








Internal Audit Checklist
Clause | Requirement | Comply | Auditor Notes / Evidence
The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system.
The organization shall monitor and review information about these external and internal issues.
NOTE 1 Issues can include positive and negative factors or conditions for consideration.
Understanding the external context can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local.
NOTE 3 Understanding the internal context can be facilitated by considering issues related to values, culture, knowledge and performance of the organization.
Due to their effect or potential effect on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, the organization shall determine:
a) the interested parties that are relevant to the quality management system;
b) the requirements of these interested parties that are relevant to the quality management system.
The organization shall monitor and review information about these interested parties and their relevant requirements.
The organization shall determine the boundaries and applicability of the quality management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements of relevant interested parties referred to in 4.2;
c) the products and services of the organization.
The organization shall apply all the requirements of this International Standard if they are applicable within the determined scope of its quality management system.
The scope of the organization’s quality management system shall be available and be maintained as documented information. The scope shall state the types of products and services covered, and provide justification for any requirement of this International Standard that the organization determines is not applicable to the scope of its quality management system.
Conformity to this International Standard may only be claimed if the requirements determined as not being applicable do not affect the organization’s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction.
4.4. The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.
The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall:
a) determine the inputs required and the outputs expected from these processes;
b) determine the sequence and interaction of these processes;
Audit Report Key - SAT: Satisfactory; OBS: Observation; NC: Nonconformance; N/A: Not Applicable at this time
Context of the organization 4.
Understanding the organization and its context 4.
Understanding the needs and expectations of interested parties 4.
Determining the scope of the quality management system 4.
Quality management system and its processes
c) determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;
d) determine the resources needed for these processes and ensure their availability;
e) assign the responsibilities and authorities for these processes;
f) address the risks and opportunities as determined in accordance with the requirements of
g) evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;
h) improve the processes and the quality management system.
4.4. To the extent necessary, the organization shall:
a) maintain documented information to support the operation of its processes;
b) retain documented information to have confidence that the processes are being carried out as planned.
Top management shall demonstrate leadership and commitment with respect to the quality management system by:
a) taking accountability for the effectiveness of the quality management system;
b) ensuring that the quality policy and quality objectives are established for the quality management system and are compatible with the context and strategic direction of the organization;
c) ensuring the integration of the quality management system requirements into the organization’s business processes;
d) promoting the use of the process approach and risk-based thinking;
e) ensuring that the resources needed for the quality management system are available;
f) communicating the importance of effective quality management and of conforming to the quality management system requirements;
g) ensuring that the quality management system achieves its intended results;
h) engaging, directing and supporting persons to contribute to the effectiveness of the quality management system;
i) promoting improvement;
j) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
NOTE Reference to “business” in this International Standard can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence, whether the organization is public, private, for profit or not for profit.
Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:
a) customer and applicable statutory and regulatory requirements are determined, understood and consistently met;
b) the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed;
c) the focus on enhancing customer satisfaction is maintained.
Top management shall establish, implement and maintain a quality policy that:
a) is appropriate to the purpose and context of the organization and supports its strategic direction;
b) provides a framework for setting quality objectives;
Leadership 5.
Leadership and commitment 5.1.
General
5.1.
Customer focus
5.
Policy 5.2.
Developing the quality policy
c) take into account applicable requirements;
d) be relevant to conformity of products and services and to enhancement of customer satisfaction;
e) be monitored;
f) be communicated;
g) be updated as appropriate.
The organization shall maintain documented information on the quality objectives.
6.2. When planning how to achieve its quality objectives, the organization shall determine:
a) what will be done;
b) what resources will be required;
c) who will be responsible;
d) when it will be completed;
e) how the results will be evaluated.
When the organization determines the need for changes to the quality management system, the changes shall be carried out in a planned manner (see 4.4).
The organization shall consider:
a) the purpose of the changes and their potential consequences;
b) the integrity of the quality management system;
c) the availability of resources;
d) the allocation or reallocation of responsibilities and authorities.
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the quality management system.
The organization shall consider:
a) the capabilities of, and constraints on, existing internal resources;
b) what needs to be obtained from external providers.
The organization shall determine and provide the persons necessary for the effective implementation of its quality management system and for the operation and control of its processes.
The organization shall determine, provide and maintain the infrastructure necessary for the operation of its processes and to achieve conformity of products and services.
NOTE Infrastructure can include:
a) buildings and associated utilities;
b) equipment, including hardware and software;
c) transportation resources;
d) information and communication technology.
The organization shall determine, provide and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services.
NOTE A suitable environment can be a combination of human and physical factors, such as:
a) social (e.g. non-discriminatory, calm, non-confrontational);
b) psychological (e.g. stress-reducing, burnout prevention, emotionally protective);
c) physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise).
These factors can differ substantially depending on the products and services provided.
General
7.1.
People
7.1.
Infrastructure
7.1.
Environment for the operation of processes
7.1.
Monitoring and measuring resources
6.
Planning of changes 7
Support 7.
Resources
The organization shall determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements. The organization shall ensure that the resources provided:
a) are suitable for the specific type of monitoring and measurement activities being undertaken;
b) are maintained to ensure their continuing fitness for their purpose.
The organization shall retain appropriate documented information as evidence of fitness for purpose of the monitoring and measurement resources.
When measurement traceability is a requirement, or is considered by the organization to be an essential part of providing confidence in the validity of measurement results, measuring equipment shall be:
a) calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; when no such standards exist, the basis used for calibration or verification shall be retained as documented information;
b) identified in order to determine their status;
c) safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results.
The organization shall determine if the validity of previous measurement results has been adversely affected when measuring equipment is found to be unfit for its intended purpose, and shall take appropriate action as necessary.
The organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services.
This knowledge shall be maintained and be made available to the extent necessary.
When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates.
NOTE 1 Organizational knowledge is knowledge specific to the organization; it is gained by experience. It is information that is used and shared to achieve the organization’s objectives.
NOTE 2 Organizational knowledge can be based on:
a) internal sources (e.g. intellectual property; knowledge gained from experience; lessons learned from failures and successful projects; capturing and sharing undocumented knowledge and experience; the results of improvements in processes, products and services);
b) external sources (e.g. standards; academia; conferences; gathering knowledge from customers or external providers).
The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of the quality management system;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;
d) retain appropriate documented information as evidence of competence.
NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the re-assignment of currently employed persons; or the hiring or contracting of competent persons.
The organization shall ensure that persons doing work under the organization’s control are aware of:
a) the quality policy;
b) relevant quality objectives;
General
Measurement traceability
Organizational knowledge
7.
Competence 7.
Awareness
The organization shall plan, implement and control the processes (see 4.4) needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6, by:
a) determining the requirements for the products and services;
b) establishing criteria for:
   1) the processes;
   2) the acceptance of products and services;
c) determining the resources needed to achieve conformity to the product and service requirements;
d) implementing control of the processes in accordance with the criteria;
e) determining and keeping documented information to the extent necessary:
   1) to have confidence that the processes have been carried out as planned;
   2) to demonstrate the conformity of products and services to their requirements.
NOTE “Keeping” implies both the maintaining and the retaining of documented information.
The output of this planning shall be suitable for the organization’s operations.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are controlled (see 8.4).
Communication with customers shall include:
a) providing information relating to products and services;
b) handling enquiries, contracts or orders, including changes;
c) obtaining customer feedback relating to products and services, including customer complaints;
d) handling or controlling customer property;
e) establishing specific requirements for contingency actions, when relevant.
When determining the requirements for the products and services to be offered to customers, the organization shall ensure that:
a) the requirements for the products and services are defined, including:
   1) any applicable statutory and regulatory requirements;
   2) those considered necessary by the organization;
b) the organization can meet the claims for the products and services it offers.
8.2.3. The organization shall ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to a customer, to include:
a) requirements specified by the customer, including the requirements for delivery and post-delivery activities;
b) requirements not stated by the customer, but necessary for the specified or intended use, when known;
c) requirements specified by the organization;
d) statutory and regulatory requirements applicable to the products and services;
e) contract or order requirements differing from those previously expressed.
The organization shall ensure that contract or order requirements differing from those previously defined are resolved.
The customer’s requirements shall be confirmed by the organization before acceptance, when the customer does not provide a documented statement of their requirements.
Determining the requirements related to products and services
8.
Requirements for products and services 8.2.
Customer communication
8.2.
Review of requirements related to products and services
In some situations, such as internet sales, a formal review is impractical for each order. Instead, the review can cover relevant product information, such as catalogues or advertising material.
8.2.3. The organization shall retain documented information, as applicable:
a) on the results of the review;
b) on any new requirements for the products and services.
The organization shall ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed.
The organization shall establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services.
In determining the stages and controls for design and development, the organization shall consider:
a) the nature, duration and complexity of the design and development activities;
b) the required process stages, including applicable design and development reviews;
c) the required design and development verification and validation activities;
d) the responsibilities and authorities involved in the design and development process;
e) the internal and external resource needs for the design and development of products and services;
f) the need to control interfaces between persons involved in the design and development process;
g) the need for involvement of customers and users in the design and development process;
h) the requirements for subsequent provision of products and services;
i) the level of control expected for the design and development process by customers and other relevant interested parties;
j) the documented information needed to demonstrate that design and development requirements have been met.
The organization shall determine the requirements essential for the specific types of products and services to be designed and developed. The organization shall consider:
a) functional and performance requirements;
b) information derived from previous similar design and development activities;
c) statutory and regulatory requirements;
d) standards or codes of practice that the organization has committed to implement;
e) potential consequences of failure due to the nature of the products and services.
Inputs shall be adequate for design and development purposes, complete and unambiguous. Conflicting design and development inputs shall be resolved.
The organization shall retain documented information on design and development inputs.
The organization shall apply controls to the design and development process to ensure that:
a) the results to be achieved are defined;
b) reviews are conducted to evaluate the ability of the results of design and development to meet requirements;
c) verification activities are conducted to ensure that the design and development outputs meet the input requirements;
d) validation activities are conducted to ensure that the resulting products and services meet the requirements for the specified application or intended use;
Design and development of products and services 8.2.
Changes to requirements for products and services
8.3.
General
8.3.
Design and development planning
8.3.
Design and development inputs
8.3.
Design and development controls
b) define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output;
c) take into consideration:
   the effectiveness of the controls applied by the external provider;
d) determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.
The organization shall ensure the adequacy of requirements prior to their communication to the external provider.
The organization shall communicate to external providers its requirements for:
a) the processes, products and services to be provided;
b) the approval of:
   1) products and services;
   2) methods, processes and equipment;
   3) the release of products and services;
c) competence, including any required qualification of persons;
d) the external providers’ interactions with the organization;
e) control and monitoring of the external providers’ performance to be applied by the organization;
f) verification or validation activities that the organization, or its customer, intends to perform at the external providers’ premises.
The organization shall implement production and service provision under controlled conditions.
Controlled conditions shall include, as applicable:
a) the availability of documented information that defines:
   1) the characteristics of the products to be produced, the services to be provided, or the activities to be performed;
   2) the results to be achieved;
b) the availability and use of suitable monitoring and measuring resources;
c) the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or outputs, and acceptance criteria for products and services, have been met;
d) the use of suitable infrastructure and environment for the operation of processes;
e) the appointment of competent persons, including any required qualification;
f) the validation, and periodic revalidation, of the ability to achieve planned results of the processes for production and service provision, where the resulting output cannot be verified by subsequent monitoring or measurement;
g) the implementation of actions to prevent human error;
h) the implementation of release, delivery and post-delivery activities.
The organization shall use suitable means to identify outputs when it is necessary to ensure the conformity of products and services.
The organization shall identify the status of outputs with respect to monitoring and measurement requirements throughout production and service provision.
Production and service provision 8.4.
Information for external providers
8.5.
Control of production and service provision
8.5.
Identification and traceability
The organization shall control the unique identification of the outputs when traceability is a requirement, and shall retain the documented information necessary to enable traceability.
The organization shall exercise care with property belonging to customers or external providers while it is under the organization’s control or being used by the organization.
The organization shall identify, verify, protect and safeguard customers’ or external providers’ property provided for use or incorporation into the products and services.
When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and retain documented information on what has occurred.
NOTE A customer’s or external provider’s property can include material, components, tools and equipment, premises, intellectual property and personal data.
The organization shall preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements.
NOTE Preservation can include identification, handling, contamination control, packaging, storage, transmission or transportation, and protection.
The organization shall meet requirements for post-delivery activities associated with the products and services.
In determining the extent of post-delivery activities that are required, the organization shall consider:
a) statutory and regulatory requirements;
b) the potential undesired consequences associated with its products and services;
c) the nature, use and intended lifetime of its products and services;
d) customer requirements;
e) customer feedback.
NOTE Post-delivery activities can include actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.
The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements.
The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.
The organization shall implement planned arrangements, at appropriate stages, to verify that the product and service requirements have been met.
The release of products and services to the customer shall not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, as applicable, by the customer.
The organization shall retain documented information on the release of products and services. The documented information shall include:
a) evidence of conformity with the acceptance criteria;
b) traceability to the person(s) authorizing the release.
8.7. The organization shall ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery.
Post-delivery activities
8.5.
Control of changes
8.
Release of products and services 8.
Control of nonconforming outputs 8.5.
Property belonging to customers or external providers
8.5.
Preservation
the requirements of this International Standard;
b) is effectively implemented and maintained.
9.2. The organization shall:
a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
e) take appropriate correction and corrective actions without undue delay;
f) retain documented information as evidence of the implementation of the audit programme and the audit results.
NOTE See ISO 19011 for guidance.
Top management shall review the organization’s quality management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization.
The management review shall be planned and carried out taking into consideration:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the quality management system;
c) information on the performance and effectiveness of the quality management system, including trends in:
   1) customer satisfaction and feedback from relevant interested parties;
   2) the extent to which quality objectives have been met;
   3) process performance and conformity of products and services;
   4) nonconformities and corrective actions;
   5) monitoring and measurement results;
   6) audit results;
   7) the performance of external providers;
d) the adequacy of resources;
e) the effectiveness of actions taken to address risks and opportunities (see 6.1);
f) opportunities for improvement.
The outputs of the management review shall include decisions and actions related to:
a) opportunities for improvement;
b) any need for changes to the quality management system;
c) resource needs.
The organization shall retain documented information as evidence of the results of management reviews.
The organization shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction.
These shall include:
a) improving products and services to meet requirements as well as to address future needs and expectations;
b) correcting, preventing or reducing undesired effects;
Management review outputs
9.3.
General
9.3.
Management review inputs
9.
Management review
10 Improvement
10.1 General
c) improving the performance and effectiveness of the quality management system.
NOTE Examples of improvement can include correction, corrective action, continual improvement, breakthrough change, innovation and re-organization.
10.2. When a nonconformity occurs, including any arising from complaints, the organization shall:
a) react to the nonconformity and, as applicable:
   1) take action to control and correct it;
   2) deal with the consequences;
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:
   1) reviewing and analysing the nonconformity;
   2) determining the causes of the nonconformity;
   3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) update risks and opportunities determined during planning, if necessary;
f) make changes to the quality management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
10.2. The organization shall retain documented information as evidence of:
a) the nature of the nonconformities and any subsequent actions taken;
b) the results of any corrective action.
The organization shall continually improve the suitability, adequacy and effectiveness of the quality management system.
The organization shall consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities that shall be addressed as part of continual improvement.
10.2 Nonconformity and corrective action
10.3 Continual improvement