The Auditing Standard & How to Conduct Your Own Audits

Note: ISO 10011 was replaced by ISO 19011 in 2003. However, at present the 2000 Version of ISO 9001 only refers to ISO 10011.

ISO 19011 describes the controls of :

  • The requirements of auditors. That is, their previous qualification and experience and the training that they must undergo before conducting audits. Also, their independence and ability must be considered.
  • The requirements of auditing. That is, how they must be planned, conducted and recorded. Also, what proofs must be gathered during the audits and what records must be kept of the audits.

These requirements are one of the biggest causes of misunderstanding in the whole ISO 9000 arena. A few common misconceptions can be dispelled here :

  1. You do not have to use fully-trained and qualified auditors. (However, it may be much more expensive to do it yourself, as described below)
  2. Auditors do not have to be unfriendly, humourless monsters. There is no problem with an auditor being friendly and cheerful.
  3. You do not need a full-time department full of auditors in order to meet the requirements of ISO 9000 / ISO 19011 (unless your organisation is VERY large). You can either use a trained person occasionally (not the best solution - see below) or an external auditor who can perform the Internal Audits for you.
  4. Internal Quality Auditors (that is, persons performing the audits for you, rather than the external audits performed by your Assessment Body / Quality Registrar) can offer advice if you wish.
  5. HOWEVER, if the Auditor from your Quality Registrar offers advice (that is, tells you what to do, how to do it or any other form of guidance), then you must immediately suspect the auditor of being inadequate/unsuitable and report him to the Assessment Body / Quality Registrar concerned.

Consider this scenario : Your Assessment Body's Auditor advises you to perform a certain task. When the next auditor comes along and tells you that it is not acceptable, your immediate reply will be "Well, you told us to do it!". As a result, his independence is immediately compromised and his audit findings are unreliable and cannot be accepted by anyone else.

A worse scenario would be if you followed his advice and then lost money. The Assessment Body would deny responsibility and your auditor's professional indemnity insurance would not pay up for this, as he is not supposed to offer consultancy or advice.

The Principles of Auditing

(If you want a very good, step by step explanation of how to conduct your own ISO 9000 Internal Quality Audits, you can get a copy of my CD, which contains examples, forms for you to use, plus a thorough, but easy to understand explanation of the process).

Although it is quite possible to conduct Internal Quality Auditing using in-house staff or a dedicated department, there are a number of reasons why this might not be very effective :

  • Cost : It is quite expensive to send your staff on a suitable training course. The course is likely to last two to three days, plus several days of preliminary study. Your staff will be unavailable during this time and you must also allow for the costs of the training course. Typically, it costs as much to send one person on a training course as to use an external auditor (such as myself - ahem!) for two years.
  • Experience : Your in-house auditor will not have the continual practice that an external auditor will have. In my own case, I perform audits on approximately 125 days each year. I cover a wide range of industries and as a result can contribute ideas on best practice which would not be available to an in-house auditor.
  • Intimidation : An in-house auditor may find it difficult to point out the mistakes of his superiors and even more so of his work-mates. An external auditor will not have this problem.
  • More Cost : Whilst your in-house auditor is auditing, he / she will not be conducting their usual work. In addition, your in-house auditor will take longer to conduct the same audits than an external auditor - guaranteed!
    • He / she will be called away for important meetings, phone calls, etc.
    • He / she will need to remember how to conduct the audits each time, following the gap since the last set of audits.
  • Credibility : an external auditor will have far more credibility than an in-house auditor. Most organisations realise that the recommendations of an external person are listened to with more attention than if the same recommendations were presented by an in-house person.
  • Much More Cost : Your assessment body (Quality Registrar) will place more reliance upon the audits of an external auditor who is known to them at a number of sites. This can reduce the costs of their assessments quite considerably. This can save much more than the cost of using an external auditor.
  • Even More Cost : An external auditor can often see where your system could be improved, far more easily than an in-house person could. This is often the case where the accepted practices become so ingrained that no-one considers how they might be improved.

You may well be saying to yourself "well, he would say that, wouldn't he?", and to some extent that may be true. It is, after all, how I earn my bread and butter. However, most of my Clients use me to conduct audits long after we have finished obtaining ISO 9000, and the most common reason given is that I come along and gently bully them into keeping their system going. I am more thorough than the assessment body, and probably more feared! But, that's my job.

Conduct Your Own ISO 9000 Internal Quality Audits

If you feel that you must do it yourself, here is Terry's guide to auditing :

In order to perform audits, you need a number of things :

  • a trained, experienced auditor

Although not essential to the requirements of ISO 9000, it is strongly recommended that your Internal Quality Auditor should have passed an Internal Auditors course, which should be accredited by a reputable organisation, such as the International Register of Certified Auditors (IRCA). Although it is possible to perform audits without such training, your assessment body will be entitled to place less reliance upon such audits, which may well result in more assessment visits, which will be expensive.

In addition to the training, your auditor should perform a regular amount of auditing, perhaps at least fifty auditing days or more per year, in order to ensure that the training is developed by ongoing practice. A common mistake is for a member of an organisation to attend a training course, then not perform enough audits to keep in practice. This is an almost certain route to failure.

  • a written standard against which to audit

All auditors must have a documented standard against which the audit must be performed. In the case of ISO 9001, this would be ISO 9001 and your own written procedures, instructions and Quality Manual.

  • something to audit

Another common failing is for auditors to begin audits before there are sufficient records to enable a meaningful audit to take place. This does not mean that your organisation must wait for six months before conducting audits. It may be sufficient to conduct audits after only a few weeks, provided that there are adequate records for the auditor to check the entire process.

Planning of Audits

There should be a schedule of audits, perhaps covering a single year, or some other relevant period. The schedule should show which aspects of the system will be checked and when. The schedule should be reviewed, perhaps during the Management Review Meetings, in order to ensure that it is being adhered to, and to make changes as applicable.

Prior to commencing each audit, your auditor should write down what he is going to check and why (e.g. "trace a contract from quotation through production and subsequent delivery, so that traceability of the process can be confirmed as adequate").

Conducting the Audits

As the audit is conducted, your auditor should write down enough data to prove that the audit was conducted, and which could be used to conduct the same audit again if necessary. This would include details of who was spoken to, what records were checked and what was found.

At the end of the audit, any nonconformances must be clearly identified and brought to the attention of the relevant person. Corrective action (to fix the immediate problem) and any necessary preventive action (to stop it happening again or to prevent it happening in similar circumstances, etc) must be agreed and recorded, including the date by which the action must be conducted and the responsibility for ensuring that it is conducted.

Re-auditing

After an appropriate interval, the nonconformance must be re-audited. This may be after a few weeks, months or even longer, depending upon when there will be sufficient proof that the action has worked or not. The re-audit could consist of a number of re-audits or could be a single re-audit.

All pages are © Terry Russell 1994 - 2007

This page was last updated on Nov 03, 2007