Hello folks!

I've been meaning to ask about this, but have not had as much time to lurk here lately. Here is the situation:

We had our renewal audit to 9001:2000 in May. We passed w/ no findings and a few OFI's, so we are in good shape. But one of the 2 auditors (the Lead) brought something up when looking at our internal audit activity. I've put the vast majority of records that our quality department keeps into an electronic format over the last 2 or 3 years, including NC's, CA, PA, product returns, continual improvement projects, and...audits. Process audits, qms audits, and dock audits are all recorded into an Access database, which get back up nightly for security purposes. We use a controlled audit form to assist us in the audit with asking questions, leading the audit, and recording answers. All of this is transcribed into our program afterwards, and I toss the handwritten forms. If we take copies of orders or other records for the audit, or take pictures, they go to file, but not the audit form.

I did this with the idea to cut down on paper to handle and to save trees. The audit can be pulled up and printed out with the click of a mouse.

The problem is, the auditor warned me that this will not be good enough, that I need to have the original hand-written forms for the file. This will show that the audit actually took place and that I didn't just type up a fake audit. According to him, ISO registrars are under the same constraint from ANAB, to show the trail of work done in external audits so that no foul play occurs. Because of this, he says we, as a registered company, must also follow this.

I called him on it and asked for the "shall" in the standard, and he said it's not there, but I'd best start doing it anyway. I can't find this requirement in our contract with the registrar either.

What are your thoughts on this situation, fellow Covers? I don't plan on changing the current process. Yeah, I could fake an audit by typing it all up into the Access program, but what's to stop me from taking pencil to paper and doing the same thing, and then typing THAT into my program? I asked that question also, and got a shrug for an answer.

The guy did a pretty good job on the audit, especially for his first visit to our type of business, but I think he's full of it on this one, even IF ANAB requires his company to keep all handwritten notes (what happens if they use e-tablets?).

Thanks in advance for your thoughts. I did a search on this here, but the only thread that looked close was this one:

http://elsmar.com/Forums/showthread.php?t=12231&highlight=Audit+report

If you choose to keep them, that's fine, but there's no requirement for original handwritten auditor notes in ISO 9001, AS9100, ISO/TS 16949, or ISO 13485. Your requirements for audit records are defined in your internal audit procedure.

We had a similar issue come up in our TS 16949/ISO 9000 surveillance audit that was completed at the end of June 06. The auditor was reviewing our internal audits. Like you, we type a summary of the audit findings along with supporting evidence into our system and toss the papers. He asked to see the "work papers" to get a feel for how comprehensive the internal audit was.

We told him that we do not retain those papers. He did not cite us for it, but he did request that we amend our system to retain these work papers for a year so that they are available for the auditor to review if necessary.

I don't see a big deal to this, so I think we will comply. I plan to scan the work papers into the system, so I don't have to file and maintain the hard copy. I will only retain them for the minimum amount of time.

I think the intention is that the most people only document what was found wrong or are too brief in their explanation of things gone right. By looking at the work papers, the auditor gets a better feel for how the audit was conducted and that it had a reasonable chance of identifying the problem. Which ultimately is the true purpose of internal auditing.

Another example of an auditor who is out of dte. Does s/he realize that with today's ERP+ systems (e.g., SAP) that most of an audit can even be DONE electronically?

Process audits, qms audits, and dock audits are all recorded into an Access database, which get back up nightly for security purposes. We use a controlled audit form to assist us in the audit with asking questions, leading the audit, and recording answers. All of this is transcribed into our program afterwards, and I toss the handwritten forms. If we take copies of orders or other records for the audit, or take pictures, they go to file, but not the audit form.That sounds exactly like our setup, and I have yet to see an external auditor even try to nail us on that one.

Let's discuss how the data is transcribed into the application afterwards, though. Here is our take: The checklist (Questions, ref to std and ref to written procedure/record) are typed up using the application, and then printed and brought along during the audit. After the audit, we add the answers to the checklist, and make it an appendix to the audit report (also typed up within the application). The handwritten notes are then discarded.

Is this similar to what you do?

I called him on it and asked for the "shall" in the standard, and he said it's not there, but I'd best start doing it anyway.Doh! :frust: Because he says so? I think he'll have to do a bit better than that...

By looking at the work papers, the auditor gets a better feel for how the audit was conducted and that it had a reasonable chance of identifying the problem. Which ultimately is the true purpose of internal auditing.How the external auditor feel about it is one thing, but what about yourself? When I prepare an audit I definitely want to have a look at the questions/answers from the previous audit.

/Claes

What does you Document Control, Records Control and/or Audit procedure require?

Thank you for the replies.

Randy, our setup is written to allow electronic records. I've in no way painted us into a corner on this. This was straight from the auditor's perspective, because he is now required to do it. He didn't bring it up because of what our system or ISO 9001:2000 requires of us, but because of what he sees as an ANAB requirement on him. We didn't get dinged on it, but his comments led me to believe he will try to if he is our auditor next time.

Claes, yup, I'm doing almost exactly what you do. I designed a set of audit forms to handle dock audits, qms audits, and process audits (in fact, it's posted on this site somewhere). We print the blank form out and the auditors sit with me and make some initial notes for the audit, including areas I want to focus on and specific records I might want checked. There is a list of standard questions that can be used to direct the audit, and I may include more to be used if I'm looking for more. For dock and qms audits, there is a checklist also. With our Access app, I am able to easily look at previous audits for a quick review and decide if anything for a particular audit warrants special attention. I was also able to easily print out any audit for the external auditor to look at.

After the audit, I take the forms from the auditor(s) and transcribe them into the Access app. All measurables, inputs, outputs, initial notes, auditees, checkmarks, etc are entered to the electronic format. This includes all questions asked and the resulting answers from each interview. Audit results also go into this (NC's and OFI's), which are given to department heads and mgt review.

The setup allows ALL this to be printed back out in a readable format, using the same format as the original audit form, so that it has become the record of the audit. In short, the audit report has the summary on the first page and ALL the data from the handwritten notes on the rest of the report (excluding any photos or copies that were put to file and referenced in the notes).

The auditor was a little argumentative on this, but I let it slide after a bit, because his reasoning on audit authenticity was circular and I was getting tired of it (I guess he feels it's okay to transcribe lab testing data to electronic format and toss the handwritten data. Handwritten data, whether from a lab or an internal audit can be faked/pencilwhipped just as easily as electronic format can be faked). It didn't make it into the audit report, so I let it go. I did want to get the views from some other experienced hands though, while it was still fresh on my mind.

Thanks again folks.

Hi,

If I was an auditor in your company, would have preferred to see the original records too :)

Btw, if you would have scanned thes documents and placed in your drive, it would have given me confidence.

:agree1:

I prefer keeping the audit notes but I make them on spreadsheets, which can be filed electronically. I make the spreadsheets out with questions, note the document and element the questions pertain to, and write in the blanks to the right under "evidence." I do not keep the handwritten copies, but type in my results based on my notes.

This way, years later I or anyone can look and see what was looked at, and what was found not only to show compliance but to show if there is any trending, positive or negative. It helps close the "results" loop in continuous improvement as well as corrective action.

We had a similar issue come up in our TS 16949/ISO 9000 surveillance audit that was completed at the end of June 06. The auditor was reviewing our internal audits. Like you, we type a summary of the audit findings along with supporting evidence into our system and toss the papers. He asked to see the "work papers" to get a feel for how comprehensive the internal audit was.

We told him that we do not retain those papers. He did not cite us for it, but he did request that we amend our system to retain these work papers for a year so that they are available for the auditor to review if necessary.

I don't see a big deal to this, so I think we will comply. I plan to scan the work papers into the system, so I don't have to file and maintain the hard copy. I will only retain them for the minimum amount of time.

I think the intention is that the most people only document what was found wrong or are too brief in their explanation of things gone right. By looking at the work papers, the auditor gets a better feel for how the audit was conducted and that it had a reasonable chance of identifying the problem. Which ultimately is the true purpose of internal auditing.


Records and docuemnts can be in any form - handwritten, typed, paper, electronic. The media is not an issue. But, I also see where the notes, records, etc, the criteria of the audit, is discarded, and only a one page summary of findings. This does not provide evidence of an effective audit, because it does not provide evidence of the audit criteria, the depth of the audit, the skill of the auditor...it only shows the results. We auditors have to turn in our notes as well (electronic is not the issue).

ISO 19011 can shed further light on this.

Bottom line Joe.....NO. You just need to keep a "record"

Guess I'll add my 2 cents worth.

We have had the same issue with our auditor as others. In our case he simply explained that the summary did not provide enough detail for him to make a valid evaluation of the system. (In our case there were other issues that called his attention to the IA system) My personal opinion is that if an auditor sees handwritten notes on a form that has obviously been around a while (showing any signs of age) it gives a warm fuzzy that the audits are being performed in a timely manner.

On the other hand If an auditor finds no other evidence of failure as in Joe Cruise's OP, it would be a hard sell to write this one up. Not only is there no shall, but the auditor's own audit demonstrates the system is functioning within acceptable parameters and therefore the assumption must be that the internal audit program is effective, regardless of the style, detail, type, or media of internal audit records.

James

What does you Document Control, Records Control and/or Audit procedure require?


Randy is right. What do your procedures require? If you have specified a Time for retention of records then you will need retain them.

My suggestion is:

In your procedures I would state that the last two audit reports will be maintained.

Your requirements for audit records are defined in your internal audit procedure.

ding ding ding! :applause:

As someone said, ISO 9001 does not require records to be on paper and Note 3 to 4.2.1 says explicitly that any "form or type" of medium is acceptable. I don't see how auditors or ANAB can demand requirements that are not in the standard.

And what are they going to do with totally paperless organisations? Working in telecom and software for the last several years, I don't actually remember the last time I saw paper audit notes. (Mind, I don't remember a lot these days so it could have been yesterday ;-)

Also, I think accusing you of fraud is disgraceful unless there's reason to believe it's happening, and a poor basis for the trust that auditors must build to drive out the fear we were discussing in another thread.

Most companies and their people are reasonably honest. For auditors to waste everyone's time and trees demanding proof of absence of fakery is wrong, especially when electronic systems can reliably track the dates that records were entered.

I think this is an auditor from the Ark, overdue retirement.

Hope this helps,
Patrick

Hi,

If I was an auditor in your company, would have preferred to see the original records too :)

Btw, if you would have scanned thes documents and placed in your drive, it would have given me confidence.

:agree1:

Confidence in what? As I stated before, I can just as easily fake handwritten notes on an audit form as I can typing it all up in an electronic form. If this is ONLY an issue of an oversight body having some degree of confidence that internal audits are being performed (and from this particular registrar auditor, THAT is the issue), the oversight body is being incredibly naive if they think handwritten forms are satisfactory evidence that the work is being done, as opposed to having only electronic records available to prove that the work is being done. I do agree that if the handwritten notes are being tossed, and only an electronic summary is kept without the full set of audit notes data, there is a problem. We are not doing that though, as ALL notes and comments are transcribed to the electronic format.

This same auditor had no qualms about laboratory data on raw data forms or lab books being typed up into our LIMS, with the handwritten data being tossed afterwards and the electronic record being the only record. Both scenarios are the same thing, at the heart of it. Both handwritten forms are data that gets transcribed electronically, and then the original handwritten data is discarded.

When I transcribe the handwritten stuff to electronic form, ALL the notes go into the Access app and become official record of the audit. It's not summarized, only the findings are, and the full set of notes are available in the report.

I appreciate all the views given here from all of you. I thought the auditor was off base to say that, and I'm glad I felt comfortable enough in my viewpoint to take a stand and demand a "shall" or at least a competent "why" for his "putting us on notice" statement. I received neither, and we'll continue to do business as we were.

One more thing; the auditor was not accusing us of faking the audits or anything untoward, although I guess it could be construed that way. He just made the point that he felt that the handwritten originals were better evidence than the electronic record with all the same information. He said he based that on the constraints layed on him for keeping his audit notebook with all its notes. But he never answered me satisfactorily when I aksed him what was to keep me from faking the handwritten notes to show compliance.

Our system handles the document/record/audit procedure side of this very well, and he had no issues with that. We learned back in the 1994 version to watch out for painting ourselves into a corner :notme: .

This was the first visit here for this guy, so maybe he was looking to shake things up a bit. We've had zero findings in the last 4 audits now, and just a few OFI's. We've been registered since 1994, so the system is pretty mature. This guy is liable to be our next "regular", so he may have been testing the waters with us. On everything else, he did well. Anything he saw in our system that he was unsure of, he questioned quite well until we showed him how we wrote it to make sense in our business in complying with the standard. He left us with a few OFI's, one of which was a way to improve our electronic audit format to give a better summary report. We implemented it.

Thanks again, folks! I has been my time spent here learning from you that has helped to give me the knowledge and confidence to question an auditor over an issue like this without :whip: being intimidated into doing what the auditor says just because they say so. :applause: :applause: :applause: