a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and

b) is effectively implemented and maintained.

An audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.2.4) shall be defined in a documented procedure.

The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8.5.2).
 
(From BS EN ISO 9001:2000)

An organization’s internal auditing program is the heartbeat of the entire system—if you have a robust internal auditing program, you have the foundation for a great system. Indeed, the purpose of auditing, which must be conducted periodically as appropriate to the organization, is to evaluate the adequacy and the effectiveness of the quality management system in areas such as documentation, conformance to requirements, improvement, etc. (Note: Effectiveness is evaluated by looking at results. Efficiency is evaluated by looking at the use of resources. But efficiency is not an ISO 9001:2000 requirement, only effectiveness is.) You should see the direct connection with customer satisfaction and continual improvement, and you should also note that a documented procedure is required in this clause.

ISO 9001:2000 follows the process approach. That means if you’re conducting a process management approach as required by ISO 9001:2000, you’ll also need to conduct process audits. This adds a new dynamic to the auditing process, which organizations need to understand.

Auditors will need to understand the organization’s processes first, and then, by assessing those processes, they can provide feedback on whether the processes are working and how they might be improved. Auditors should be looking at all aspects of the system, including elements relating to the workplace, health and safety and the environment.

With that in mind, this is also a good place to introduce another standard that will be used with the ISO 9000:2000 series. It is titled, ISO 19011:2002. The concept behind ISO 19011:2002 is integrated auditing, which can lead to tremendous benefits for an organization if done properly. Experts believe this type of auditing is the most cost-effective way to audit an organization now and in the future.

Clause 8.2.2 requires the criteria, scope, frequency and methods be defined by a procedure. They should have been before, but it is now required. Also, the procedure must define the responsibilities and requirements for planning, conducting, reporting and recording audits.

To meet the requirements of this clause, you must have a documented procedure for the planning and execution of internal audits. The plan also must reflect the results of prior audits.

Example: If an area had problems during previous audits, it would be a good idea to step up the frequency of visits until the problems are resolved. However, if you have scheduled three visits per year to an area and it is demonstrated their procedures are being followed and that the procedures are effective, you might want to reduce the number of visits to one per year. Finally, if an area is working to newly introduced procedures, it might be wise to step up the frequency of visits until it is demonstrated that the procedures are effective.

Additionally, a person who is independent (impartial and objective) of the activity he or she is auditing must carry out internal audits. However, auditors may audit their own departments, as long as someone audits their work. This approach might be more flexible for some companies.

Audit results must be recorded and should be classified as records. These results must be presented to the person responsible for the audited area. If any nonconformities were found, the next visit must record that they have been addressed and the corrective action is effective. This, too, is classified as a quality record. Quality audit results must be considered during management reviews (5.6.2.a).