Procedure 14 Internal Audits
Table of Contents 1 Introduction... 2 2 Audit Planning... 2 2.1 Head Office... 2 2.2 Critical Locations... 3 3 Conducting the Audit... 3 4 Non-conformances... 3 5 Client file audits... 4 6 Internal Auditor Competence... 5 7 Document Revision History... 5 Proc 14 / Issue 14 Uncontrolled if printed Page 1 of 5
1 Introduction This document sets out the procedure for undertaking internal audits of the Quality System of IMS International, to ensure that the assessment and certification process is being effectively implemented and to monitor compliance against the relevant standards to which IMS is accredited. This procedure identifies the requirements for Head Office and any Critical Location offices. 2 Audit Planning 2.1 Head Office The Global Certification Manager is responsible for preparing an Internal Audit Schedule (Doc 11) covering at least the following two calendar years. The Schedule will identify the areas of the System that will be covered in each audit and ensure that over the course of 12 months each scheme is audited at least once and a selection of client files taken. The Schedule will be reviewed, and if necessary revised, at Management Review meetings taking account of the findings of any recent audits and the importance of the processes and areas to be audited. The Internal audit schedule will also include an audit of each critical location office to ensure that systems and procedures are being followed and operational controls are effective. Before the commencement of each audit; a meeting shall be held with a member of the management team and the auditor to discuss and plan the individual audit ensuring audit criteria has been established and the requirements of the annual plan have been met. All areas of the Quality System, including Scheme Documents relating to the various standards to which IMS is accredited, will be audited at least annually. Further Internal Audits may be carried out at the discretion of the Global Certification Manager, for example following repeated non-conformances or customer complaints. The Global Certification Manager will select and appoint appropriate auditors to audit the areas that are set out in the Schedule. Auditors will be independent of direct responsibility for the area being audited, and will be have appropriate qualifications and experience as well as knowledge of ISO 17021 and other additional standards such as AS9104, IAF Documents and ISO 27006. The Global Certification Manager will provide each internal auditor with an audit plan specifying the area(s) to be covered, the standard(s) against which the audit is being carried out, the date, location and scope. The auditor will plan the times and duration of the audit, and identify the personnel required for interview. Proc 14 / Issue 14 Uncontrolled if printed Page 2 of 5
2.2 Critical Locations The Regional Management Representative shall submit an internal audit schedule (Doc 11) to IMS Head Office on an annual basis, typically at the start of each calendar year. The audit schedule shall cover all areas of the Quality Management System to which they are responsible for as highlighted within the Critical Location Procedure (Proc 17) and the schemes which they are conducting audits within. IMS Head Office shall review the audit schedule and request any amendments as necessary to ensure that confidence can be placed within the audits. 3 Conducting the Audit Audits will be carried out according to the audit plan, and will include interviews, observation, and inspection of documents and records. The guidelines set out in ISO 19011 1 will be followed. The internal auditor will carry out the audit against the Quality System documentation and the relevant accreditation standards. Internal Audits will include a random sample of client files to confirm that all certification and registration activities have been correctly completed, that relevant records are in place, and to check that documentation has been correctly used and applied throughout the certification and registration process. Sufficient audit notes shall be taken to demonstrate audit evidence, these can be in hand written form but preference would be given to electronic notes. Non-compliances will be recorded on Non-Conformance and observation reports (Form 12), and referenced in the Internal Audit Report form (Form 17). Observations will be detailed on the Internal Audit Report form, along with overall comments, and a judgement of whether the areas audited conform to the relevant standard(s). Any observations raised during the internal audit shall be transferred onto the Observations and Improvements Log (Form 49) and reviewed by the management team to decide whether or not they are to be introduced. The audit report, along with the auditor s notes will be kept in the Internal Audit folder for a minimum of seven years. The auditor will inform the personnel responsible for the areas audited of the outcome of the audit, and in particular the need for any corrective actions. Further feedback on the outcome or on corrective actions may be provided as relevant following Management Review (see below). 4 Non-conformances Non-conformances are transferred to the Non-conformance form (Form 12) and given to the Regional Management Representative for review and identification of Corrective Action Proc 14 / Issue 14 Uncontrolled if printed Page 3 of 5
completion dates. Typically corrective actions should be identified no more than 28 days after raising, if the non-conformance is of a more serious nature then the time should be reduced. The Non-conformance will then be given to the personnel responsible for the corrective action completion, this could be the responsible manager for the related department. The responsible person shall identify containment, root cause and long term corrective actions within section 2 of the form. When these have been identified, the document shall be returned to the Regional Management Representative for review and approval of the actions. Should they deem the actions not suitable, the report shall be returned to the responsible person for revision and resubmission of the report. The corrective actions shall be completed and progress tracked on the non-conformance report (Form 12) within section 3. When the activity has been completed, the completion dates shall be shown within section 2 of the form. When satisfied that all actions have been completed, the Regional Management Representative shall review the actions and sign off acceptance in section 4. Corrective Actions will be followed-up to ensure that the actions taken are effective and no repeating issues have been identified, depending on the nature of the non-conformance the follow-up action may be performed within 3 months for more serious issues. If not of a serious nature then this can be performed during the next scheduled internal audit. After the follow-up process has been completed, the internal auditor shall sign off within section 5 of the form to show that the actions have been implemented and are effective. 5 Client file audits As well as performing internal audits, each office is required to perform random client file checks using form 46 to ensure that systems and procedures are being followed. At least four client files should be selected each month. These checks do not need to be performed by internal auditors, they can be completed by administration personnel who are aware of the documentation requirements within client files. The person performing the check will select client files at random and complete the checklist, if any areas of concern are identified, these shall be identified on the checklist document and given to the Regional Management Representative for review. Any actions can be dealt with to correct the file without raising a non-conformance form (Form 12). If a trend is identified or the nature of the issue is more serious, then a non-conformance form will be raised and corrective actions taken. Proc 14 / Issue 14 Uncontrolled if printed Page 4 of 5
6 Internal Auditor Competence Internal Auditors shall be competent on the basis of relevant skills and experience and have appropriate qualifications. Internal Auditors shall have successfully completed an IRCA Lead Auditor course, have knowledge of ISO 17021 requirements and the relevant accreditation standard to which they are assessing to such as ISO 27006, AS9104. An awareness of any supporting standards is also required, this includes IAF Documents as identified within the internal audit reports. The Auditor shall have at least 1 years experience in auditing Management Systems to ISO 19011 requirements, as an example this could be ISO 9001, ISO 14001 or OHSAS 18001 audits. Auditors shall have understanding of IMS s procedures and systems and have access to the relevant manuals and procedures. In order to enable this understanding, internal auditors shall receive training on the scheme(s) they are auditing, training presentations have been prepared for this and are available within the training folder held on the server. When the training has been completed, a certificate shall be generated to demonstrate attendance and held on the server in the personnel file. 7 Document Revision History Date Amendment Revision 6 th March 2015 Introduced procedure into IMS standard template 13 Changed General Manager to Global Certification Manager Introduced Global Requirements for auditing Introduced non-conformance section 5 th June 2015 Internal auditor competence section updated to highlight the requirement for internal auditor training to make them aware of IMS procedures and system 14 Proc 14 / Issue 14 Uncontrolled if printed Page 5 of 5