An ISO 9001 audit checklist is a tool, one of many in the auditor's toolbox, used to assess an organization's quality management system. Consider an analogy comparing the QMS to a carpenter's blueprint and the auditor to a construction inspector. The goal is to assess the work that's being done in comparison to how the blueprint says it should be done and also in comparison with the building codes -- or, in this case, the ISO 9001 requirements. Checklists should be designed to help with that assessment, not to add red tape.
A checklist can be designed to perform a documentation review. After confirming that the organization's document control procedure as written meets ISO 9001 requirements, design the checklist by pulling specific items from that procedure. Focus the questions on document control itself, with only one or two questions addressing the ISO 9001 requirements specific to the process being audited. It is enough to ask: "Which ISO 9001 clause(s) apply to Process ABC?" and "Does Process ABC meet those requirements?" It is not necessary to rewrite the entire standard as questions on checklists.
Management Responsibility & Commitment
A checklist can be designed specifically for a management audit. The checklist can identify each clause that states a requirement as a direct responsibility of top management and other pertinent items, such as human resource and infrastructure planning. This checklist can be used initially during a management interview and then completed through the course of the audit as evidence is assessed across the organization.
Training & Competence
A checklist can prompt auditors to remember universally applicable requirements, such as training and competence. When following an audit trail covering other clauses, these requirements can sometimes be overlooked and require follow-up activity before the audit can be closed. A checklist can help ensure that auditors look for evidence that employees are competent for the jobs they perform based on education, training, skills and experience. Equally important is to confirm that action plans are developed and carried out to ensure that employees achieve the levels of competence needed.
Checklist items should cover outsourced processes. This may be combined with the universally applicable requirements noted above. The adage "out of sight, out of mind" can cause both auditees and auditors to forget that warehousing for Programs A, B and C is still done on site, but for Program X that function is now performed by a third-party logistics provider. ISO 9001 specifically requires that outsourced processes be controlled to ensure that they meet the organization's own QMS requirements.
Monitoring & Measurement
Checklists should address measuring process effectiveness and monitoring trends to assess the capability of the QMS. Measures can include complex statistical process control data or can be as simple as the number of internal or external customer complaints. Checklists should enable auditors to identify what metrics are in place and what trends those metrics have revealed since the previous audit. Checklists should also remind auditors to look for evidence of action taken to correct negative trends.
Audit checklists should add value rather than exist for the mere sake of meeting an internal audit process requirement. It is more important for an auditor to follow an audit trail that presents itself during the audit than to follow a checklist. Inexperienced auditors can lose sight of such trails when they rely too heavily on checklists.
- Mel Stoutsenberger/iStock/Getty Images