对内部审核有效性的审核

- 1 - 日期：2005 年 7 月 30 日 ISO 9001 审核实践组指南 对内部审核有效性的审核 1. 引言 为使质量管理体系适宜、充分和有效，组织需要进行内部审核以确 保 QMS 发挥预期的作用，而且内部审核能够识别体系的薄弱环节和潜在 的改进机会。内部审核是对最高管理者的反馈机制；它能够就体系是否 符合 ISO 9001：2000 的要求为最高管理者和其他利益相关方提供保证。 如何管理内部审核过程，是确保质量管理体系有效性的关键因素。 2. 要求和指南 2.1 ISO 9001:2000 条款 8.2.2 规定如下： “8.2.2 内部审核” “考虑拟审核的过程和区域的状况和重要性以及以往审核的结果， 组织应对审核方案进行策划。” 这条要求的意图是使内部审核方案关注那些以往曾经发生过问题， 或发生的问题可能仍然存在，以及（或）有可能发生问题（因过程本身 的性质）的过程和区域。这些问题可能因人为因素、过程能力、测量灵 敏度、客户要求变更、工作环境变化等而产生。 内部审核方案应当优先考虑产生缺陷或不符合的风险较大的过程。 如果过程会因诸如下列的因素引发高风险，则应当受到特别关注： - 过程能力失效的严重后果； - 顾客不满意； - 不符合产品（或过程）的法律法规要求。 2.2 ISO 9004:2000 条款 8.2.1.3 - 2 - “最高管理者应当确保建立有效和高效的内部审核过程，以评价质 量管理体系的强项和弱项。内部审核过程可作为独立评定任何指定过程 或活动的管理方面的工具。由于内部审核是评价组织的有效性和效率， 因此内部审核过程可作为独立的工具，用于获取现有的要求得到满足的 客观证据。” 这条指南强调进行内部审核时需要有效地利用资源。 （注：ISO 9004 指南不是 ISO 9001 审核所依据的要求） 3. 审核指南 第三方审核员检查内部审核过程时，应当评价下列方面： - 内部审核需要的能力及其在内审中的应用； - 组织在策划内部审核时进行的风险（如果有）； - 管理者参与内审过程的程度； - ISO 19011 提供的指南（但要注意 ISO 9001:2000 并不要求组织 使用 ISO 19011）； - 组织使用内审结果评价其 QMS 有效性并识别改进机会的方式。 第三方审核员需要： a) 评价组织识别关键区域和其他参数的方法； 例如，组织是否已识别： ■ 影响产品质量的关键过程； ■ 复杂过程或需要特别注意的过程； ■ 需要确认的过程； ■ 需要对人员资格进行评定的过程； ■ 需要密切监视过程参数的过程； ■ 经常需要校准和/或检定的监视和测量活动， ■ 跨多个场所和/或劳动密集型的活动和过程； ■ 曾经发生过问题或存在风险的过程； - 3 - ■ 已确定的对有效性和效率的测量标准做出定义的过程绩效指 标，以及这些测量标准是否和组织的总体目标保持一致？ 组织在确定对这些过程和活动的审核频次时是否使用了上述信息？ b) 评价组织的内部审核员和审核组的能力； 应当有证据表明组织： ■ 确定了对内审员的能力要求； ■ 提供了适宜的培训； ■ 有内部审核员和审核组表现的监视过程； ■ 审核组包括了有适宜专业知识的人员（这样他们就能够识别出 特定过程或活动的偏差可能导致产品质量产生严重后果的情 况）。 如果审核员发现下列问题，还应当评价内审员是否理解内审过程结 果可靠性的内在风险： ■ 未能考虑对审核结果有实质影响的问题； ■ 选择不正确的抽样方案； ■ 不正确地评价所收集的证据； ■ 偏离审核计划和内部审核程序。 c) 评价审核策划。 组织在实施内部审核活动中，应当能够最大程度地利用可用资源。 根据风险来策划内部审核，可以促进资源的有效利用。 审核员应当确定组织（在整个内部审核过程中）是否根据风险来制 定内部审核计划，以确保有效和高效地利用资源。这种基于风险的方式 还将确保最大程度地降低审核过程失效的内在风险和审核结果的内在风 险。 组织应当建立过程，以便在策划以后的内审时利用以前审核的结果。 d) 寻找组织有效实施内部审核方案的证据。 - 4 - 通过考虑上述因素，并检查内部审核过程是否使 QMS 切实得到了改 进，第三方审核员应当能够判断组织是否有效实施了内部审核方案，以 及内部审核结果是否为 QMS 有效性分析提供了证据。 - 5 - Date: 30 July 2005 ISO 9001 Auditing Practices Group Guidance on: Auditing the effectiveness of the internal audit 1. Introduction Organizations seeking a suitable, adequate, and effective quality management system need to conduct internal audits, to ensure that the QMS functions as intended, and that it identifies weak links in the system as well as potential opportunities for improvement. The internal audit acts as a feedback mechanism for the top management; it can give top management, and other interested parties, assurance that the system meets the requirements of ISO 9001:2000. How the internal audit process is managed is a key factor to ensuring the effectiveness of a quality management system. 2. Requirements and Guidance 2.1 ISO 9001:2000 clause 8.2.2 states as follows: 8.2.2 Internal audit “An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits” This requirement is intended to focus the internal audit programme on those processes and areas where past history indicates that problems have occurred, or where problems are likely to be ongoing, and/or are likely to occur (because of the nature of the processes themselves). These problems may result from issues such as human factors, process capability, measurement sensitivity, changing customer requirements, changes in the work environment, etc. The processes with high levels of risk of deficiencies or non conformities should have priority in the internal audit programme. Special attention should be given to processes where the high level of risk is influenced by factors such as: - severe consequences of failure on process capability; - customer dissatisfaction; - non compliance with product (or process) statutory and regulatory requirements. 2.2 ISO 9004:2000 Clause 8.2.1.3 “Top management should ensure the establishment of an effective and efficient internal audit process to assess the strengths and weaknesses of the quality management system. The internal audit process acts as a management tool for independent assessment of any designated process or activity. The internal audit process provides an independent tool for use in obtaining objective evidence that - 6 - the existing requirements are fulfilled, since the internal audit evaluates the effectiveness and efficiency of the organization”. This guidance from ISO 9004 stresses the need for the efficient use of resources when conducting internal audits. (Note, this ISO 9004 guidance is not an auditable requirement for an ISO 9001 assessment). 3. Audit Guidance When third party auditors examine internal audit processes, they should evaluate issues such as: - the competencies that are needed for and applied to the audit, - the risk analysis performed by the organization (if any) in planning internal audits, - the degree of management involvement in the internal audit process, - the guidance provided by ISO 19011 (but note that ISO 9001:2000 does not require the organization to use ISO 19011), and - the way the outcome of the internal audit process is used by the organization to evaluate the effectiveness of its QMS and to identify opportunities for improvements. A third party auditor needs to: a) evaluate the organization's approach to identifying critical areas as well as other parameters; For example, has the organization identified: ƒ its processes that are critical to product quality, ƒ its complex processes, or those that need special attention ƒ its processes that need to be validated ƒ its processes that need personnel to be qualified ƒ its processes that need close monitoring of process parameters ƒ its monitoring and measuring activities that require frequent calibration and/or verification; ƒ its activities and processes that occur across multiple locations and/or which are labour intensive etc. ƒ Processes where problems have occurred or are in risk ƒ and established process performance indicators that define effectiveness and efficiency measures, and do these measures align with the organization's overall goals and objectives.? Does the organization uses such information when establishing the audit frequency of such processes and activities ? b) evaluate the competence of the organization's internal auditors and audit teams; There should be evidence that the organization: ƒ has identified the competence requirements for its internal auditors, ƒ has provided appropriate training ƒ has in place a process for monitoring the performance of its internal auditors and audit teams ƒ includes personnel on its audit teams that have appropriate sector specific knowledge (so that they are able to identify where the likelihood that a deviation in a particular process or activity could lead to a significant consequence for product quality) - 7 - An assessment should also be made of whether the internal auditors understand the inherent risk to the reliance that can be placed on the outcome of the audit process, if they: ƒ fail to consider something which is material to the outcome of the audit, ƒ select an inappropriate sampling regime, ƒ weight the evidence collected inappropriately, or ƒ deviate from the audit plan and internal audit procedures. c) evaluate the planning of audits; The organisation should be able to maximize the use of available resources during the conduct of internal audit activities. This can be facilitated by the adoption of a risk based approach to the planning of internal audits. It should be ascertained whether the organization (through its internal audit process) has considered the use of a risk based approach in developing the internal audit plan, in order to ensure the effective and efficient use of resources, This should also ensure that the inherent risks of audit failure in the audit process, and to audit outcomes, are minimised. The organization should have a process for utilizing past audit results in the planning of future internal audits. d) look for evidence that the organization has implemented an effective internal audit programme. By taking the above factors into account, and by examining whether the internal audit process is leading to any tangible improvements to the QMS, the 3rd party auditor should be able to form a judgement on whether the organization has implemented an effective internal audit programme and if the outcome of internal audits provides evidence for analysis of the effectiveness of the QMS.