Quality Assurance: Audit Procedures
Quality assurance audit procedures define the structured sequence of activities through which an organization's quality management system is evaluated against established standards, regulatory requirements, and internal criteria. This reference covers the mechanics, classification, regulatory framing, and known tensions in QA audit practice across industrial, healthcare, software, and manufacturing sectors. Audit procedures sit at the intersection of compliance obligation and operational improvement, making their correct application consequential for certification status, legal standing, and product safety.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
A quality assurance audit is a systematic, independent, and documented examination of quality-related activities and their results (ISO 9000:2015, clause 3.13.1). The ISO definition distinguishes audits from inspections: inspections measure conformance of a product or process output, while audits evaluate whether the system generating those outputs is operating as intended. This boundary matters for regulatory compliance — the U.S. Food and Drug Administration's Quality System Regulation (21 CFR Part 820) requires both forms, and conflating them can create gaps in audit coverage that trigger warning letters or consent decrees.
Scope in practice extends across four dimensions: organizational units covered, time period under review, processes subject to examination, and applicable standards or requirements used as audit criteria. Narrowly scoped audits focus on a single procedure or department. Full-scope system audits traverse all clauses of a reference standard, such as all 10 sections of ISO 9001:2015 or all 21 elements of AS9100 Rev D for aerospace quality systems. The quality assurance regulatory framework page documents the specific federal and international frameworks that typically set mandatory audit scope requirements.
Core mechanics or structure
The structural backbone of a QA audit follows a phase model codified in ISO 19011:2018, Guidelines for Auditing Management Systems (ISO 19011:2018), which is the primary international reference for audit program management.
Audit program management — The overarching program defines audit frequency, resource allocation, and competence requirements for auditors. ISO 19011:2018 clause 5 requires that audit programs be established, implemented, and reviewed as a managed process, not ad hoc activity.
Audit planning — Individual audit events are planned by identifying objectives, scope, criteria, and the audit team. The audit plan documents logistics, the sequence of activities, and assignment of responsibilities. Audit criteria are the policies, procedures, or requirements against which evidence is compared.
Document review — Before on-site activity, auditors review the documented quality management system — quality manuals, procedures, and records — to assess whether documentation is internally consistent and adequate to meet stated criteria. The quality assurance documentation requirements reference covers what documentation is typically required at this stage.
On-site execution — The opening meeting formally communicates audit scope and method to auditees. Evidence collection proceeds through interviews, observation of processes, and sampling of records. ISO 19011:2018 clause 6.4 describes evidence collection as requiring objective, verifiable information — not auditor opinion.
Findings and nonconformance — Audit findings are classified as conformances, nonconformances (major or minor), or observations/opportunities for improvement. A major nonconformance indicates systemic failure or absence of a required element. A minor nonconformance indicates an isolated deviation that does not indicate system breakdown.
Audit report and closing meeting — Findings are documented in a formal report. The closing meeting communicates findings directly to management. Reports must be retained as quality records under most certification schemes; FDA's 21 CFR 820.22 specifically mandates that internal audit results be documented and reviewed by management.
Follow-up and corrective action — Nonconformances trigger a corrective action process. The audit function verifies effectiveness of corrective actions within a defined timeframe.
Causal relationships or drivers
Three categories of drivers compel QA audit activity: regulatory mandates, certification requirements, and risk management objectives.
Regulatory mandates attach legal consequence to audit performance. The FDA's Quality System Regulation (21 CFR Part 820) requires manufacturers of medical devices to conduct audits at defined intervals and retain results. The U.S. Department of Defense's MIL-SPEC and MIL-STD contract clauses impose audit requirements on defense suppliers. The Nuclear Regulatory Commission's 10 CFR Part 50, Appendix B requires audits of quality assurance programs for nuclear facility construction and operation.
Certification requirements drive voluntary but commercially necessary audit cycles. ISO 9001:2015 certification, held by over 1 million organizations across 170 countries as of the ISO Survey 2022, requires internal audits at planned intervals (clause 9.2) and surveillance audits by accredited certification bodies, typically annually, with recertification every 3 years.
Operational risk drives audit frequency beyond the minimum required. Sectors with high consequence of failure — aerospace, pharmaceutical, nuclear — apply risk-based audit frequency models where higher-risk processes or suppliers receive more frequent and deeper audit coverage than lower-risk ones.
Classification boundaries
QA audits are classified along three primary axes:
By relationship of auditor to auditee:
- First-party audits (internal audits): Conducted by or on behalf of the organization itself. Governed by ISO 19011:2018 and internal procedure requirements.
- Second-party audits: Conducted by a customer or their representative on a supplier. Common in aerospace, automotive (per IATF 16949:2016), and defense supply chains.
- Third-party audits: Conducted by an independent certification or regulatory body. These carry external certification or regulatory consequence.
By subject matter:
- System audits: Evaluate the overall QMS against a standard.
- Process audits: Evaluate a specific process against defined criteria.
- Product audits: Evaluate a product or service against specifications (distinct from inspection — the audit evaluates whether the process that produced the product conforms, not merely the product itself).
By timing:
- Scheduled audits: Planned as part of the audit program calendar.
- Unannounced audits: Conducted without prior notice; common in FDA inspections and food safety certification schemes such as FSSC 22000.
- Special-purpose audits: Triggered by specific events — customer complaints, nonconformance trends, or process changes.
Tradeoffs and tensions
Auditor independence versus organizational knowledge. ISO 19011:2018 clause 7.2.3 requires auditors to be objective and impartial. Auditors with deep organizational knowledge are better at detecting subtle nonconformances but face independence risks when auditing processes they helped design. This tension is structurally unresolvable within small quality teams and is managed through documented conflict-of-interest protocols.
Audit depth versus audit breadth. A fixed audit duration forces a tradeoff between covering all processes at a surface level and deeply examining fewer processes. Risk-based audit planning mitigates this by concentrating depth on high-risk areas, but the selection of what constitutes "high-risk" introduces subjectivity.
Compliance-focused versus improvement-focused framing. Audits structured primarily to find nonconformances to close for certification purposes tend to produce defensive auditee behavior that limits disclosure. Audits framed as improvement-seeking generate more candid evidence but may produce fewer formal findings, which can appear to external registrars as insufficient rigor.
Documentation of observations. Minor observations — issues not rising to nonconformance — carry no formal corrective action obligation. Organizations may choose not to track them systematically, which can allow degradation trends to go undetected across audit cycles.
Common misconceptions
Misconception: Passing an audit means the QMS is effective. Audit findings reflect the evidence sampled during the audit window. ISO 19011:2018 explicitly states that audit conclusions are based on a sample of available information, and sampling always carries the risk of undetected nonconformances. Certification audits conducted by accredited bodies confirm conformance to the standard at the time of audit — they do not certify product quality or operational outcomes.
Misconception: Internal audits are less rigorous than third-party audits. Rigor is a function of auditor competence, program design, and independence protocols — not of which party conducts the audit. ISO 9001:2015 clause 9.2.2(b) requires internal auditors to ensure objectivity and impartiality but imposes no equivalent requirement on external auditors. Internal audit programs with trained, independent auditors and documented evidence trails can and do identify nonconformances that third-party surveillance audits miss.
Misconception: The audit checklist determines the audit scope. Checklists are tools for ensuring consistent coverage; they are not the scope. Scope is defined in the audit plan per ISO 19011:2018 clause 6.2. An auditor following only a checklist and declining to investigate process deviations observed during evidence collection would be failing their procedural obligation.
Misconception: A closed corrective action demonstrates audit effectiveness. Corrective action closure confirms that a response was documented and implemented. Audit effectiveness is measured by whether the root cause was eliminated and recurrence was prevented — which requires follow-up verification, not just closure signature.
Checklist or steps (non-advisory)
The following sequence reflects the procedural phases codified in ISO 19011:2018 and common practice across ISO 9001, AS9100, and FDA QSR audit programs:
- Establish or review the audit program — Confirm audit frequency, auditor assignments, resource availability, and criteria for the period.
- Define audit objectives, scope, and criteria — Document the specific standard clauses, regulatory requirements, or internal procedures to be evaluated.
- Select and assign the audit team — Confirm auditor competence and independence relative to the processes being audited.
- Develop the audit plan — Include schedule, process sequence, document review timing, and auditee notification method.
- Conduct document and record review — Assess documented information against audit criteria before on-site activities begin.
- Hold opening meeting — Present audit scope, schedule, confidentiality arrangements, and evidence collection methods to auditee management and process owners.
- Collect objective evidence — Conduct interviews, observe process execution, and sample records using the audit plan sequence.
- Analyze findings — Classify evidence as conforming, nonconforming (major/minor), or observation. Document findings with specific evidence references.
- Hold closing meeting — Present findings, confirm factual accuracy with auditees, and communicate next steps.
- Prepare and distribute audit report — Issue the formal report within the timeframe specified in the audit program.
- Initiate corrective action for nonconformances — Assign responsibility and due dates per the corrective action procedure.
- Verify corrective action effectiveness — At a defined interval, confirm that implemented corrections eliminated the root cause.
- Update audit program records — Document audit completion, findings status, and any changes to the audit program prompted by results.
Reference table or matrix
| Audit Type | Conducting Party | Primary Standard/Reference | Typical Trigger | Formal Output |
|---|---|---|---|---|
| Internal (first-party) | Organization's own auditors | ISO 19011:2018; ISO 9001:2015 §9.2 | Audit program schedule | Internal audit report; corrective action records |
| Customer/supplier (second-party) | Customer or designated representative | IATF 16949:2016; AS9100 Rev D | Supplier qualification; performance event | Supplier audit report; SCAR |
| Certification (third-party) | Accredited certification body (e.g., BSI, DNV, Bureau Veritas) | ISO 9001:2015; AS9100; IATF 16949 | Initial certification; annual surveillance | Certificate of conformance; nonconformance report |
| Regulatory inspection | Government agency (FDA, NRC, DOD DCMA) | 21 CFR Part 820; 10 CFR Part 50 App B; MIL-STD-1916 | Routine; complaint; pre-approval | Inspection observation (FDA Form 483); Notice of Violation |
| Unannounced audit | Certification body or regulatory agency | FSSC 22000; BRC Global Standard | Program requirement; triggered event | Audit report with immediate findings |
| Process audit | Internal or second-party | AIAG CQI references; AS9101 | Process change; nonconformance trend | Process audit report; improvement actions |
References
- ISO 19011:2018 — Guidelines for Auditing Management Systems
- ISO 9001:2015 — Quality Management Systems: Requirements
- ISO 9000:2015 — Quality Management Systems: Fundamentals and Vocabulary
- ISO Survey of Management System Standard Certifications 2022
- FDA 21 CFR Part 820 — Quality System Regulation (Medical Devices)
- NRC 10 CFR Part 50, Appendix B — Quality Assurance Criteria for Nuclear Power Plants
- AS9100 Rev D — Quality Management Systems: Requirements for Aviation, Space, and Defense Organizations (SAE International)
- IATF 16949:2016 — Quality Management System Requirements for Automotive Production (IATF)
- American Society for Quality (ASQ) — Audit Resources