
QMS Internal Audit Gap Analysis Checklist

ISO 9001:2008 Company Name Date

ISO9001:2008 Internal Audit and Gap Analysis

CLIENT NAME: {}
ADDRESS OF COMPANY: {}
NAME OF CLIENT CONTACT PERSON: {}
POSITION OF CLIENT CONTACT PERSON: {}
STANDARD: {}
AUDIT START DATE: {}
AUDIT END DATE: {}
AUDITOR: {}
NUMBER OF EMPLOYEES: {}

SIGNATURE:

CLIENT CONTACT PERSON(s): {}
SIGNATURE:


Questions | Status | Actions/Comments

4.0 QUALITY MANAGEMENT SYSTEM

4.1 General Requirements
1. Does the organization manage its processes in accordance with the requirements of the ISO 9001 International Standard?
2. Does the organization establish, document, implement, and maintain a quality management system, and continually improve its effectiveness, in accordance with the requirements of the ISO 9001 International Standard?
3. Does the organization identify the control of outsourced processes?

4.2 Documentation Requirements

4.2.1 General
4. Does the quality management system documentation include:
- Documented statements of a quality policy and quality objectives?
- A quality manual?
- Documented procedures required by the ISO 9001 International Standard?

4.2.2 Quality Manual
5. Has a quality manual been established and maintained that includes:
a) The scope of the quality management system, including details of, and justification for, any exclusion (see 1.2)?
b) The documented procedures established for the quality management system, or reference to them?
c) A description of the interaction between the processes of the quality management system?


4.2.3 Control Of Documents
6. Are documents required by the QMS controlled? Is a documented procedure established to define controls needed to:
- Approve documents for adequacy prior to issue?
- Review, update as necessary and re-approve documents?
- Ensure that changes and the current revision status of documents are identified?
- Ensure that relevant versions of applicable documents are available at points of use?
- Ensure that documents remain legible and readily identifiable?
- Ensure that documents of external origin are identified and their distribution controlled?
- Prevent the unintended use of obsolete documents, and apply suitable identification if they are retained?

4.2.4 Control Of Records
7. Is a documented procedure established to define controls needed?
8. Are records established and maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system?
9. Is a documented procedure established to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of records?



5.0 MANAGEMENT RESPONSIBILITY

5.1 Management Commitment
1. Does top management provide evidence of its commitment to the development and implementation of the quality management system and continually improving its effectiveness by:
- Communicating to the organization the importance of meeting customer, regulatory and statutory requirements?
- Establishing the quality policy
- Ensuring quality objectives are established and attained
- Conducting management reviews
- Ensuring availability of resources

5.2 Customer Focus
2. Does top management ensure that customer requirements are determined and are met with the aim of enhancing customer satisfaction?

5.3 Quality Policy
3. Does top management ensure that the quality policy:
- Is appropriate to the purpose of the organization?
- Includes a commitment to comply with requirements and to continually improve the effectiveness of the quality management system?
- Provides a framework for establishing and reviewing quality objectives?
- Is reviewed for continuing suitability?

5.4 Planning

5.4.1 Quality Objectives
4. Does top management ensure that quality objectives are established at relevant functions and levels within the organization?
5. Are the quality objectives measurable and consistent with the quality policy?

5.4.2 Quality Management System Planning
6. Does top management ensure that:
- Resources needed to achieve quality objectives are identified and planned.
- Is the output of planning documented? (e.g. quality manual, procedures, work instructions, quality plans, etc.)
- The integrity of the quality management system is maintained when changes to the quality management system are planned and implemented?

5.5 Responsibility, Authority And Communication

5.5.1 Responsibility And Authority
7. Does top management ensure that the responsibilities and authorities are defined and communicated within the organization?

5.5.2 Management Representative
8. Does top management appoint a member of management who, irrespective of other responsibilities, has responsibility and authority that includes ensuring that processes needed for the QMS are established, implemented and maintained?

5.5.3 Internal Communication
9. Does top management ensure that appropriate communication processes are established within the organization and that communication takes place regarding the effectiveness of the quality management system?

5.6 Management Review

5.6.1 General
10. Does top management review the organization's QMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness?
11. Does this review include assessing opportunities for improvement and the need for changes to the quality management system, including the quality policy and quality objectives?


12. Are records from management reviews maintained (see 4.2.4)?

5.6.2 Review Input
13. Do inputs to management review include information on:
- Results of audits
- Customer feedback
- Process performance and product conformity?
- Status of preventive and corrective actions?
- Follow-up actions from previous management reviews?
- Changes that could affect QMS
- Recommendations for improvement?

5.6.3 Review Output
14. Do the outputs from the management review include any decisions and actions related to:
- Improvement of the effectiveness of the quality management system and its processes?
- Improvement of product related to customer requirements?
- Resource needs?

6.0 RESOURCE MANAGEMENT

6.1 Provision Of Resources
1. Does the organization determine and provide the resources needed to:
- Implement and maintain the QMS and continually improve its effectiveness?
- Enhance customer satisfaction by meeting customer requirements?

6.2 Human Resources

6.2.1 General
2. Are personnel competent on the basis of appropriate education, training, skills and experience?

6.2.2 Competence, Awareness And Training


3. Does the organization:
- Determine the necessary competence for personnel performing work affecting product quality?
- Evaluate the effectiveness of the actions taken?
- Ensure that its personnel are aware of the importance of their activities?
4. Maintain appropriate records of education, training, skills and experience? (example: OJT, training briefing, post-training evaluation, etc.)

6.3 Infrastructure
5. Does the organization determine, provide and maintain the infrastructure needed to achieve conformity to product requirements? Does it include, as applicable:
- Buildings, workspace and associated utilities?
- Process equipment (hardware and software)
- Supporting services (such as transport or communication)?

6.4 Work Environment
6. Does the organization determine and manage the work environment needed to achieve conformity to product requirements? (physical, environmental and other factors such as noise, temperature, humidity, lighting, weather)

7.0 PRODUCT REALISATION (AS APPLICABLE)

7.1 Planning Of Product Realization
1. Does the organization plan and develop the processes needed for product realization?
2. Does the organization determine the following, as appropriate:
- Quality objectives and requirements for the product?
Is the output of this planning in a form suitable for the organization's method of operations?

7.2 Customer-Related Processes

7.2.1 Determination Of Requirements Related To The Product
3. Does the organization determine the requirements specified by the customer, including the requirements for delivery and post-delivery activities?

7.2.2 Review Of Requirements Related To The Product
4. Does the organization review the requirements related to the product?
5. Is this review conducted prior to the organization's commitment to supply a product to the customer (e.g. submission of tenders, acceptance of contracts or orders, acceptance of changes to contracts or orders)?

7.2.2 CUSTOMER COMMUNICATION
6. Does the organization determine and implement effective arrangements for communicating with customers in relation to:
- Product information?
- Inquiries, contracts or order handling, including amendments?

7.3 Design And Development

7.3.1 Design And Development Planning
7. Does the organization plan and control design and development of product?
8. During the design and development planning does the organization determine the:
- Design and development stages?
- Review, verification and validation that is appropriate to each design and development stage?
- Responsibilities and authorities for design and development?
9. Are interfaces between different groups involved in design and development managed to ensure effective communication and clear assignment of responsibility?
10. Is the planning output updated, as appropriate, as the design and/or development progresses?

7.3.2 Design And Development Inputs
11. Are inputs relating to product requirements determined and records maintained (see 4.2.4)?
12. Do these inputs include:


- Functional and performance requirements?
- Applicable statutory and regulatory requirements?
- Where applicable, information derived from previous similar designs?
- Other requirements essential for design and development?
13. Are requirements complete, unambiguous and not in conflict with each other?

7.3.3 Design And Development Outputs
14. Are the outputs of design and development process provided in a form that enables verification against the design and development input?
15. Does design and development output:
- Meet the input requirements?
- Provide appropriate information for purchasing, production and service provision (see 7.5)?
- Contain or reference product acceptance criteria?
- Specify the characteristics of the product that are essential for its safe and proper use?

7.3.4 Design And Development Review
16. At suitable stages, are systematic reviews of design and development performed in accordance with planned arrangements (see 7.3.1):
- To evaluate the ability of the results of design and development to meet requirements?
- To identify any problems and propose necessary actions?
17. Do participants in such reviews include representatives of functions concerned with the design and development stage(s) being reviewed?
18. Are records of the results of the reviews and any necessary actions maintained (see 4.2.4)?

7.3.5 Design And Development Verification
19. Is verification performed in accordance with planned arrangements (see 7.3.1) to ensure the design and development outputs have met the design and development input requirements?
20. Are records of the results of the verification and any necessary actions maintained (see 4.2.4)?

7.3.6 Design And Development Validation
21. Is design and development validation performed in accordance with planned arrangements to ensure that the resulting product is capable of meeting the requirements for the specified application or intended use, where known?

7.3.7 Control Of Design And Development Changes
22. Are design and development changes identified and records maintained?
23. Are the changes reviewed, verified and validated, as appropriate, and approved before implementation?
24. Does this review include evaluation of the effect of the changes on constituent parts and product already delivered?

7.4 PURCHASING

7.4.1 Purchasing Process
25. Does the organization ensure that purchased product conforms to specified purchase requirements?
26. Are the type and extent of control applied to the supplier and the purchased product dependent upon the effect of the purchased product on subsequent product realization or final product?

7.4.2 Purchasing Information
27. Does purchasing information describe the product to be purchased, including where appropriate:
- Requirements for approval of product, procedures, processes and equipment?
- Requirements for qualification of personnel?
- QMS requirements?
28. Does the organization ensure the adequacy of specified purchase requirements prior to their communication to the supplier?

7.4.3 Verification Of Purchased Product
29. Does the organization establish and implement the inspection or other activities necessary for ensuring that purchased product meets specified purchase requirements?
30. Where the organization or its customer intends to perform verification at the supplier's premises, does the organization state the intended verification arrangements and method of product release in the purchasing information?

7.5 Production And Service Provision

7.5.1 Control Of Production And Service Provision
31. Does the organization plan and carry out production and service provision under controlled conditions?

7.5.2 Validation Of Processes For Production And Service Provision
32. Does the organization validate any processes for production and service provision where the resulting output cannot be verified by subsequent monitoring or measurement?
33. Does the organization establish arrangements for these processes including, as applicable:
- Defined criteria for review and approval of the processes?
- Approval of equipment & qualification of personnel
- Use of specific methods and procedures?
- Requirements of records
- Revalidation?

7.5.3 Identification And Traceability
34. Does the organization identify, where appropriate, the product by suitable means throughout product realization?
35. Does the organization control and record the unique identification of the product, where traceability is a requirement (see 4.2.4)?
36. Are identification and traceability records maintained?

7.5.4 Customer Property
37. Does the organization identify, verify, protect and safeguard customer property provided for use or incorporation into the product?
38. Is any customer property that is lost, damaged or otherwise found to be unsuitable for use reported to the customer and records maintained (see 4.2.4)?
NOTE: Customer property can include intellectual property

7.5.5 Preservation Of Product
39. Does the organization preserve the conformity of product during internal processing and delivery to the intended destination?
40. Does this preservation include identification, handling, packaging, storage and protection?
41. Is preservation also applied to the constituent parts of a product?

7.6 Control Of Monitoring And Measuring Devices
42. Does the organization determine the monitoring and measurement to be undertaken and the monitoring and measuring devices needed to provide evidence of conformity of product to determined requirements (see 7.2.1)? (EX: calibration of scales, thermometer, etc.)

8.0 MEASUREMENT, ANALYSIS AND IMPROVEMENT

8.1 General
1. Does the organization plan and implement the monitoring, measurement, analysis and improvement processes needed to:
- Demonstrate conformity of the product?
- Ensure conformity of the quality management system?
- Continually improve the effectiveness of the quality management system?
2. Have applicable methods including statistical techniques and the extent of their use been determined?

8.2 Monitoring And Measurement

8.2.1 Customer Satisfaction
3. Does the organization monitor information relating to customer perception as to whether the organization has met customer requirements, as one of the measurements of performance of the quality management system?
4. Are the methods for obtaining and using this information determined?

8.2.2 Internal Audit
5. Is a documented procedure established for internal audit?
6. Does the organization conduct internal audits at planned intervals to determine whether the QMS:
- Conforms to the planned arrangements, requirements of the current revision of the ISO 9001 Standard?
- Is effectively implemented and maintained?
7. Are the audit criteria, scope, frequency and methods defined?
8. Does the selection of auditors and conduct of audits ensure objectivity and impartiality of the audit process?
9. Do follow-up activities include the verification of the actions taken and the reporting of verification results?

8.2.3 Monitoring And Measurement Of Processes
10. Does the organization apply suitable methods for monitoring, and where applicable, measurement of the QMS processes?
11. Do these methods demonstrate the ability of the processes to achieve planned results?
12. When planned results are not achieved, is correction and corrective action taken, as appropriate, to ensure conformity of the product?

8.2.4 Monitoring And Measurement Of Product
13. Does the organization monitor and measure the characteristics of the product to verify that product requirements have been met?
14. Does the organization ensure that product release and service delivery does not proceed until all the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, where applicable, by the customer?

8.3 Control Of Nonconforming Product


15. Has a documented procedure been established to define controls and related responsibilities and authorities for dealing with nonconforming products?
16. Does the organization ensure that product which does not conform to product requirements is identified and controlled to prevent unintended use or delivery?
17. Are records maintained (see 4.2.4) of the nature of nonconformities and any subsequent actions taken, including concessions obtained?
18. When nonconforming product is detected after delivery or use has started, does the organization take action appropriate to the effects, or potential effects, of the nonconformity?

8.3 ANALYSIS OF DATA
19. Does the organization determine, collect and analyze appropriate data to demonstrate the suitability and effectiveness of the QMS and to evaluate where continual improvement of the effectiveness of the QMS can be made?
20. Does this include data generated as a result of monitoring and measurement and from other relevant sources?
21. Does the organization analyze this data to provide information relating to:
- Customer satisfaction (see 8.2.1)?
- Conformity to product requirements
- Characteristics and trends of processes and products including opportunities for preventive action?

8.5 Improvement

8.5.1 Continual Improvement
22. Does the organization continually improve the effectiveness of the QMS through the use of the quality policy, quality objectives, audit results, analysis of data, corrective and preventive actions and management review?


8.5.2 Corrective Action
23. Does the organization take action to eliminate the cause of nonconformities in order to prevent recurrence?
24. A documented procedure is established to define requirements for:
- Reviewing nonconformities (including customer complaints).
- Determining the causes of nonconformities.
- Evaluating the need for action to ensure that nonconformities do not recur.
- Determining and implementing action needed.
- Records of the results of action taken.
- Reviewing corrective action taken

8.5.3 Preventive Action
1. Does the documented procedure for preventive action define requirements for:
- Determining potential nonconformities and their causes?
- Evaluating the need for action to prevent occurrence of nonconformities?
- Records of results of action taken (see 4.2.4)?
2. Does the organization determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence?
3. Are preventive actions appropriate to the effects of the potential problems?
