The #1 Question Clients Ask Me Before an Audit
I've been auditing companies to ISO 9001 for well over a decade now. By far, the most common question I get before an audit is: "What do you want to see?" There are 20 mandatory records and 3 mandatory documents in ISO 9001:2015, but when I point this out, it doesn't seem to help much, especially with that sneaky clause 4.4.2, which states you have to: "a) maintain documented information to support the operation of your processes; b) retain documented information to have confidence that the processes are being carried out as planned." This could be loosely interpreted as "whatever procedures and records the auditor thinks you should have".
So, to help my clients prepare for an audit, I have developed a list of typical documents and records that I expect to review during an audit. I have shared that list below, organized by ISO 9001 section, along with the ISO 9001 clause that applies. These are pretty general, and some may not apply to very small businesses. And of course, if you have exclusions, you can omit those. But overall, it should give you a good idea of what documents and records to have handy for an audit.
If you're unclear about the difference between documents and records, please see my earlier blog about this topic. I hope you find this helpful.
Documents and records to have available for an ISO 9001 audit:
4.1 - List of internal and external issues.
4.2 - List of interested parties and their expectations of you.
4.3 - The scope of the QMS. This must be documented somewhere, and it must match the scope listed on the registrar’s certificate.
Section 5: Leadership
5.2 - Quality policy. The policy should be reviewed regularly for continuing suitability, and be communicated to employees. I would expect that it has been approved by a senior member of management, and is either dated or has a revision number.
5.3 - Organizational chart, or equivalent, that shows responsibilities and authorities within the company have been assigned and communicated. Not necessary if your company has few employees (e.g. 5-10 people or fewer).
5.3 - Evidence that the role of the Quality Management Representative has been assigned and communicated, e.g. a job profile, or a statement in the Quality Manual, etc.
Section 6: Planning
6.1 - Risk register that lists business risks to your company. These typically include revenue-related risks, expense-related risks, physical risks, and employee-related risks. You could develop a risk register once for the whole company, or you might want to do this project-by-project or customer-by-customer. I also expect to see some way of evaluating the risks against each other to determine which are the highest priorities for your business. Then, I expect to see the actions that have been taken, or are underway, to mitigate those risks. These risks and their associated actions should be reviewed at least once per year.
6.2 - Quality objectives, complete with metrics and targets. I expect there to be at least 2 or 3 of these. There should be a plan in place for achieving the objectives. The objectives should be reviewed regularly for progress (at least twice a year), and be communicated to employees.
Section 7: Support
7.1.3 - A list of the equipment, vehicles and infrastructure that you need to maintain in order to produce the required quality of products or services. Depending on your business, this could include machines, tools, trucks, processing equipment, IT servers, PCs, laptops, phones, communication systems, etc. For each item that is identified as requiring maintenance, I expect to see a schedule of preventive maintenance, and the corresponding records of maintenance conducted.
7.1.4 - A description of the conditions you need to control in order to produce the required quality of products or services. Depending on your business, this could be temperature or humidity control, sterility, classroom conditions, etc. For an office environment, there might not be anything to control.
7.1.5 - A list of instruments and tools that require calibration or verification. For each instrument, I expect the calibration/verification frequency to be listed, and the corresponding calibration certificates or records of verification to be kept on file. The certificates should list the as-found and as-left conditions, and should state that they are traceable to some kind of national or international standard. If this is not possible, they should state the basis for calibration/verification, which is usually manufacturer’s specifications.
7.2 - Job profiles for all employees, including their responsibilities, and the minimum qualifications required for their job. Evidence that the person filling that position holds those minimum qualifications (e.g. copies of certificates or diplomas).
7.2 - Records of mandatory employee training. This includes the course taken, the date, and the instructor. Some examples include WHMIS training, forklift training, first aid training, on-the-job assembly training, etc.
7.2 - For any training taken by an employee, an evaluation of how effective that training was for that employee. This does NOT have to be a test, it may just be a sign-off by the subject matter expert or supervisor.
Section 8.2: Sales/Orders
8.2 - Sales orders, contracts or agreements with your customer, stating what is to be delivered, how it will be shipped/delivered, by when and at what price. I expect to see terms and conditions for each order (either the client’s or yours). I expect to see evidence of the review and approval of the order.
8.2 - When changes are made to a customer’s order, I expect to see that the order, contract or agreement was amended, revision-controlled, and communicated to the people who need to know about the change.
Section 8.3: Design & Development
8.3.1/8.3.2 - Records that line up with your design & development process, to show that you followed your design process.
8.3.2 - Evidence of control of any outsourced design services. This usually means review and approval of design outputs, a communication or transmittal log for formal communications between your company and the outsourced service, meeting minutes, contracts, etc.
8.3.3 - Records about the design basis. This could be a scope of work from your customer, an email from your customer, a proposal written by you, etc. I expect this to include a list of expected deliverables, e.g. drawings, materials, a report, etc. The design basis must include a list of applicable codes and standards.
8.3.4 - Records of verification of design outputs. This is usually approval signatures on calculations, drawings, etc.
8.3.4 - Records of at least one design review (per project). This should include who attended the review, what was discussed, and action items that were generated as a result of the design review, as well as follow up on those action items.
8.3.4 - Records of validation of the design. This could be the results of testing, a 3D model, a field trial, or a prototype. For any of these activities, I expect to see a report summarizing what was done and the conclusions reached. Sometimes, like with smaller construction projects, validation is not possible. In that case, a sign-off from the owner or general contractor will work.
8.3.5 - Records of the final design deliverables.
8.3.6 - Records of any changes made to the design during the course of the project. I expect these records to include an analysis of the expected impact of the change, and evidence that the change was approved before being implemented.
Section 8.4: Procurement and Outsourced Services
8.4.1 - A list of approved suppliers and/or sub-contractors. Records of how these suppliers were evaluated and approved.
8.4.1 - Records of re-evaluation of your critical suppliers and/or subcontractors. Where suppliers/subcontractors have received a poor review, I expect to see that action has been taken.
8.4.2 - Records of incoming inspection.
8.4.3 - Purchase orders that clearly specify what is being purchased, and the conditions of purchase (e.g. delivery dates, terms and conditions, etc.).
Section 8.5: Production or Service Provision
8.5.1 - Documents that are used for production (e.g. work instructions, drawings, BOMs, shop aids, checklists, etc.) or service (work order, installation instructions, specifications, etc.). I would expect that these documents are properly controlled (see clause 7.5) and available at the point of use. (Okay, these aren’t records. But I would expect to see them during an audit.)
8.5.1 - Test records (if applicable). I expect that the acceptance criteria are clearly defined on the record template or test procedure, and that if a record shows a product failed, there is a record of what was done about the failure. If the test records are captured on paper, I expect that they are documented on a controlled template (see clause 7.5), and stored so they are protected from damage and can be retrieved.
8.5.1 - Records for controlling “Special Processes”. These are processes where the resulting output cannot be verified without destroying the product, or where failures in the process do not become apparent until well after the product is in use. This includes welding, soldering, anodizing, pickling, coating, painting, curing, phosphating, galvanizing, among others.
8.5.1 - Records of product release. I expect to see that the authority to release product has been defined (e.g. the production manager or quality manager), and that each order is signed off (or equivalent) by that person. There should be a brief description of what that signature means, e.g. “approved by” or “released by”.
8.5.3 - Records about customer property.
8.5.6 - Production/service provision change control records.
8.7 - Records of non-conformances and their disposition. This includes a description of the non-conformance, its disposition, and what the corrective action was. If the disposition was rework or repair, I expect to see a record of inspection of the reworked/repaired results. I also expect to see that the NCR disposition was approved by an authorized individual.
Section 9: Evaluation
9.1.1 - Records of internal monitoring and measurement results. I would expect that you have determined what is important to measure in your company to ensure everything is running successfully. These are NOT financial metrics, but are metrics about your internal processes. It is very specific to each company. This could include things like project reporting (e.g. cost, schedule, % complete), number of change orders per project, win/loss ratio, % rework, DPMO, yield, overtime, cycle time, number of failures, etc.
9.1.2 - Records of how you determine and analyze customer satisfaction. This could be survey results, % of repeat business, market-share analysis, distributor reports, etc.
9.2 - Records of internal audits. I would expect to see a schedule of planned audits (unless you just do one big audit each year). For each audit, I expect to see an audit plan, an audit report, and records of how you followed up on and addressed any audit findings.
9.3 - Records of management reviews. The minutes of the meeting should include the topics that were discussed, the conclusions that were reached, complete with a list of action items and their due dates. I also expect to see the materials that were reviewed at the meeting. It is not enough to say “we reviewed process performance and conformity” - I would expect to see the analysis that was conducted and reviewed during the meeting.
Section 10: Improvement
10.2 - Records of corrective actions, including a description of the non-conformance, a root cause analysis to determine cause(s), a description of what was done to address the root cause, and an explanation of how you know that what you did was effective at solving the original problem.