Is there a hole in your internal quality audit programme?

The hole in many internal audit programmes

Quality management systems need checks and maintenance to ensure that they are being effectively implemented to meet requirements. Perhaps the best, structured form of pro-active verification is a programme of internal audits. Not surprisingly, internal audits are a mandatory requirement of standards like ISO 9001. This means that your QMS (Quality management system) cannot be certified without them. In fact, failure to adequately schedule and perform internal audits is one of the most common reasons for nonconformances during certification.

So, any organisation that establishes and implements a QMS based on ISO 9001 includes an internal audit programme as part of that system. Often, internal audits are conducted on say, an annual basis against each documented procedure or each major operational process. While that may have traditionally satisfied the minimum requirements, there is one increasingly important part of the ‘real business’ that is often overlooked when setting out the internal audit programme. That omission is the organisation’s online presence. At the very least, most serious organisations have a basic website, and many would also offer e-Commerce facilities, have a Facebook wall, YouTube channel, and participate in other social media activities.

You may be tempted to ask: What has that all got to do with Quality and ISO 9001? Hopefully, the following bullet points will answer that:

• A website may be considered as part of an organisation’s infrastructure. In particular, an information system that provides a supporting service. This is relevant to ISO 9001 Clause 7.1.3 Infrastructure.
• The responsibility of a management representative can include communication / liaison with external parties on matters relating to the QMS. Basic information about the QMS can be communicated on the organisation’s web site. This will help to provide some assurance to existing and potential customers alike. You might also include mention of any certification held. If asked, your certification body should provide a web-friendly image of their logo for the purpose. This is relevant to ISO 9001 Clauses 5.3 Roles and Responsibilities, and 7.4 Communication.
• Basic functionality of most corporate website includes communicating with customers and potential customers about products/services, and facilitating their enquiries, complaints, and other feedback. Those activities relate specifically to ISO 9001 clause 8.2.1 Customer communication.
• Those with more technical products and services might also include Support or FAQ pages on their web site. Support and guidance information can be considered as post-delivery activities, and those areas of a web site would therefore be relevant to ISO 9001 clauses 8.2.1 Customer communication and 8.5.1 Control of Production and service provision (and potentially other clauses too).
• Any customer data collected by your web site would be relevant to ISO 9001 clause 8.5.3 Property belonging to customers or external providers and 7.5.3 Control of documented information. It would also come into consideration for relevant privacy legislation and regulations, and would be taken into account in information security controls. Such data might include contact details, personal, organisational, or commercial information, and – if the site includes an e-Commerce component - even payment card data. This item is an illustration of the linkage between ISO 9001 Quality and ISO 27001 Information Security / PCIDSS  Payment Card Security - which we'll explore further in another article.

These are just a few examples of how an organisation’s website relates to (or should relate to) its QMS. In any individual circumstance, there may be many others. So, as the web site becomes progressively more critical to business success (and indeed, survival), it makes good sense for the key aspects of that website to become an integral part of the internal audit programme. If it’s critical to business success, it’s worth checking.

Fixing the hole in your programme

So, how do we audit a website? Well, the primary intention should be to verify that the implementation of the website is functional and correct. There may also be a performance element to the audit too. The audit may be performed by the auditor actually checking the web site, interviewing relevant personnel (and possibly customers), and inspecting records that relate to the website’s management and monitoring activities. The following is a sample of items that may be included on an audit checklist. Verify:

• Organisation and contact details are current and correct
• Email and other hyperlinks work
• The design is ‘on brand’ – consistent with any corporate style guides
• Product / service information is current and correct
• Any enquiry or support forms have appropriate options and function correctly
• Time taken to respond to forms submitted
• Appropriateness of response
• Appearance and functionality in supported range of browsers
• Functionality and accessibility on mobile phone screens
• Website performance: Uptime – or % availability over time (assuming site is monitored)
• Website performance: Average Connect time (assuming site is monitored)
• Website performance: Analytics (page views, visitors, click behaviour, bounce rate, visit duration etc.)
• Handling of customer data submitted via the website
• Website update arrangements
• Content backup arrangements

Qudos 3 clients will find an enhanced Web Site Audit Checklist in one of the software's many Audit Templates.

We have restricted this audit checklist to websites only, but if an organisation is engaged in Instagram, Facebook, LinkedIn, YouTube and other social media, there may be a need to also include those activities in its audit programme. Depending on scope and resource availability, that may require a more extensive checklist or a series of separate audits.

Your audit programme and checklist(s) should also be flexible. They should be adjusted to take into account results from previous audits, relevant nonconformances or improvement actions, and events such as changes in technology, usage patterns, or customer expectations.

Auditing the real quality management system

A number of the checklist items in the bullet points above imply the need for relevant planning activities, documented policies, objectives and procedures. For example, verifying “Appearance and functionality in supported range of browsers” is dependent on someone having made a decision on which browsers are to be supported. That choice will change over time as new browsers become popular and existing browsers are updated. The decision on what to support may be part of a planning exercise. If those elements of planning and administering the website are currently missing in your QMS, it may suggest an expansion in the direction of managing the ‘real business’. In many cases, activities surrounding websites and an organisation's wider online presence have developed outside the control of management systems. As those activities become increasingly important, then they also should also be suitably planned, implemented and checked. The lack of any pro-active internal audits of website / online presence is a hole in the audit programme that should definitely be filled!