The Seven Most Important ISO 9001:2015 Audit Questions

Editor’s Note: This piece first appeared in 2016 and has proven to be one of the most popular articles we have ever published here on The Auditor Online. Do you feel that Craig Cochran’s advice still holds up after several years? What questions, if any, have emerged since then that should be included on this list? Please add your comments below and we’ll craft a follow-up article based on this feedback.

By Craig Cochran

If you’re preparing to start auditing to ISO 9001:2015, you’ve probably already asked yourself the timeless question: “What in the heck am I going to ask these people?” There’s no worse feeling in the world than being in the middle of an audit and realizing that you’ve run out of questions. Preparation and planning can remedy this, of course, but the fact remains that ISO 9001:2015 includes a lot of new requirements that have never been part of most audits. To help prepare you for auditing to ISO 9001:2015, I’ve prepared a list of what I consider to be the seven most important audit questions for ISO 9001:2015:

1. What can you tell me about the context of your organization?

This question is the starting point of ISO 9001:2015, appearing in clause 4.1. The standard uses the clunky term “context,” but this could easily be substituted by asking about the organization’s internal and external success factors. Questions about context are usually directed at top management or the person leading the quality management system (QMS)–formerly known as the management representative. As an auditor, you’re looking for a clear examination of forces at work within and around the organization. Does this sound broad and a little vague? It is. Thankfully, the standard provides some guidance, saying that context must include internal and external issues that are relevant to your organization’s purpose, strategy, and QMS goals. Many organizations will probably use a SWOT (strengths, weaknesses, opportunities, and threats) analysis to help get their arms around context, but it’s not a requirement. What the organization learns with this will be a key input to risk analysis. (Note: Not everybody will understand the term “context.” Be prepared to discuss the concept and describe what ISO 9001:2015 is asking for.)

2. Who are your interested parties and what are their requirements?

The natural follow-up to context is interested parties, found in clause 4.2. Just like context, interested parties are a key input to risk. The term “interested parties” has a bizarre, stalker-like ring to it, so smart auditors might want to replace it with “stakeholders.” Remember, effective auditors try to translate the arcane language of ISO 9001:2015 into understandable terms that auditees can grasp. Typical interested parties include employees, customers, suppliers, business owners, debt holders, neighbors, and regulators.

As an auditor, you’re making sure that a reasonable range of interested parties has been identified, along with their corresponding requirements. The best way to audit this is an exploratory discussion. Ask questions about the interested parties, and probe what they’re interested in. If you’ve done some preparation in advance of the audit, you’ll know whether their examination of interested parties is adequate.

This brings up an important planning issue: You’ll have to do a bit more preparation before an ISO 9001:2015 audit. Why? So you’ll have a grasp of context and interested parties. How can you evaluate their responses if you don’t know what the responses should be?

3. What risks and opportunities have been identified, and what are you doing about them?

Risks and opportunities could accurately be called the foundation of ISO 9001:2015. No fewer than 13 other clauses refer directly to risks and opportunities, making them the most “connected” section of the standard. If an organization does a poor job of identifying risks and opportunities, then the QMS cannot be effective, period.

Auditors should verify that risks and opportunities include issues that focus on desired outcomes, prevent problems, and drive improvement. Once risks and opportunities are identified, actions must be planned to address them. ISO 9001:2015 doesn’t specifically mention prioritizing risks and opportunities, though it would be wise for organizations to do this. Risks and opportunities are limitless, but resources are not.

4. What plans have been put in place to achieve quality objectives?

Measurable quality objectives have long been a part of ISO 9001. What’s new is the requirement to plan actions to make them happen. The plans are intended to be specific and actionable, addressing actions, resources, responsibilities, timeframes, and evaluation of results. Auditors should closely examine how the plans have been implemented throughout the organization and who has knowledge of them. Just as employees should be aware of how they contribute to objectives, they should be familiar with the action plans.

5. How has the QMS been integrated into the organization’s business processes?

In other words, how are you using ISO 9001:2015 to help you run the company? This is asked directly of top management (see subclause 5.1.1c) and is a very revealing question. The point is that ISO 9001 is moving away from being a quality management system standard and becoming a strategic management system. It’s not just about making sure products or services meet requirements anymore. The standard is about managing every aspect of the business. Remember clauses 4.1 and 4.2 of ISO 9001:2015? They examine the key topics of context and interested parties. These concepts touch every corner of the organization, and this is exactly how ISO 9001:2015 is intended to be used. Top management should be able to describe how the QMS is used to run the company, not just pass an audit.

6. How do you manage change?

This topic comes up multiple times in ISO 9001:2015. The first and biggest clause on the topic is clause 6.3, Planning of changes. Here we identify changes that we know are coming and develop plans for their implementation. What kind of changes? Nearly anything, but the following changes come to mind as candidates: new or modified products, processes, equipment, tools, employees, regulations. The list is endless. An auditor should review changes that took place and seek evidence that the changes were identified and planned proactively.

Change that happens in a less planned manner is addressed in subclause 8.5.6. Here the auditor will seek records that the changes met requirements, the results of reviewing changes, who authorized them, and subsequent actions that were necessary.

7. How do you capture and use knowledge?

ISO 9001:2015 wants organizations to learn from their experiences, both good and bad. This could be handled by a variety of means: project debriefs, job close-outs, staff meetings, customer reviews, examination of data, and customer feedback. How the organization captures knowledge is up to it, but the process should be clear and functional. The knowledge should also be maintained and accessible. This almost sounds like it will be “documented” in some way, doesn’t it? That’s exactly right. One way to audit this would be to inquire about recent failures or successes. How did the organization learn from these events in a way that will help make it more successful? It’s the conversion of raw information to true knowledge, and it just happens to be one of the most difficult things an organization can achieve.

These are by no means the only questions you’ll want to ask. They’re just the starting point. I didn’t even mention management review, corrective action, or improvement—all of which are crucial to an effective QMS. The seven topics discussed here are the biggest new requirements that auditors need to probe. I would be very interested in hearing from you on this subject. What audit questions do you see as critical in ISO 9001:2015? Please leave your comments below.

About the author

Craig Cochran is the North Metro Regional Manager with Georgia Tech’s Economic Development Institute. He has assisted more than 5,000 companies since 1999 in QMS implementation, problem solving, auditing, and performance improvement. Cochran is a Certified Quality Manager, Certified Quality Engineer, and Certified Quality Auditor through the American Society for Quality. He is certified as a QMS Lead Auditor through Exemplar Global.

He is the author of numerous books, including the newly released ISO 9001:2015 in Plain English , published by Paton Professional .

Related Posts

Climate Action ISO Standard Amendment →

Why ISO 9001 Still Matters →

Four Ways to Get More Value from Your Internal Audits →

The Future of Quality Management Is Business Success, Part 5 →

59 Responses

Hi Craig
I would appreciate the ISO 9001 and 14001-2015 check lists. Kindly advise the costs if any have a great day
Best Regards
Mike Bird

Excellent article. One comment though, to me context is the external and internal “pressures” on the organization and what they do to counter act or respond to these. For example, customers put certain pressures on an organization. What does the organization do because of their customers?

Excellent article. Is there a checklist that can be used for internal audits on ISO 9001 : 2015 and ISO 14001 : 2015 ?

This is a great article, interesting reading
If possible, where can we obtain checklists for the new standards?

Excellent article adding a new dimension to some of the basic questions used to ascertain where an organisation is at.

Same request is there a checklist and if so may I obtain one? I am concerned about acceptable evidence for the new 9001:2015.

How are these executive level discussions handled in terms of audit nonconformances? If the auditor determines in his/her view that the performance is ineffective, how is that documented as “major” or “minor” nonconformances, and is it not open to debate? How are the auditors trained to have these executive level conversations and make these judgments?

1.to answer Q7 about capturing and maintaining knowledge in the organisation one can refer to Cl 7.1.6-organisation knowledge.
2. For other Questions too author can put the relevant sections of ISO 9001:2015
overall excellent coverage for beginners.

Excellent article. It would be appropriate to also include a question about how the organization has internalized the new term of 7.5 documented information.
Best Regards.
Víctor Quispe.
Lima-Perú.

Dear Craig
I trust you are well? I requested some information on January 27th 2016-kindly refer to the first [1st] of eleven responses above. Any luck/information or Joy related to this request.
Have a great day and Best Regards
Mike Bird
Fellow and Foundation Member of QSA
+ 61 408 566 037

Excellent! Please provide knowledge on:
OFI (Opportunities For Improvement)
Standard Reference: ISO 9001: 2015 (Clause wise) Thanks & Regards,
Rajeswar Bomma

Hi Craig
I would appreciate the ISO 9001 and 14001-2015 check lists. Kindly advise.
Have a great day
Best Regards
David.Thia

hi
thanks for describe the requirements of 9001.
may i have example for the organizational knowledge and audit check list?

This is a great article, interesting reading
If possible, where can we obtain checklists for the new standards?

Thank you Craig. I have your book, ” ISO 9001: 2015 in Plain English” . Well explained. I want to get in touch with you. Can you please share your mail id ? Can you please share some examples for Audit exercises? (These can be used for training) That exercise should contain the observation by Auditor and from there we need to identify the Non-Conformities mentioning ISO 9001:2015 clauses. Thank you once again.

Sorry….these are not the most important questions! These will get you less than half the picture of whether a QMS is healthy, robust and functioning as intended!

Very informative write up, indeed. Some of the new requirements, such as knowledge base is very deep and value meaning for the organizations. Even a century ago a few organizations avoided trap of “not reinventing the wheel” (inefficiency) by keeping well structured documents (design, amendments, corrections, improvement etc.) so now a days having information technology, data bases, server etc. retaining and protecting information is not a big issue it used to be. However, the structure of the information is key and it is an art form known to a few not many.

Thank you for your writting! It is easy to understand and detailed. I feel it is interesting, I hope you continue to have such good posts.

Subjective Assignment 1.Read and understand the following scenario
given below; Based on the scenario, state the Non
conformity (NC) and mention the NC clause. State
whether it is a major or minor Non conformity. Write
the Objective evidence for Non conformity.
The supplier development process, “Materials
approval on the incoming inspection,” is out of
control. Further investigation showed that the
major problems were with new suppliers that were
selected without any manufacturing site audit,
as stated in the supplier development procedure
in P7.1, Revision C. According to the purchasing
manager, this problem happened because they did
not have time to evaluate suppliers in the latest
product development. Response* Enter your answer

Appreciate the time you spend in sharing your knowledge and understanding of these standards. There is always something new for us to learn.

Hi craig this article superb . Is there a checklist that can be used for internal audits on ISO 9001 : 2015 and there relevant clause in all the department ? At least for fresher