Was just going through the Elsmar information on auditing and was sort of surprised to recognize a lot of the slides from it are also in our "Preparing for an External Audit" presentation. The guy whose job I'm doing now must have been a Cover.

Anyway, I came across the slide that says you should be careful about going to other departments during an audit and should stick to the scope of your audit. I'm a little torn about this now. I see why you wouldn't want to just show up in someone's department and say "Surprise, we aren't scheduled to be here but we're just going to take a peek at your documentation."

At the same time, I can see the value in finding and following audit trails. I know the key here is balance, and I can personally pretty much see how you can delicately follow an audit trail without making enemies. Still, I'm hoping to spark some discussion in the hopes that it will become clearer how to explain to my internal auditors.

So, what does everyone think?

There should never be any surprises, imo, but that doesn't mean that following a trail needs to involve ambushes. The whole company should be aware that an internal audit is going on, and that there's a possibility that auditors will be looking for documentation or other connections related to the function being directly audited. By the same token, you shouldn't expect the affected department to drop everything and take care of the auditor at that moment. A reasonable amount of time should be allowed for the sought-after documentation to be produced.

If one plans the audit well (e.g., reviewing quality manual, QMS processes and their interrelationships) there is unlikely to be any surprises, since the scope of the audit would be defined as the processes to be audited (and by default, the functions involved in carrying them out). The exception would be situations where there is an indication of a system breakdown, and it indicates that delving into unplanned-for areas are warranted. In such cases one should make it clear to the right level of management that there is a need for this, and get their approval to modify the audit scope in order to properly follow the audit trail. Audit plans are not set in concrete (although unfortunately many auditors believe everything related to QMS to be).

There should never be any surprises, imo, but that doesn't mean that following a trail needs to involve ambushes.

One of the things we have tried to teach everyone is that an audit may require that we check up on information outside of the specific area that the audit was scheduled in. With all the interaction of processes, it really should never come as a surprise that one may need to check something outside the audit area. We often need to check PO's in purchasing, customer PO's in sales, etc. I've never really found any of these little "forays into outside territory" to be a problem. We just give the area a call and let them know we are going to be coming to them to check some information to confirm somoe audit results. By the time we get to the department, they have usually found someone to free up to guide us through their part. Just explain that you are looking at their records to clear up some questions that came about in an audit at such-and-such area. Most of our folks are happy to tell you how their job is done.

I think what is being referring to came out of a specific audit whilst I was working with Motorola some years back. We had internal audits scheduled in different areas on different days. What happened was a team had a scope of a department and they followed a trail out to another department. Not a particular problem, but the audit then ended up focusing on that department (and its systems) outside the scope of the planned audit. It was not a simple matter of tracking a paper to another department. It had been agreed that going outside a department was a 'no no' in part because of the time involved and because any trails to follow to other departments were supposed to be noted and then the audit team as a whole would decide what would be looked at during the following days (it was a week long audit of multiple facilities with multiple teams).

Needless to say, the audit raised a lot of problems because the department they went to was not in the scope and when the audit ended up focusing on them and their systems they were not happy campers. They had had their audit a few days earlier and did not think it was appropriate for their department to be focused on again, especially without notice. It was not a situation where the department being audited had a system which was supposed to complete a form and send it to another department and the auditor went there to verify the form was there and completed. It became a situation where the form was found and then the audiors started looking at that departments procedures with regard to that document and how it was further processed.

It depends upon how your audit is planned and its stated scope. Had it been a system audit, the story would have been different because the scope would cover the entire trail of the document through what ever department it travelled through. And no single department would be focused on.

I agree with the replies so far - It shouldn't be a problem looking to see if something (paper or whatever) went to where it is supposed to go, is filled out as it should be (as in the case of a form or such), etc. But if the auditor then proceeds to pick up a different 'scent' and starts looking at a different system the scope of the audit is now expanded. One can say "So what?" Well, if you have planned to audit a specific system or department and you have planned well, included will be a certain amount of time to cover the areas / systems within the scope. Taken to the extreme, the auditors could keep picking up 'scents' and end up (theoretically) auditing every system and every department in the company. That is precisely why a scope is defined.

Example: You are auditing the purchasing system (scope) and the company has a paper system where items ordered are on a paper with the requirements. A copy is sent to receiving because it has the requirements stated on it. So, as a good auditor you cruise to receiving with a number from a paper to see if the required copy is there. It is there. Then the auditor starts asking questions like "What happens when the item comes in? What do you do?" Now the auditor is outside the original stated scope of the audit and is effectively auditing the receiving system. The focus has changed from purchasing to receiving. Taken to an extreme, the auditor could then start asking questions about measurement equipment used in receiving to verify certain dimensions and follow through to the calibration laboratory where the auditor could start looking at calibration records. So -- What happened to purchasing which was the system being audited? Where and when does the auditor stop?

My advice is to stick to the scope of the audit, to follow the audit plan and to intrude outside as little as possible. If one does not want to do that then an audit scope and plan is of no value.

My advice is to stick to the scope of the audit, to follow the audit plan and to intrude outside as little as possible. If one does not want to do that then an audit scope and plan is of no value.
Exactly. You can't have auditors running helter-skelter all over the building; the audit needs to stay focused and stray only when it's necessary to verify something in the function being audited, and then the outside disruption needs to be as unobtrusive--and respectful--as possible.

All right, this makes sense now based on what people are saying. I was thinking more in terms of auditing the assembly department that makes Product A, finding out that they aren’t filling out a form correctly, and going to the department that makes Product B to see if it’s just one department, or if nobody knows how to fill out the form (or if the form isn’t suitable to the purpose).

All right, this makes sense now based on what people are saying. I was thinking more in terms of auditing the assembly department that makes Product A, finding out that they aren’t filling out a form correctly, and going to the department that makes Product B to see if it’s just one department, or if nobody knows how to fill out the form (or if the form isn’t suitable to the purpose).

In the example you give, you audit line A, when the nonconformance is found, communicated, corrective action request initiated it is now up to production or operational management to check to see if there are similar problems in other areas. I usually make a statement to that affect at the closing meetings. "You may want to check to make sure that this is not being done the same way at area x. That way you will not see the same kind of nonconformance there. Thank you." I kind of feel that is part of my job to provide "heads-up" kind of info to management. Otherwise, they will focus so narrowly on a problem that a CAR really doesn't give us system wide improvements.

A couple of thoughts here. First, you are doing an audit of Management Review. As part of Management Review, they review corrective actions. You look at the last review and notice they did in fact, review the closed corrective actions during that review period. While examining the evidence, you notice the corrective actions were horrid! The review, did not mention anything about how bad the C/As were. Should your audit just cover the response to the C/A, or can you write nonconformances against the C/A procedure (which you are not auditing)?

Next: You need to interview the Plant Manager for the Management Review. Her office is in the exact center of the shop. As you walk to her office, you notice a container of parts on the shop floor. There is nothing on the container, or the individual parts that indicate part ID, or status. You know this is a problem, but it is clearly not in the scope of your audit.

In both cases, I would stick to the audit scope. In the first, I might have an issue with the reaction to the C/A, but I would not go into an audit of the C/A process. In both cases, I would schedule a “Supplementary Audit” for the out-of-scope areas, within 30 days or so. We can still react to perceived gaps in the QMS, while maintaining that there are no surprise audits.

Regardless of Audit scope, I would record any and all anomalies associated with the service and or product during audit.
I tend to remind myself a lot, to never lose sight of the product and or service.
Audit scope would be irrelevant if you happened to notice a safety or environemntal issue of concern.
Of course I'm a process freak, and I tend to allow myself to go off in a controled tangent at times during an audit. I've found some interesting issues for sure. The bottom line is, does this issue affect; Safety, environment, Quality, business processes in general and, finally but most importantly, does it affect the product and or service.
JMO.
Wallace ;)