The Quality Management System (QMS)
Internal Audit ProcessFirst off, your QMS should have procedures and processes covering internal audits. You need to conduct your internal audits in conformity with that. If those procedures/processes are deficient then you should write up an appropriate finding. The audit process as laid out in your QMS should include something about having a schedule of internal audits. A good practice is to have an internal audit every quarter of the year where each audit covers at least a quarter or more of the QMS. Your internal audit should follow a plan that you, the lead auditor have drawn up based on the scheduled content of internal audits. This plan is reviewed and approved by top management in the organization before the opening meeting of your internal audit.
Corrective Action (CA)
TransparencyRemember, an important rule of auditing is that an auditor may not audit their own work. If you are the Sales Manager in the organization, or in charge of Quality Control, then you may not audit those departments if you have performed or signed off on any of the work that is being audited. This means that you will need to train one or more other people in your organization to be part of an audit team which you would lead. They do not need to have Third Party Lead Auditor training; they do need to have some introductory training in the requirements of the ISO 9001 standard and familiarity with the QMS. To preserve their freedom to audit without fear of repercussion, they should not be in your reporting structure. Even if you are well respected, there should be no perception of a conflict of interest. When you move on, your replacement in the organization may not be such a nice person as you. In the meantime, while you are the only auditor, you can begin auditing other parts of the organization. For all the same reasons, it is not a good idea for you to interview personnel who report directly to you.
The Audit ReportLook for the positive - where people are doing a good job, and where the QMS is working well for the organization. Make sure that this comes out in the beginning of your audit report. Very importantly, remember that we AUDIT THE SYSTEM, NOT THE PEOPLE. If there is an NC it is because the system has allowed it to happen. Ensure that people associated with an NC are given an opportunity to explain why it might not be an NC, or that they agree that it is, indeed, a nonconformity. They will, in all likelihood, be involved in the corrective action and so the organization needs them to be on board during root cause analysis.
Have you watched my video, A Common Mistake in ISO training?
Nothing else that I can tell you is more important that what I say there!
"EVERY SYSTEM IS PERFECTLY DESIGNED TO GET THE RESULTS IT GETS"
- W. Edwards Deming quoting Arthur Jones.