When you want to verify a system, you should think about how far to go. You can go to the extreme of auditing every procedure and every system in every department yearly. Ask yourself whether you have the resources (human) to do this and whether it makes sense. There is no requirement that every last procedure be audited.
It is my opinion that the vast majority of companies over audit!
When looking at a system, say document control, if you ‘sample’ the system in 3 out of 8 departments, will that give you a sense of security that the system is sound? Or will you only be satisfied if that system is audited in every department which is responsible in some way for compliance with it? I use document control because in almost every company EVERY department has a responsibility to document control. Control of Quality Records is much the same.
This is an example of a Responsibility Matrix. (See Responsibilities_by_Dept.xls - included with this guide).
As you can see, to audit 4.2.4 you can choose from any department because all departments have records of one kind or another which require ‘control’.
On the other hand, if you want to audit 5.4, you don’t have much choice from which to ‘sample’.
NOTE: This is a partially completed matrix. Your company has to define how YOUR functional departments fit in.
ISO 19011 - Quality and Environmental Management Systems Auditing Forum Discussions