Mark Hammar
February 17, 2015
If you are thinking of implementing a quality management system (QMS) according to the ISO 9001 requirements, even if you are only starting to investigate what is required, you will likely have heard the terms gap analysis and internal audit. These two topics are often thought to be interchangeable, and although they use similar skills when gathering data, the focus for each is very different. Here is a bit more about these differences.
Even if there is no formal quality management system, every company has some processes in place to interact with customers, take orders, plan and create products or services, and deliver these to customers in order to be paid. If these processes were not in place, a company would not last long. It is this set of processes that is being assessed during a gap analysis.
A gap analysis is mainly done at the beginning of the project to assess what is currently in place against the set of requirements that are going to be used for the implementation. In the case of ISO 9001, you would take each requirement, compare it to what is currently being done, and assess where there is more required for the process currently in place.
For example: ISO 9001 requires that an organization review the requirements that relate to the product or service being produced, and there are certain elements of the ordering process that need to be checked. Do you make sure that the requirements are specified? Do you resolve any differences from the contract or order that are not the same as previously expressed (e.g., you produce products that are black, orange, or red and the customer wants blue)? Can you meet the requirements in the order (e.g., your service takes 3 weeks to complete, but the order requires it to be done in 2 weeks)? The gap analysis is done to see if your current process includes all of these things, and to identify what else needs to be included to fully meet the requirements.
One other use for a gap analysis is to assess an implemented QMS against changes in the requirements. This can take place when you identify additional specifications that apply to your organization; these could be industry-specific obligations such as complying with an aircraft-specific document like CAR 561.07 for Canadian aviation regulations. Another time that this occurs is when there is an update to the standard you use as a framework for your QMS. This is happening with ISO 9001, with a new revision due out later this year. For more information on what changes might be expected in the 2015 release, see ISO 9001:2015 DIS – Overview of 5 main changes.
By comparison, an internal audit is used to assess a process against the procedure that it is supposed to follow, as well as checking that the process complies with the requirements of ISO 9001. It is important to remember that the procedure does not need to be documented, but each process will have some requirements, also called criteria or planned arrangements, that need to be met for the process to be successful. The audit will gather audit evidence and compare it to the criteria for the process to see if the criteria are fulfilled. In other words, if your process says you will do something, do you have the evidence to show that you do? This evidence could come in the form of records, statements of fact, or observing personnel doing the job. This internal audit assessment is done on-site, where the gap analysis is commonly done much more superficially through a questionnaire, document review, or similar tool.
The comparison of the audit evidence against the criteria will result in audit findings, which are either that the process meets the requirements, or that there are corrective actions required. The internal audit is there to ensure that the processes of the QMS conform to the planned arrangements for the processes. For example, if your contract award process requires that you complete a checklist to make sure that all aspects of the contract are correct and properly approved, the audit will verify some of these checklists to ensure they are correctly completed and maintained.
In addition to verifying process conformance, the internal audit is also tasked with making sure that the processes of the QMS are effectively implemented and maintained. This means that the personnel doing the internal audit are responsible for assessing whether the process is being corrected and improved as necessary. Effectiveness can also include the interaction between processes, since this is often where inefficiencies exist.
For more information on internal audits, see ISO 9001 internal audit in 13 steps using ISO 19011.
While both the gap analysis and internal audit involve comparing a process with a set of requirements, the focus of each is very different. The gap analysis is focused on what is missing in the processes compared to a set of requirements (typically before an implementation takes place), while an internal audit is centered on verifying that the process conforms to the requirements and is effective after the process is already in place per the ISO 9001 requirements. A gap analysis deals with identifying missing components of a process, but an internal audit concerns maintaining an effective process once it is in place. Both are very useful and have their place, but it is important to use each when it is appropriate.
To find out how well your quality management compares to ISO 9001, see this ISO 9001 Gap Analysis Tool.