Establish and maintain records to provide evidence of conformity and effectiveness of the quality management system.

Check that required records listed in the Index of Records for a given program area or department are being properly kept in the location shown and that all other information listed in the Index of Records is correct.

4.2.4

Establish documented procedure for the identification, storage, protection, retrieval, retention time and disposition of records. Ensure that records remain legible, readily identifiable and retrievable.

Are records listed for the program easily accessible? Are records readily retrievable (test by asking for retrieval of specific records)?

a. Has the ISO 9001 QMS been beneficial, neutral, or a hindrance to the efficiency of ESC-2 operations?
b. If I were an outsider looking in, knowing nothing about this organization, what would I see from this group that would make me think that you are committed to improving this organization and the systems that drive it?
c. What improvements to the ISO QMS are you considering for the coming year?
d. Tell me about your management reviews. How often are they conducted? Can you show me a record of one review?

4.2.4

5.1

Management Commitment. Top management shall provide evidence of its commitment to the development and implementation of the QMS and continually improving its effectiveness.

5.2

Customer Focus. Top management shall ensure that customer requirements are determined and met with aim of enhancing customer satisfaction.

Describe to me the processes that are in place that you manage that ensure that customer needs are met. Would you say that process is effective? Can you show me data that indicates it is effective? (Can you prove it?) Have you considered how this process might be improved? If so, can you show me a record that indicates such a consideration? If not, why not?

5.3 5.3

Quality Policy. The quality policy shall be appropriate to the purpose of the organization, include a commitment to comply with requirements and continually improve the quality management system, provide a framework for establishing the quality objectives, be communicated and be understood throughout the organization, and be reviewed for continuing suitability.

On a scale of 1-10, how would you rate the effectiveness of our QMS and why would you give it that rating? What have you done/are you doing as a team to improve that rating? Can you show me records of those actions?

5.4

Planning

5.4.1

Quality Objectives

5.4.2

Quality management system planning

Do you think that our Quality Objectives need tweaking? If yes, can you show me a record of those issues being addressed in a management review? If no, why not?

5.5

Responsibility, authority and communication

5.5.3

Establish communication processes and ensure that information and data regarding the effectiveness of the quality management system are effectively communicated.

As a team, what do you do to let the rest of us know about how ISO and our QMS have improved the service that we deliver to our customers? Can you think of ways or have you discussed ways that communication could be improved? If so, can you show me a record of that discussion? If not, why not? Since we implemented the QMS and ISO standardization, has a non-management person ever suggested a way that we could improve our organization? If so, how was it handled? Is there a record of any of those suggestions? Is there any evidence that anything was ever done to address the suggestion? Do you believe that employees understand and are comfortable with using the QMS tools to report problems and make suggestions for improvement? If not, what have you done/are you doing to change that?

5.6.1

When was the last time the cabinet made a change to the QMS? (One example is Procedure for Protection of Customer Property dated 4/11/08) Tell me about any change that has been made in the last year to improve the QMS and our organization.

5.6.2

Show me a record of a management review.

What inputs were used for this review? What outputs (actions) resulted from this review? Was follow-up required for any items? Can you show me when/where the follow-up occurred? I noticed that the Customer Property procedure was updated in April of this year. Can you show me the management review records of when and why that was done?

6

Resource Management

6.1

Provision of resources

6.1.a, b

Provide adequate resources to implement, maintain and improve the quality management system. Provide adequate resources to meet customer requirements and enhance customer satisfaction.

What resources would you say are lacking in our organization that might make us more effective? How do you determine which resources to provide and which ones to deny? How do you determine if a given resource will contribute to meeting customer needs and enhancing customer satisfaction?

6.2

Human resources

6.2.1 6.2.2.a 6.2.2.b 6.2.2.c 6.2.2.e

Ensure that personnel performing work affecting product quality have appropriate education, training, skills and experience; and maintain records of their qualifications. Determine the necessary competence requirements for personnel, provide training or take other actions to satisfy these needs, and evaluate the effectiveness of the training provided (or other actions taken).

We have a procedure for required training. How do you think that is working? As a member of top management, how are you involved in employee training decisions? Do you have a role in evaluating the effectiveness of training provided to employees? If so, what is it? If you have a role in evaluating effectiveness of training, I would like to see a record of your involvement (job performance evaluation). Are there ways that we could improve our training procedure to make it work better? Have those things been discussed in a cabinet meeting? Are you aware that we have a number of new employees who have been here longer than 6 months that have not completed the required training established by the QMS? Has this issue been addressed in a management review? Can you show me a record of that review? What actions has the cabinet taken to resolve this issue? I understand that there is also an issue of employees attending training and that training not showing up in their training records for several months. Are you aware of that issue? Has the cabinet addressed it in a management review? Can you show me the records of that review and the outputs and follow-up that occurred?

6.2.2.d

Ensure that personnel are aware of the relevance and importance of their work and how they contribute to the achievement of quality objectives.

7

Product Realization

7.1

Planning of product realization

Determine quality objectives and requirements for the product. Establish production processes and documentation, and provide adequate equipment, operators and other resources specific to the product.

7.2

Customer-related processes

7.2.1

Determine product requirements specified by the customer (including delivery and post-delivery); not stated by the customer, but necessary for specified or intended use; statutory and regulatory requirements related to the product; and any additional requirements determined by the company.

Tell me about our processes for determining customer needs. Can you show me some minutes of some advisory committee meetings? Do you have any other documentation related to determining customer needs (surveys, etc.)?

7.2.2

Prior to the commitment to supply product, review requirements related to the product to ensure that requirements are defined, any discrepancies and ambiguities are resolved, and company is able to meet the requirements. Maintain review records.

Much of our QMS is related to delivering a quality product to our clients that meets the requirements and needs. How do you feel we are doing on that front? Are there areas that we can improve? Be specific. Have any of those areas been addressed in a management review? What outputs did that review result in? Have they been/will they be implemented?

7.2.3.a 7.2.3.b

Determine and implement arrangements for communicating product information, handling enquiries, orders and change orders.

7.2.3.c

Determine and implement effective arrangements for communicating with customers regarding customer feedback and customer complaints.

Tell me about customer complaints. How are they handled when they happen? Is that process/procedure documented anywhere?

7.3

Design and development

7.3.1

Plan product design activities, to include the design stages; the review, verification and validation activities appropriate to each stage; and assignment of responsibilities and authorities.

Thinking about the regional improvement plan and the process that is followed to create it, how do you think that is working? Have changes been made to the process in the last year? If so, tell me about the changes. How did those changes come about? What areas of concern do you have related to the regional improvement plan process? Do you foresee any major changes for the upcoming year?

7.3.2

Determine, document, review and approve design inputs, to include, as applicable, functional and performance requirements, statutory and regulatory requirements, and information from previous similar designs.

7.3.4

Perform systematic design reviews to evaluate whether the design is on track toward meeting input requirements, and to identify any problems and propose necessary actions. Maintain records of the reviews and the resulting actions.

7.3.5

Carry out design verification to ensure that design outputs have met the design input requirements. Maintain records of the verification results and any related actions.

Again thinking about the Regional Improvement plan, what steps or processes are in place to make sure that what we say we are going to do will meet the needs of the customer WHILE the plan is being written and AFTER it has been completed?

From your perspective, is the header system an effective method for making sure that workshops meet the needs that they were intended to meet? If not, what needs to change? Has the cabinet addressed those issues? What has been done? Is it documented?

7.3.6

Prior to delivery or implementation of the product, perform design validation to ensure that the resulting product is capable of meeting the requirements for the specified application or intended use. Maintain records of the validation results and any related actions.

7.3.7

Review, verify, validate, as appropriate, and approve design changes before implementation. Evaluate the effect of the changes on constituent parts and on product already delivered. Maintain records of changes and of their reviews/evaluations and any necessary actions.

It seems that we have a lot of changes to workshop headers after they have been created. Do those changes ever affect clients? If so, how? What procedures are in place to minimize or manage changes and their impact on clients? Do you think those procedures are effective and how might we improve them?

7.4 7.4.1

Purchasing

Control suppliers and the purchased product to ensure that the product conforms to specified purchase requirements.

Our business procedures manual has some very detailed guidelines for purchasing and for hiring outside consultants. Can you think of any problems that we have had in the last year related to those two items? Are there things that we can do to improve those procedures or do you think they are working fine just as they are?

7.4.2

Purchasing information shall describe the product to be purchased. In purchasing specifications include, where appropriate, requirements for approval of product, procedures, processes and equipment; requirements for approval of personnel, and quality management system requirements. Ensure adequacy of purchasing specifications before they are forwarded to suppliers.

Any problems with the purchasing system that need to be looked at? Have any changes been made in those procedures/processes in the last year?

7.4.3

Establish and implement activities for ensuring that purchased products meet specified purchase requirements.

7.5

Production and service provision

7.5.1

Ensure the use of suitable equipment.

7.5.4

Identify, verify, protect and safeguard customer property provided for use or incorporation into the product; and report to customers any event of loss, damage or unsuitability of their property.

Talk to me about the new Procedures for Protection of Customer Property. How is that working? I know it is pretty new, but do you think it is going to work, might need some changes? To your knowledge, has any customer property been lost or damaged since the adoption of this procedure? Did it seem to help in that situation?

7.5.5

Protect and preserve the conformity of product during delivery to the intended destination.

8

Measurement, analysis and improvement

8.1

General

8.1

Plan and implement measurement, analysis and improvement processes to demonstrate conformity of the product, to ensure conformity of the QMS, and to continually improve the effectiveness of the QMS. Determine applicable methods, including statistical techniques, required for the measurement, analysis and improvement processes.

8.2

Monitoring and measurement

8.2.1

Monitor information relating to customer satisfaction. Determine methods for obtaining and using this information.

8.2.3 8.2.4

Monitor and measure processes and product characteristics to verify their conformity with requirements. Maintain records of process and product conformity and the person(s) authorizing release of product.

8.2.4

Prevent the release of product until all planned production and verification activities have been completed.

We have a system for evaluating our product. Describe that system to me. What happens to those product evaluations after they are completed? Is the data ever analyzed? Is the data ever used to make products better? Do we have records of that? Are there ways that you can think of that we might improve our evaluation system?

8.3

Control of nonconforming product

8.3

Identify and control nonconforming product to prevent its unintended use or delivery.

Do you think that the nonconformity system is working as an effective tool to help us improve? How, how not, why not? What are the barriers to this system working better? What changes need to be made? Have those changes been addressed at the cabinet level? If so, what has resulted from those discussions?

8.3

Re-verify reworked or repaired products to demonstrate their conformity.

8.4

Analysis of data

Collect and analyze data on the performance of the quality management system, to include customer satisfaction, product conformity, characteristics and trends of processes and products (including opportunities for preventive actions), and suppliers.

Review previous audit nonconformities of program, as well as the list of corrective actions org-wide to verify conformity, as applicable.

8.5

Improvement and corrective/preventive action

8.5.1

Continually improve the effectiveness of the quality management system through the use of quality policy, quality objectives, audit results, analysis of data, corrective and preventive actions, and management reviews.

We have been living with and working under the QMS for a couple of years now. What kinds of changes have taken place in the QMS during that time? What kind of changes do you think need to take place going forward?

8.5.2

The organization shall take action to eliminate the cause of nonconformities in order to prevent recurrence. Corrective actions shall be appropriate to the effects of the nonconformities encountered. A documented procedure shall be established to define requirements for: reviewing nonconformities (and customer complaints), determining the causes of nonconformities, evaluating the need for action to ensure that nonconformities do not recur, determining and implementing action needed, records of the results of action taken, and reviewing corrective action taken.

As a cabinet, have you ever instituted a corrective action? If so, has the problem that led to the non-conformity ever recurred?

8.5.3

Establish documented procedure for determining potential nonconformities and causes, evaluating the need for preventive action, determining and implementing preventive actions, recording the results of actions taken, and reviewing preventive actions.

Talk to me about any potential problem areas that you feel may eventually lead to a deficiency in meeting customer requirements. Have you as a team, discussed what can be done to prevent those things from occurring? Have you documented those discussions? Has a non-conformity report been completed related to that/those issues?