William A. Stimson, Ph.D.  |  11/01/2001

Internal Quality Auditing

Meeting the Challenge of ISO 9000:2000

One of the most important objectives of an internal quality audit is measuring the effectiveness of an organization's quality management system. For this to happen, executive management must first meet its overriding responsibility of establishing and maintaining a system regarding quality policy, goals, resources, processes and effective performance--including monitoring and measuring the system's effectiveness and efficiency.

ISO 9001:2000 delineates this responsibility into three distinct areas: 4.1 General requirements, 4.2 Documentation requirements and 4.3 Quality management principles. If an organization's executive management isn't active in these three areas, then they won't be addressed and the quality system will be ineffective. Let's look at them one at a time, first in terms of their meaning and then as auditable characteristics.

Management system general requirements

With respect to quality, an organization's fundamental responsibility is to define the management system used to ensure and safeguard quality. This task begins by identifying the process applications that will be part of the quality system. These should be integrated and coordinated to achieve system objectives; i.e., the processes must be organized in a process approach and supported with necessary resources. Also, the quality system's performance must be continually measured for effectiveness and efficiency, and active improvement structures must be developed.

A quality management system is profound in its application, extending to each level of company activity that affects product and service quality. Yet it also includes customer and supplier participation and is, therefore, very broad in its scope. At this point, it's understandable to wonder if anything as all-inclusive in its reach and high-minded in its goals can even be auditable. The answer is that nothing is auditable until it's implemented, but once implemented, everything's auditable.

Section 4.1 of the ISO 9001:2000 standard describes quality system requirements, but with the exception of documentation, implementing the system is effected in other sections. In other words, when all the requirements described in Section 4.2 and in sections 5-8 have been audited, the quality system has been audited. Therefore, we'll instead consider the standard's documentation requirements.

Documentation requirements: the quality manual

Past versions of ISO 9000 were often criticized because of their heavy emphasis on documentation. The 2000 revision has reduced this requirement to just a few areas: control of documents and quality records; internal audit records; and records of nonconforming product, correction and prevention. However, to achieve control, there must be structure, and the structure of documentation is defined in the company's quality manual.

In the general scheme of ISO 9001, a quality system consists of two parts: documented and implemented. The documented element (i.e., the quality manual) includes or refers to all those documents--be they policies, plans, procedures or instructions--that affect the quality of the product or service. The manual needn't be a formal volume or set of volumes but rather a combination of printed matter and software programs. All these documents must be defined and controlled both to ensure that current documents are available where and when needed and to keep documentation from getting out of hand.

The entire document assembly can be considered the quality manual; indeed, the standard refers to the manual as all documentation used to specify the quality system. However, many companies assemble a variety of documents and software as their total quality documentation and present just a small policy document that they call the "quality manual." The document is justified as a quality manual as long as it formally refers to the total quality system documentation.

This system is referred to as a "tiered documentation structure." Tier one, the quality manual, contains policies and responsibilities related to ISO 9001 requirements and expresses top management's written commitment to quality. It also contains the list of tier-two quality documents and associated revision lists and defines the manual's distribution list. The manual also may contain a few company-level procedures, such as steering committee procedures.

Tier two, department procedures, explains responsibilities, provides the department's organization chart and describes the input and output interfaces of its processes. Also, just as the quality manual in tier one provided an index of tier-two documentation, tier two provides an index of the department's tier-three procedures.

Tier three describes work instructions and standard operating procedures. A work instruction, sometimes called a "standard operating procedure," describes step-by-step how a task is to be done. To avoid confusion, a work instruction should be distinguished from a "job description," which describes what tasks an employee performs. For example, a work instruction for a lathe doesn't describe how to do machining; it describes how to set the machine up. Similarly, running a test on a centrifugal chiller requires highly skilled electronic technicians. Despite their skill, the tests also require work instructions (e.g., loop-temperature and pump-pressure ranges) that describe test-station setup for the particular kind of chiller under test. The purpose of work instructions is to establish conformance between the machine's or equipment's range of operation and the specifications on the job order.

Not every task requires a work instruction. Internal auditors can determine whether a task requires a work instruction by asking two questions: (1) If the task is done incorrectly, will it affect the quality of the product? (2) Are the task's instructions self-evident to a new employee? Yes to the first question means that a work instruction is required. Yes to the second means that a work instruction probably isn't needed, except possibly to provide data. For example, engineers don't need work instructions to design things; the task is self-evident based upon their qualifications.

Auditing the quality manual

Companies are given a great deal of latitude in defining and designing their quality manuals. And though it's possible to nitpick a manual forever, this isn't constructive. Internal quality auditors should be concerned with only three matters: Does the manual cover the quality system? Is it controlled? Can people get it when they need it?

Given the quality manual's scope, an auditor might feel overwhelmed by its sheer volume, but the naturally tiered structure of operational documentation helps to get a grasp on it. It's best to start at the top and examine documents on a sampling basis.

As the illustrated pyramid suggests, the number of documents increases greatly as you descend the tiers, but the total is united by an index system. The quality manual will index tier-two documentation. Each department procedure will index its own tier-three documentation. Choose a sampling method before you examine the indexes; then select documents randomly within the constraints of the audit scope.

Verify that the appropriate content is complete, as described in preceding paragraphs. A company isn't obliged to follow ISO 9001's format in its quality manual; indeed, those that followed the 1994 standard's format will be out of order with that of ISO 9001:2000, which is radically different. Admittedly, a manual that follows the format of the standard's current version makes the audit easier, but the manual's usefulness to those who use it is the primary concern.

ISO 9001:2000 requires auditors to verify exclusions, which are declarations in the policy manual that certain requirements don't apply to the company's operations. For example, in the past, a company that had no design function would seek compliance to ISO 9002. But this standard no longer exists. Such a company must now comply with ISO 9001:2000 but may exclude design requirements in its quality manual. Exclusion also applies to processes that the company does have but which it claims have no pertinence to the quality of the products or services that it provides to customers.

Auditing document control

ISO 9001:2000 requires distribution control of all documents and data related to quality, with associated procedures describing the method of control. Quality documents are those that attest to the quality level of product and process performance, including specifications, procedures, drawings, blueprints and many types of records. To avoid nitpicking, auditors must understand document control's purpose and keep the big picture in mind.

By definition, document control ensures both that current and correct documents are available where and when needed and that they are used. From this, we can construct the following necessary controls for quality documents:

  •   Identification
  •   Collection
  •   Indexing
  •   Disposition
  •   Amendment

"Identification" refers to the document's title and revision date. Every quality document is assigned an "owner" who is responsible for its control. The owner and users identify each document by a name and control number. Documents and data can be in hard-copy form or stored in a computer.

"Collection" means the orderly and accountable distribution of documents. For each document, the owner and users determine the minimum number of copies needed for effective use and where each copy is to be kept. Only controlled copies are to be used, and copies must be easily available to users.

"Indexing" requires keeping a master list of current documents, each having a revision date, revision number and approval signature to ensure document validity. As we described earlier, the master list of tier-two documents resides in the policy or quality manual, and the master list of tier-three documents resides in the tier-two document associated with it. For example, the index of work instructions within a department will reside in the departmental procedures book.

"Disposition" is the issuance of new or revised documents and the removal of obsolete ones. Auditors must verify that a policy and procedure exist for the removal of obsolete documents and then ensure during onsite visits that only current documents are in use in the various work areas. Old documents aren't always discarded, and if they have an operator's notes in them, they may be saved deliberately. But the presence of an outdated document at a workstation is a nonconformity.

"Amendment" refers to making changes to controlled documents, for which there must be a procedure. This procedure should describe how changes are identified within the document, how and when current revisions are identified and the number of revisions before a document is reissued. Some documents, such as test reports and purchase orders, seldom change. But there are those, such as drawings, procedures and specifications, that change often and, therefore, require revision levels. The process for revision is to: (1) identify the level of the document, (2) review and approve changes to documents at the same level, (3) identify the nature of the changes, (4) maintain a master list and (5) reissue the document after a practical number of revisions.

Examples of documents that require control are drawings, specifications, blueprints, test procedures, inspection instructions, work instructions, operation forms (when filled out), quality manuals, operational procedures and quality assurance procedures. Companies can choose which documents they wish to control, but there must be a policy and a procedure to describe the criteria and selection process.

Auditing quality records

Quality records are those documents that demonstrate conformance to the specifications and the effectiveness of the quality system. How do auditors distinguish between documents and records? A document exists before the fact; a record exists after the fact. A document is a written or graphical description of an activity's policy, procedure or instruction. A record contains data and information resulting from that activity. Each company may choose to define its own quality records. Examples include executive management reviews, designs or contracts, test and inspection results, calibration records, supplier evaluations and, last but not least, audit reports.

The quality records should be defined in the quality manual, together with the responsible storekeeper and retention times. A company will determine some logical retention period appropriate to its business, but this period must be stated. In many cases the retention period is indicated by the storage purpose--for example, ensuring that product quality was verified at the time of delivery. In such a case, consequently, the warranty period suggests the retention time.

Finally, storage must be secure and environmentally sound to protect records from abuse and deterioration. Software is the best storage option because stored data are easy to retrieve, and ease of retrieval is an audit concern.

Using quality management principles

A standard is an agreement between participants to conduct their activities in a certain way. This simple truth is not always clear, and from time to time we hear from a quality industry heretic who advocates "really tough standards." Such people fail to understand that a truly tough set of rules would find few participants and, therefore, could not be a standard. Nevertheless, through the years, certain management practices have become generally recognized as good ideas and have achieved the status of principles.

These principles are enumerated in Section 4.3 of ISO 9000:2000 as eight well-recognized practices used by managers to ensure a successful quality system. We've already mentioned three of them: customer focus, the process approach and continual improvement. Again, principles are not auditable, but their implementation is.

Improving documentation

Everyone wants to lighten the burden of documentation. Generally, this has been taken to mean reducing the amount of paperwork necessary to conduct business. Intuitively, we understand that we need documents of some sort, such as records, but reducing the amount of documentation seems to be a reasonable improvement strategy. In recent years, for example, there's been much discussion of a paperless information system as the ultimate goal of any organization.

However, companies need to think carefully about improving a documentation system, lest they suffer too much of a good thing. Documentation is closely associated with information (ISO 9000 defines a document as information and its supporting medium), and a reduction in one can lead to a reduction in the other, which might be no improvement at all.

The U.S. Navy, for example, has long sought a paperless information system to relieve its burden of logistical and technical documentation. It's now near the point where it can document almost all its ships and shore bases on a computer network and its entire technical publication repertory could be eliminated. Yet, the sailors themselves have resisted this effort because, in many cases, they work in confined areas where technical manuals are needed onsite. The inconvenience of having to troubleshoot a problem at one place while going to another place to refer to a technical computer readout is self-defeating and cumbersome.

Being paperless implies that all information is available as a computerized record. The Internet carries this idea to its penultimate development and provides a good glimpse of information saturation. Hence, we begin to understand that although being paperless has its virtues, it also carries constraints and limitations. So a more profound notion of improvement in documentation systems must be developed.

It should be clear that improving documentation is a complex task. Auditors can start by determining how their companies define improvement and what their objectives are. Auditors should examine their companies' approach to the following issues regarding improving documentation systems:

  •   The definition of documentation
  •   Delineating documentation and information
  •   Effective information media
  •   Efficient records
  •   Easy access to information

On the first issue, most readers will agree that paper is not the only documentation medium, as software is now generally included here. Although spatially conservative, software can be every bit as invasive and saturating as paper. Whatever the medium, a company should have as its goals the effective provision of information when and where it's needed, an efficient and effective system of keeping records and media that permit easy access to information.

Indeed, auditors can't separate the requirements of documentation and information, even though the first responsibility falls within Section 4.2 and the second within Section 6.5. This is one of those occasions when conducting simultaneous assessments will prove the most effective and efficient means of auditing.


The quality management system is supported by a documentation system that attests to its quality policies and objectives, includes a quality manual with a system of procedures and instructions, maintains required quality records and provides information necessary to operating effectively and efficiently all processes in the quality system. This documentation system includes bootstrap and feedback structures to ensure that the information is current and available to users and interested parties everywhere in the system.


About The Author

William A. Stimson, Ph.D.

William A. Stimson, Ph.D., is a certified quality auditor and consultant in ISO 9000 requirements, statistical process control and quality management. He has more than 30 years of experience in industry, 20 of them as an engineer and manager. In addition, Stimson spent 10 years as a lead auditor with the U.S. Navy, responsible for the qualification of defense contractors and shipyards under Mil-Q-9858.