Regarding requirement 8.6.4 of ISO/IEC 17020 (internal audits):
The requirement states that “internal audits must be performed at least annually.” Does this mean that internal audits must be carried out every 12 months, or can we consider it once per calendar year? For example: can an internal audit in March 2023 then a new internal audit in November 2024 be considered compliant with the standard?). It also indicates “The frequency of internal audits can be adjusted according to the effectiveness and demonstrated stability of the management system”. Can we consider that the adjustment is within the period of 12 months/calendar year or beyond this period?
The ISO/IEC 17020 Standard does not use the word “annually”, rather it uses the phrase “every 12 months”, which is taken literally in this case. If your internal audit was conducted in March 2023, the expectation is that it is conducted again by March 2024.
The same clause also allows you to extend your frequency beyond 12 months, if your QMS is stable. Stable generally means no turnover of key personnel, no ownership changes, no findings in your last few internal and external audits, etc. ILAC P15, clauses 8.6.4 n1/n2 provide examples of when it is or is not appropriate to extend the frequency. It also provides guidance on when the IB should conduct them more frequently. The AB will generally evaluate the frequency vs. the stability during their assessments. If they feel that the frequency is too long (e.g. 5 years) or is not warranted for a variety of reasons, they will identify that and discuss.
The question is related to requirement 8.6.4 where it establishes that “internal audits must be carried out at least once every 12 months” It also defines that the frequency can be adjusted based on the proven effectiveness of the management system and its stability proven”.
What is the justification or criterion for defining an audit frequency as a rule, if it is understood that this activity is control by management to review and evaluate the status of the management system and therefore it would be at their discretion define the frequency taking into account the criteria defined in numeral 8.6.2 and the ILAC P15 guidelines numeral 8.6.4 n1?
Yes, the management of the Inspection Body is ultimately the one to set the frequency. However, if the Accreditation Body does not feel the extended durations are appropriate (e.g. an audit every 5 years), or that the management system is not stable (high turnover or major NCs cited during assessments), they have the responsibility to address that with the IB. If for some reason the two sides cannot not come to a reasonable agreement, the Accreditation Body has the right to terminate the accreditation.
Refer to ILAC P15, clauses 8.6.4 n1/n2 for guidelines on when it would be prudent to decrease the frequency of internal audits, or when it may be permissible to extend the durations past 12 months.
The question is related to requirement 8.6.4 where it establishes that “internal audits must be carried out at least once every 12 months” It also defines that the frequency can be adjusted based on the proven effectiveness of the management system and its stability proven”.
An Accreditation Body may ignore situations such as those described in Q 2 and demand or declare non-compliance with requirement 8.6.4 of the minimum frequency of 12 months, regardless of whether the Inspection Body has adequately documented and justified based on the effectiveness of the system. of management and proven stability and by situations of care of the global contingency of COVID 19?
The accreditation body will evaluate the effectiveness of your management system based on the results of their accreditation activity, and other factors such as turn over of key personnel, changes in location or ownership, major updates to the ISO or ILAC standards, etc.
The question is related to requirement 8.6.4 where it establishes that “internal audits must be carried out at least once every 12 months” It also defines that the frequency can be adjusted based on the proven effectiveness of the management system and its stability proven”. Valid justifications for expanding the audit frequency can be situations such as pandemics (covid 19), legal situations, country regulations, natural situations (hurricanes, earthquakes, other), war situations, death of key personnel, contagion of key personnel, illness of key personnel, among others?
While pandemics, wars and illness can certainly affect the timing, those are not the justifications the standard is referencing. Internal audits can be completed remotely or delayed temporarily. The exception is more of a systemic change in frequencies, not an emergency event.
The question is related to requirement 8.6.4 where it establishes that “internal audits must be carried out at least once every 12 months” It also defines that the frequency can be adjusted based on the proven effectiveness of the management system and its stability proven”. Is it possible for audits to be carried out at frequencies greater than 12 months, if there is justification based on the effectiveness of the management system and proven stability?
Yes, as stated in clause 8.6.4, it is possible to go longer than a 12 month frequency for your Internal Audits. The valid reasons are stated as “demonstrable effectiveness of the management system and its proven stability”. That has to do with if you have had stability with key personnel, have had little or no findings during your internal & external evaluations, and you have a generally stable QMS in place with no major changes.
How can a very small inspection body, e.g. a one-man inspection body, fulfil the requirement for performing internal audits without auditing their own work?
ILAC/IAF Committees FAQs 