Can someone provide a good interpretation of the independence rule for internal auditing in the ISO-9001:2000 system? I realize the previous revision of ISO-9001 required that an auditor could not audit an area they were "responsible" for. The new standard says an auditor cannot audit their own "work". My understanding for this verbage change was to allow QA folks to audit QA systems/processes. As a Quality Manager, am I allowed to audit any system/process within my department even though I do not personally do the assigned "work"?

:confused:

Actually, I believe it was more for smaller companies to be able to address what had become a challenge of 'independence', since this was generally considered to be 'from another department'. As a result of this (too) literal translation, some smaller (head count) businesses found it difficult to show this - when they don't have departments. So, we have 'ya can't audit your own stuff'. Someone else can, as long as they are impartial about it........

Think of the first Americans, at the time of the Revolutionary War............:lmao:
Andy

Here's what 8.2.2 says. How do you interpret it?

...Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

Technically if it ain't "yours" it's fair game.

Thanks much! I think I'm getting the idea. "My own work" includes not only the tasks that I personally perform but also the tasks I am responsible for even though they are performed by other people in my department. It was explained to me by my previous ISO auditor and Corp QA Director (at a previous company) there was a difference between "work responsible for" and "work actually performed by". It was explained to me previously that I, as the QA Mgr, could audit a function within my own department as long a I did not perform the actual task/function. This approach was considered OK providing the results of the audit didn't indicate biasness.

If the concern is undue bias, then what about the issue of the Quality Manager being considered the Lead Auditor in the company? Is there not an opportunity for that person to be unbias in that role if they chose to be?

Here's what 8.2.2 says. How do you interpret it?

...Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

Technically if it ain't "yours" it's fair game.

To reiterate Randy's great definition, for example: It you are the only Internal Auditor, you would not be able to audit the Internal Audit System.

Thanks much! I think I'm getting the idea. "My own work" includes not only the tasks that I personally perform but also the tasks I am responsible for even though they are performed by other people in my department. It was explained to me by my previous ISO auditor and Corp QA Director (at a previous company) there was a difference between "work responsible for" and "work actually performed by". It was explained to me previously that I, as the QA Mgr, could audit a function within my own department as long a I did not perform the actual task/function. This approach was considered OK providing the results of the audit didn't indicate biasness.

If the concern is undue bias, then what about the issue of the Quality Manager being considered the Lead Auditor in the company? Is there not an opportunity for that person to be unbias in that role if they chose to be?


That would be the same thing that Randy identified. If it is not your work, it is fair game.

In my opinion I really don't agree with the requirement as specified in ISO9001. I feel that any experienced internal auditor (at least in my case) would be able to be independent and review and validate the entire QMS and be unbiased in my review. I look at the Internal Audit System to be a tool to better the overall business and even specific departments. If my work does not meet the requirements, I would document it myself.

My stance has been is that if our audit system doesn't find the noncompliances in our system, the ISO auditor will. So I am compelled by the accountability that a third party auditor provides to perform audits that are thorough and are performed with the utmost integrity. This accountablity helps ensure that audits are objective and impartial. If I was dishonest enough to hide things during an audit, I would also be dishonest enough to pencil whip the paperwork and make the system look absolutely perfect. Believe me it would be much easier to create the "window dressing", but I won't do that.

My quandary is around me auditing functions in my own department like inspection and calibration. I don't personally perform these tasks, but I do have ultimate responsibility to make sure these tasks are performed. I do have one person (sales) that audits internal audits for me.

If I may ask one more time for clarity, does this violate the independence rule?

My stance has been is that if our audit system doesn't find the noncompliances in our system, the ISO auditor will. So I am compelled by the accountability that a third party auditor provides to perform audits that are thorough and are performed with the utmost integrity. This accountablity helps ensure that audits are objective and impartial. If I was dishonest enough to hide things during an audit, I would also be dishonest enough to pencil whip the paperwork and make the system look absolutely perfect. Believe me it would be much easier to create the "window dressing", but I won't do that.

My quandary is around me auditing functions in my own department like inspection and calibration. I don't personally perform these tasks, but I do have ultimate responsibility to make sure these tasks are performed. I do have one person (sales) that audits internal audits for me.

If I may ask one more time for clarity, does this violate the independence rule?

The key word here is: Audit your own work

If you are not performing these functions, then in my opinion it would not violate the requirement.

Maybe Randy, Laura, or Sidney, could better cover that requirement from an Third Party Registrar or Auditor's interpretation.

My stance has been is that if our audit system doesn't find the noncompliances in our system, the ISO auditor will. So I am compelled by the accountability that a third party auditor provides to perform audits that are thorough and are performed with the utmost integrity. This accountablity helps ensure that audits are objective and impartial. If I was dishonest enough to hide things during an audit, I would also be dishonest enough to pencil whip the paperwork and make the system look absolutely perfect. Believe me it would be much easier to create the "window dressing", but I won't do that.

My quandary is around me auditing functions in my own department like inspection and calibration. I don't personally perform these tasks, but I do have ultimate responsibility to make sure these tasks are performed. I do have one person (sales) that audits internal audits for me.

If I may ask one more time for clarity, does this violate the independence rule?I don't think it would violate the rule of not auditing your own work, but more importantly would you feel comfortable enough that it was an independent audit?

:2cents:Personally, I won't audit a process that I have any involvement in so their can be no question as to my objectivity.

Good word Al. For me, I am comfortable with the independence because of the integrity I personally strive to live for in my personal life. Granted someone who doesn't have the same ethics could abuse the rule. Again, if I was to cheat the system, there are other more easier ways to do it than overlooking system nonconformances due to being bias. Again, the 3rd party auditors provides a check and balance to keep me honest.

Also, as a Mgr, I need to monitor my employees performance, to me, internal audits are a way for me to stay in touch with making sure they are doing their jobs.

Also, as a Mgr, I need to monitor my employees performance, to me, internal audits are a way for me to stay in touch with making sure they are doing their jobs.That's not the purpose of an internal audit and if your employees or any employee believe that the audit is being used to evaluate them it may become counter productive. Besides it's usually not the employees at fault.

Al, please don't misunderstand the approach I mentioned. I have never used an IA to evaluate performance, just as a method of staying in touch with the system I am responsible for and the people involved. And I agree, it is not usually the employee's fault. If there is a noncompliance issue, all elements of the process gets evaluated for good root cause, the people being the last consideration.

Performing the audits allows me to give personal attention to the various areas of the system to help identify where we can do things better, easier and faster

That's not the purpose of an internal audit and if your employees or any employee believe that the audit is being used to evaluate them it may become counter productive. Besides it's usually not the employees at fault.


I agree with Al. The internal audits are used to better your business and not a way to monitor your employees. I was told (without researching facts) that there is only 10%-15% Employee error. The real cause is the processes, be it training, manufacturing process, or even design can play a major part in actual root cause.

So I am compelled by the accountability that a third party auditor provides to perform audits that are thorough and are performed with the utmost integrity.

Sometimes it might not be a matter of integrity, but rather overfamiliarity with the process. Knowing how the process is supposed to work can at times be detrimental to assessing how it actually functions. This could be either because you now perform the work, have previously performed the work, designed the process, have audited the same function many times, etc.

This is not to say that you should never audit processes you are familiar with - obviously this is quite often infeasible within the internal audit spectrum! But it is something to be concerned about. Personally, I favor having a pool (doesn't have to be very large) of auditors that audit different parts of the system from audit to audit. This has the benefit of fresh eyes as frequently as possible.

As far as strict interpretation of the standard goes, I would go with the idea that if I do not perform the work myself it is OK for me to audit it, but I always keep in mind whether I have become too mired in how the system is supposed to work.

Hope this helps!
Silly Girl

...
This is not to say that you should never audit processes you are familiar with - obviously this is quite often infeasible within the internal audit spectrum! But it is something to be concerned about. Personally, I favor having a pool (doesn't have to be very large) of auditors that audit different parts of the system from audit to audit. This has the benefit of fresh eyes as frequently as possible.


Anyone can audit their own area, if they want, if they don't make it part of the internal audits. Gap analysis, tarining verification, whatever. Just don't put it in the internal audits. Make it extra.



As far as strict interpretation of the standard goes, I would go with the idea that if I do not perform the work myself it is OK for me to audit it, but I always keep in mind whether I have become too mired in how the system is supposed to work.



I think that is a very smart approach.

Good word Al. For me, I am comfortable with the independence because of the integrity I personally strive to live for in my personal life. Granted someone who doesn't have the same ethics could abuse the rule. Again, if I was to cheat the system, there are other more easier ways to do it than overlooking system nonconformances due to being bias. Again, the 3rd party auditors provides a check and balance to keep me honest.

Also, as a Mgr, I need to monitor my employees performance, to me, internal audits are a way for me to stay in touch with making sure they are doing their jobs.


The standard does not ask you to prove your integrity, it says auditors should not audit their own work. What you do outside of the internal audit program is up to you, however. But, I appreciate that you have high integrity, but you still have to follow the rules.

This subject has been beat up tossed around and trounced upon so many times that it ain't even fun any more.

1st..How could a 1 person company utilizing ISO 9001 be "independent" and not audit his/her own work? The independence slice is put there to help ensure objectivity and impartiality. Be that as it may, I could be totally and absolutely independant and be so pro and partial that anyone could pass an audit regardless of the evidence. It's not the independance that is important, it's the objectivity and impartiality. Look at what ISO 14001 and OHSAS 18001 state about the audit....

ISO 14001:2004, 4.5.5 - Selection of auditors and conduct of audits shall ensure objectivity and the impartiality of the audit process.

OHSAS 18001:1999, 4.5.4 - Wherever possible, audits shall be conducted by personnel independent of those having direct responsibility for the activity being examined.
NOTE The word “independent” here does not necessarily mean external to the organization.


2nd...as stated by mlthompson "My stance has been is that if our audit system doesn't find the noncompliances in our system, the ISO auditor will. "

Hopefully that's not how you really feel because if it is you are so far wrong you're not on the chart. If you are looking for NC's that tells me you're waiting for stuff to break and your audit system is ineffective and that's one of the 1st things as an auditor I would take a bite out of, an ieffective internal audit program. Your audits should be focusing on verifying the meeting of requirements with objective evidence (whatever those requirements are) and identifying areas where improvement can be made. No audit is 100% and we never actually accomplish 100% of every audit. Remeber you are only looking at a piece of the whole system. Your "planned" audit, coupled with your "sampling" protocol may not identify a NC, or may identify X# of NC's. The presence of or the absence of a NC doesn't prove anything other than the audit did or did not identify a NC in the "sample". If you state in your policy that you are going to seek improvement and only audit for NC's you are in fact not meeting your committment. Fixing stuff ain't improving, it's gluing the lamp back together as opposed to taking action to keep it from falling off in the 1st place.

This subject has been beat up tossed around and trounced upon so many times that it ain't even fun any more.

1st..How could a 1 person company utilizing ISO 9001 be "independent" and not audit his/her own work? The independence slice is put there to help ensure objectivity and impartiality. Be that as it may, I could be totally and absolutely independant and be so pro and partial that anyone could pass an audit regardless of the evidence. It's not the independance that is important, it's the objectivity and impartiality. Look at what ISO 14001 and OHSAS 18001 state about the audit....

ISO 14001:2004, 4.5.5 - Selection of auditors and conduct of audits shall ensure objectivity and the impartiality of the audit process.

OHSAS 18001:1999, 4.5.4 - Wherever possible, audits shall be conducted by personnel independent of those having direct responsibility for the activity being examined.
NOTE The word “independent” here does not necessarily mean external to the organization.


2nd...as stated by mlthompson "My stance has been is that if our audit system doesn't find the noncompliances in our system, the ISO auditor will. "

Hopefully that's not how you really feel because if it is you are so far wrong you're not on the chart. If you are looking for NC's that tells me you're waiting for stuff to break and your audit system is ineffective and that's one of the 1st things as an auditor I would take a bite out of, an ieffective internal audit program. Your audits should be focusing on verifying the meeting of requirements with objective evidence (whatever those requirements are) and identifying areas where improvement can be made. No audit is 100% and we never actually accomplish 100% of every audit. Remeber you are only looking at a piece of the whole system. Your "planned" audit, coupled with your "sampling" protocol may not identify a NC, or may identify X# of NC's. The presence of or the absence of a NC doesn't prove anything other than the audit did or did not identify a NC in the "sample". If you state in your policy that you are going to seek improvement and only audit for NC's you are in fact not meeting your committment. Fixing stuff ain't improving, it's gluing the lamp back together as opposed to taking action to keep it from falling off in the 1st place.


Well said, sir....

Thank you all so much for your input. This is why I love this forum, good honest talk. I 100% agree with what has been said. Audits are for monitoring ongoing compliance and for identifying improvements. Despite my lack of explaining all my intentions for auditing I really do practice this. Working in a company that considers any inspection or audits performed as waste ("muda"), I've had to stand up to strong opposition in promoting using audits as an improvement tool.

Sometimes you have to step back, assess what has been done, assess what is being done and determine if it is the best way to do things. Isn't this why Internal Audits fall under the Measurement, Analysis and Improvement section in the standard?

Again, thanks!

Thank you all so much for your input. This is why I love this forum, good honest talk. I 100% agree with what has been said. Audits are for monitoring ongoing compliance and for identifying improvements. Despite my lack of explaining all my intentions for auditing I really do practice this. Working in a company that considers any inspection or audits performed as waste ("muda"), I've had to stand up to strong opposition in promoting using audits as an improvement tool.

Sometimes you have to step back, assess what has been done, assess what is being done and determine if it is the best way to do things. Isn't this why Internal Audits fall under the Measurement, Analysis and Improvement section in the standard?

Again, thanks!

If audits are only performed for compliance, and IF you have NO findings, then perhaps they are not adding value and can be classed as muda.

However, if there are findings, then they are not waste.

Further, if audits are focused on finding improvements, and if there are many good improvement findings - then one would have to think pretty limited to call them waste...:confused:

Isn't this why Internal Audits fall under the Measurement, Analysis and Improvement section in the standard?

Again, thanks!

You've hit one of those proverbial nails on the head. The internal audit is conducted in order to monitor "system" performance.