This page describes some simple procedures for work outside development projects, which are required by ISO 9001 / TickIT. The intention is that the readers should understand the requirements, and be able to prepare their own procedures.

Information about further procedures will be added.



Corrective and preventive action (ISO 9001 para 4.14)

Internal Quality Audits (ISO 9001 para 4.17)



Preventive action means to systematically use available information about deficiencies and problems to decide how the current competences, procedures and practices should be changed to prevent recurrence of the same or similar deficiencies or problems.

Corrective action means a systematic way to ensure that decided preventive actions and improvements of the current competences, procedures and practices are implemented. Input may come from preventive action, quality audits, suggestions from staff, customer complaints etc.

Procedures for preventive and corrective action should ensure

  1. that all problem reports are analyzed for actions to prevent recurrence and similar problems, and

  2. that decided corrective and preventive actions are implemented.

For example, the preventive action part might be that procedures for error handling require that copies of all problem reports be sent to an appointed person. That person would then be required to analyze the reports and, when suitable, initiate corrective action. The analysis and decision may simply be recorded on the form used for reporting the error.

The corrective action procedure might consist of an "action list" with assigned responsibilities, which is regularly checked, for example in a suitable weekly meeting. Someone must be appointed as responsible for maintaining the action list and receiving input for corrective action. A decision is then made, e.g. by a management meeting, as to what input should be added to the action list. A working system for corrective action can be a very useful tool when introducing procedures step by step. Instead of starting improvement projects, management may decide on individual procedures, assign responsibility, and then enter the decision into the ordinary corrective action system. The follow-up and control will then be done in the existing process, which is already running.




Internal quality audits are management's tool for ensuring

  • that the staff are following the procedures of the organisation

  • that these procedures give the intended results

  • that all needed procedures exist and are documented

Each part of an internal quality audit is performed by an independent person (outside the organisation which is audited).

Internal quality audits shall be planned activities. There shall exist a plan for the audits to be done during a certain time period, e.g. the next 12 months. Such a plan might consist of a table with the different parts of the organisation in the columns, and the different parts of the quality system in the rows. For all parts of the organisation where a quality audit is planned, there should be a date in the box for each part of the quality system to be audited. Example of part of such a plan:

Q-system part

Human resources

1.1 Roles: Nov 1999, Mar 1999, Apr 1999

2. Steering fora: Nov 1999, Mar 1999

3. Design: Nov 1999

4. Document control: Apr 2000, Mar 1999

The procedure for quality audit should then describe

  • The aim for the audits (see above), including follow-up on reports from previous audits.

  • Minimum auditor qualifications. There are training courses available for quality auditors. The TickIT training might be a suitable level.

  • The requirement for independence of auditors, and how to meet it. For example, persons from different parts of the organisation might audit each other's organisations.

  • Reporting

An audit report should contain the following:

  • Who did the audit, and when

  • What organisational unit was audited

  • Follow-up of findings in previous audit reports

  • Who was interviewed

  • What documents were studied

  • What faults were found

  • For each fault, its kind, e.g. violation of a certain rule, unsuitable procedure, lacking procedure etc.

The audit report should be signed by the auditor. No other approval is needed.

The procedure should say how it is ensured that actions are taken on the audit findings. For example, the audit report might be delivered to a certain person or organisational unit in order to be entered into the corrective and preventive action system.