Internal Audit Checklist
ISO9001 Toolkit: Version 3 ©CertiKit
Implementation guidance The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document This is a checklist to be used as a prompter for questions during an internal audit.
Areas of the standard addressed The main areas of the ISO9001 standard addressed by this document are:
• 9. Performance evaluation
  o 9.2 Internal audit
General guidance When conducting an internal audit it can be useful to have a list of standard questions to ask, organized according to the sections of the ISO9001 standard. This makes the audit more interesting than simply reading the requirements from a spreadsheet. It’s possible that any one audit will not cover all parts of the standard so you may need to edit this checklist to cover the areas you need. You may also like to add further questions to the lists, depending on the type of organization you are auditing. At each stage, it is important that evidence is reviewed and recorded to prove that procedures etc. are in place.
Review frequency We would recommend that this document is reviewed annually.
Document fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.
Version 1
Page 2 of 21
[Insert date]
To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.
Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Internal Audit Checklist
Audit details
Audit:
Audit scope:
Auditor(s):
Date of audit:
4 Context of the organization
4.1 Understanding the organization and its context REF
RECOMMENDED QUESTIONS
1. What are the internal and external issues that are relevant to the QMS?
2. How do they affect its ability to achieve its intended outcome?
3. What does the organization do (in broad terms) and how might errors and non-conformities affect its activities?
4. What is the purpose of the QMS?
AUDIT FINDINGS
EVIDENCE REVIEWED
4.2 Understanding the needs and expectations of interested parties REF
RECOMMENDED QUESTIONS
1. Who are the interested parties?
2. What are their requirements?
3. How have their requirements been established?
4. What are the main legal and regulatory requirements that the organization must meet?
5. How is the understanding of these requirements kept up to date?
AUDIT FINDINGS
EVIDENCE REVIEWED
4.3 Determining the scope of the QMS REF
RECOMMENDED QUESTIONS
1. What is the scope of the QMS?
2. How is it defined?
3. Are any exclusions explained?
4. Does it consider the relevant issues and requirements?
5. Is the scope documented?
AUDIT FINDINGS
EVIDENCE REVIEWED
AUDIT FINDINGS
EVIDENCE REVIEWED
4.4 QMS and its processes REF
RECOMMENDED QUESTIONS
1. How established is the QMS?
2. How long has it been running for?
3. How much evidence has been collected so far, for example, records?
4. What are the processes of the QMS?
5. How are the processes documented?
6. How much detail is given for each process?
5 Leadership
5.1 Leadership and commitment REF
RECOMMENDED QUESTIONS
1. Who is defined as top management within the scope of the QMS?
2. How does top management demonstrate leadership and commitment, in practical terms?
3. How well are customer requirements understood?
4. How is customer satisfaction ensured?
AUDIT FINDINGS
EVIDENCE REVIEWED
AUDIT FINDINGS
EVIDENCE REVIEWED
5.2 Policy REF
RECOMMENDED QUESTIONS
1. Can I review the QMS policy?
2. Is it appropriate and does it cover the required areas?
3. Does it include the required commitments?
4. How has it been communicated and distributed - and to whom?
5. When was it last reviewed?
5.3 Organizational roles, responsibilities and authorities REF
RECOMMENDED QUESTIONS
1. What are the roles within the QMS?
2. Does everyone understand what their responsibilities and authorities are?
3. Who has the responsibility and authority for conformance and reporting?
4. Who takes the lead on customer focus?
AUDIT FINDINGS
EVIDENCE REVIEWED
6 Planning
6.1 Actions to address risks and opportunities REF
RECOMMENDED QUESTIONS
AUDIT FINDINGS
1. What are the main risks to the QMS?
2. What actions are or have been taken to address them?
3. How effective have these actions been?
EVIDENCE REVIEWED
6.2 Quality objectives and plans to achieve them REF
RECOMMENDED QUESTIONS
1. Are there documented quality objectives?
2. Do the objectives comply with section 6.2.1 a) to g)?
3. Is there a plan to achieve the objectives?
4. Does the plan include the who, what, when and how?
AUDIT FINDINGS
EVIDENCE REVIEWED
AUDIT FINDINGS
EVIDENCE REVIEWED
6.3 Planning of changes REF
RECOMMENDED QUESTIONS
1. What changes have been made to the QMS in the last 12 months?
2. How were these changes planned and managed?
7 Support
7.1 Resources REF
RECOMMENDED QUESTIONS
1. How are the resources needed for the QMS determined?
2. Are the required resources, including people, infrastructure and work environment, provided?
3. What external resources are used?
4. What resources are allocated to monitoring and measuring?
5. Is there a requirement for measurement traceability and, if so, how is it achieved?
6. What knowledge is needed within the organization, and how is it maintained?
AUDIT FINDINGS
EVIDENCE REVIEWED
AUDIT FINDINGS
EVIDENCE REVIEWED
7.2 Competence REF
RECOMMENDED QUESTIONS
1. Have the necessary competences been determined?
2. How has the competence of the people involved in the QMS been established?
3. What actions have been identified to acquire the necessary competence?
4. Have they been completed, and is there evidence of this?
7.3 Awareness REF
RECOMMENDED QUESTIONS
1. What approach has been taken to providing awareness of the quality policy, contribution to the QMS and implications of not conforming?
2. Has everyone been covered?
AUDIT FINDINGS
EVIDENCE REVIEWED
AUDIT FINDINGS
EVIDENCE REVIEWED
7.4 Communication REF
RECOMMENDED QUESTIONS
1. How has the need for communication been established?
2. What regular methods are used for communication?
7.5 Documented information REF
RECOMMENDED QUESTIONS
1. Is all the documented information required by the standard in place?
2. Is the level of other documentation reasonable for the size of QMS?
3. Are appropriate documentation standards, for example, identification and format, in place?
4. Are the standards applied in a uniform way?
5. Are appropriate controls in place to address the activities listed in 7.5.3.2?
6. How are documents of external origin handled?
7. How is the documentation protected?
AUDIT FINDINGS
EVIDENCE REVIEWED
8 Operation
8.1 Operational planning and control REF
RECOMMENDED QUESTIONS
AUDIT FINDINGS
1. What processes are used to meet requirements?
2. How are the requirements for products and services determined?
3. What level of documented information is kept about the operation of the processes?
4. What planned changes have taken place recently, and how were they controlled?
5. What processes are outsourced?
6. How are they controlled?
EVIDENCE REVIEWED
8.2 Emergency preparedness and response REF
RECOMMENDED QUESTIONS
1. What types of customer communication take place?
2. How are applicable statutory and regulatory requirements defined?
3. Is a review carried out to check that customer requirements can be met before a commitment to supply is given?
4. What happens when the requirements for products and services are changed?
AUDIT FINDINGS
EVIDENCE REVIEWED
8.3 Design and development of products and services REF
RECOMMENDED QUESTIONS
1. Is there a defined design and development process?
2. What factors are taken into account when determining the stages and controls for design and development?
3. What information is input to the design and development process?
4. Is this information documented?
5. What controls are applied to the design and development process?
6. How are the outputs of design and development evaluated?
7. What happens when changes are made during or after design and development?
AUDIT FINDINGS
EVIDENCE REVIEWED
8.4 Control of externally provided processes, products and services REF
RECOMMENDED QUESTIONS
1. What processes, products or services are externally provided?
2. What controls are applied to these?
3. How are external providers managed?
4. How is it ensured that external providers deliver to requirements?
5. What information is communicated to external providers?
AUDIT FINDINGS
EVIDENCE REVIEWED
AUDIT FINDINGS
EVIDENCE REVIEWED
8.5 Production and service provision REF
RECOMMENDED QUESTIONS
1. What conditions are in place to control production and service provision?
2. Are outputs identified?
3. How are any outputs that must be traceable controlled?
4. How is property belonging to customers or external providers managed and protected?
5. If outputs need to be preserved, how is this achieved?
6. What post-delivery activities are provided?
7. What happens when things change during production or service provision?
8.6 Release of products and services REF
RECOMMENDED QUESTIONS
1. How are products and services verified to ensure they meet requirements, before being released?
2. What documented information is maintained on the release of products and services?
AUDIT FINDINGS
EVIDENCE REVIEWED
AUDIT FINDINGS
EVIDENCE REVIEWED
8.7 Control of nonconforming outputs REF
RECOMMENDED QUESTIONS
1. How are outputs that don’t conform to requirements identified?
2. What happens when a nonconformity is found?
3. What documented information is recorded about nonconformities?
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation REF
RECOMMENDED QUESTIONS
1. How is it determined what should be monitored and measured?
2. May I review evidence of monitoring and measurement?
3. How are results reported?
4. How is customer satisfaction monitored?
5. What have been the recent conclusions from analysis of monitoring and measurement information?
AUDIT FINDINGS
EVIDENCE REVIEWED
AUDIT FINDINGS
EVIDENCE REVIEWED
9.2 Internal audit REF
RECOMMENDED QUESTIONS
1. How often are internal audits carried out?
2. Who carries them out?
3. Are the auditors objective and impartial?
4. May I review the most recent internal audit report?
5. Have any nonconformities resulting from previous audits been addressed?
6. Does the audit programme cover the complete scope of the QMS?
9.3 Management review REF
RECOMMENDED QUESTIONS
1. How often are management reviews carried out?
2. Who attends them?
3. Are they minuted?
4. Are all areas in 9.3.2 covered at management reviews?
5. May I review the results of the most recent one?
6. What outputs resulted from it?
7. Does the management review represent a reasonable assessment of the health of the QMS?
AUDIT FINDINGS
EVIDENCE REVIEWED
10 Improvement
10.1 General REF
RECOMMENDED QUESTIONS
1. How are opportunities for improvement identified?
2. What improvement actions have been completed recently?
3. What effect have these improvements had on the QMS?
AUDIT FINDINGS
EVIDENCE REVIEWED
10.2 Incident, nonconformity and corrective action REF
RECOMMENDED QUESTIONS
1. How are nonconformities identified?
2. How are they recorded?
3. May I review the records of a recent nonconformity?
4. Was appropriate action taken to correct it and address the underlying causes?
5. Was the effectiveness of the corrective action reviewed?
AUDIT FINDINGS
EVIDENCE REVIEWED
10.3 Continual improvement REF
RECOMMENDED QUESTIONS
1. What evidence of continual improvement can be demonstrated?
2. What are the main sources of improvements?
AUDIT FINDINGS
EVIDENCE REVIEWED