I am helping a friend. He received a NCR for lack of internal audits. How much should he pay for someone to come in and do internal audit? It's a small mfg. company. 6 employees, the processes are pretty static. Talking to him its seems 2 days max.

Thanks

Larry
Portland

Costs for training and assigning internal people to do these audits may be less than contracting a consultant. You can use my calculation methods in this Reading Room paper (http://elsmar.com/Forums/showthread.php?t=11242)to help compare the costs.

But please forgive me for being snippy when I say the so-called elephant in the room is: why didn't this company realize internal audits were not being done?

Last month was his 1st audit by PJR. He received 2 NCR's.

That small a company, 1 day. Cost of contract auditor US$450 max.

Maybe he could find a local (qualified/competent) ASQ member who would be willing to do it for the experience. There may also be a local RABQSA or IRCA auditor who needs the experience as well.

Maybe he could find a local (qualified/competent) ASQ member who would be willing to do it for the experience. There may also be a local RABQSA or IRCA auditor who needs the experience as well.

Yes, this is true. If this is in the Chattanooga area, I would be glad to do it. :tg:

Maybe he could find a local (qualified/competent) ASQ member who would be willing to do it for the experience. There may also be a local RABQSA or IRCA auditor who needs the experience as well.

Good ideas!

Hey guys, just a brainstorm idea,here.

What about if this small organization had one of their customers conduct a customer/internal audit? I know, that goes against the competency and many other prime directives. However, I've been around small companies a lot. This might can get them down the road a bit until some of their folks can get some training, and they can get a CAPA program going.

Too, having their customers address things; maybe the boss will learn how to appropriately handle CAPA's once the internal auditors start.

I'm sure this is embedded with peril. I just want to help small organizations as much as possible.

But please forgive me for being snippy when I say the so-called elephant in the room is: why didn't this company realize internal audits were not being done?I can sympathize, being so small it's difficult to cover all areas of the business without the employee auditing their own areas, and it's not worth having more employees trained for internal auditing. It's been a continual issue for me and now I just outsource the activity. One day a year isn't bad.
Maybe he could find a local (qualified/competent) ASQ member who would be willing to do it for the experience. There may also be a local RABQSA or IRCA auditor who needs the experience as well.That's a great idea, but since the auditor has to be appropriately qualified, it might be difficult finding someone needing experience who already has the credentials.

We're talking process audits as opposed to 'compliance to the standard' audits, correct?

We're talking process audits as opposed to 'compliance to the standard' audits, correct?

Yeah, and what's the idea that an internal audit can be done in just one or two days - is that it for the whole year? Sounds goofy to me! I know that a small company has a big burden to sustain an ISO system, but let's not do the minimum and delude ourselves. Why does any company need to do audits? Not just to keep from getting nc's from a registrar? So, will your newly found resource do just a quasi-PJR audit, take the money and never be seen for another 365 days. Or is this company going to do this in the spirit and understanding of the real reason for doing audits?

Be careful, you may be paying double for compliance audits - the external person and then PJR and what benefit is that?

It depends upon the company. I have a client that is 13 people with simple processes. It takes 1/2 day to do their audit. Even the registrar has a hard time filling up 1/2 day of a mandatory 1 day audit.

I disagree that "...a small company has a big burden to sustain an ISO system..." Few of my former and current clients, large and small, prepare for an audit and there is little 'burden'. If you set the systems up correctly in the first place, and people do what they are supposed to, what's the burden?

I remember an auditor coming into one client and citing them for 'ineffective internal audits' because I (their contract internal auditor) had not found so much as a minor nonconformance in the prior 3 years or so. The auditor dropped the finding when it was pointed out that over the previous 4 years or so the registrar audits had not cited even 1 minor nonconformance. The question was, of course, if the internal audits are not effective because there have been no findings, then the registrar audits are not effective because they weren't finding anything.

I swear, sometimes I think people make such a big deal out of all of this. Not every company is screwing up on a regular basis. There are many companies out there doing what they should be and don't give a thought to 'preparing' for an audit.

I'll give myself some credit. I helped many set up systems which were simple and easy to maintain. They do what their systems dictate, so no findings.

And it's not only small companies. The first Motorola semi-conductor plant I worked with was Guadalajara. There were 4500 employees there. It was a QS-9000 implementation. And as you know, semi-conductor processes are not simple, uncomplex processes. The audit was something like 5 auditors for 4 days (or 5 days or whatever). I forget how many audit days, exactly, but it was a long tough audit of all shifts. They came out with ZERO findings. That's when Motorola started sending me to other plants.

Maybe I just do such a good job in implementations that my clients do well. :rolleyes:

I swear, sometimes I think people make such a big deal out of all of this. Not every company is screwing up on a regular basis. There are many companies out there doing what they should be and don't give a thought to 'preparing' for an audit.

Agreed. Many entrepreneurs had been managing with common sense and following recognized good practices way before ISO came into the picture but in an albeit unstructured manner. For these people, ISO is used to document and systematize what they had been doing all these while.

You're correct Marc. I was thinking of the burden of paying external auditors (when they have trouble justifying 1/2 days work). The costs of the auditor, travel etc is a burden and if the 'internal auditor' is going to do simply what the external auditor is going to do (my principle concern) then that's double the burden - IMHO. Not sayng small companies don't get it right, at all....:agree1:

Just to clear up my statement!;)

Andy

I cited about US$450 because there's travel, 4 to 6 hours auditing and then the report time of a couple of hours. Compared to what a small company pays for an internal auditor (from training to time for the audit and all that), I don't think that's a lot of money. I will say what set me off, so to speak, in part was the statement about ISO being a 'burden'. I associated it more with 'extra work' rather than burden in the sense of $, which is why I said if the company sets up an appropriate system and people do what they're supposed to do, ISO shouldn't be a burden any more than a company should have to 'prepare' for an audit.

In the sense of ISO 9001 being an extra $ burden, the costs are, or should be, mainly registrar costs which I agree are significant to any company, small or large. I look it as a cost of doing business, like a tax.

One of the things you said was: "Why does any company need to do audits?" I would be less sensitive about this if most of my clients really benefited from registration and audits, but only a few do. I know many people swear audits do their company good, but I fall back to my position that if audits are keeping a company 'in line' or whatever, they need better management.

I'm going to a client today to observe their annual surveillance audit. I have a number of clients that keep me on payroll (literally, so I'm not classified as a 'consultant' - I'm even on their organizational chart...) to do this because now and again they end up with screwy auditors and want someone who knows the standard better than they do so there aren't any auditor 'misconceptions' or 'problems' (such as the example above re: Ineffective Internal Audits).

This is not to say, either, that many auditors don't do the "quasi-PJR audit". I had a client recently that was nailed in a customer audit (which is why they contacted me). They just had their registrar (Intertek) in last summer for a QS-9000 to ISO 9001:2000 transition audit. In December I identified 4 major nonconformances (systemic) within the first 2 hours. None of them were 'new', but had been going on for at least 2 to 3 years. The Intertek auditor had to have been totally blind. The auditor OKed the new certificate with a couple of minor findings. It's the type of situation that makes ISO 9001 look like a total scam.

All of these insights prop up my view that an internal auditor's main function is not to help retain the certificate (contrary to wide belief) but to provide ongoing insights on how the system is doing. Issues that are found and fixed should be revisited through more sampling or another, smaller audit to see if the fix is effective. Not doing so can invite persistent problems that could cost a good deal more than a part time internal auditor.

In the end we have the difference, as Marc said, between compliance and process (performance) auditing. When a company's QMS matures I expect some migration to process (performance) monitoring as audits, and less superficial approaches. It may be early to talk about this with Larry's management, but if they are interested in growth the subject should come up at some point. :2cents:

All of these insights prop up my view that an internal auditor's main function is not to help retain the certificate (contrary to wide belief) but to provide ongoing insights on how the system is doing. Issues that are found and fixed should be revisited through more sampling or another, smaller audit to see if the fix is effective. Not doing so can invite persistent problems that could cost a good deal more than a part time internal auditor.


Good thread, all. This was my thought process about suggesting the customer audit. Small budgets are conquered by innovation, creativity, and flexibility. Where there is a will, there's a way. Heck, they could probably post their quality system documents here and get a desk audit by the best for free.:agree1:

Small budgets are conquered by innovation, creativity, and flexibility.

Amen, brother :agree1:

Good thread, all. This was my thought process about suggesting the customer audit. Small budgets are conquered by innovation, creativity, and flexibility. Where there is a will, there's a way. Heck, they could probably post their quality system documents here and get a desk audit by the best for free.:agree1: Now these are cost effective ideas! :cool:

I swear, sometimes I think people make such a big deal out of all of this. Not every company is screwing up on a regular basis. There are many companies out there doing what they should be and don't give a thought to 'preparing' for an audit.
I'll give myself some credit. I helped many set up systems which were simple and easy to maintain. They do what their systems dictate, so no findings.
Maybe I just do such a good job in implementations that my clients do well. :rolleyes:We do not "prepare" for audits. Our preparation is that we run our system EVERY DAY. IF you are doing everything right you shouldn't have to prepare or answer BS, fabricated, stretch-the-standard-until-I-can-write-something-up findings. However, if you find a 3rd party auditor that tells you he isn't sweating what the home office is going to say when he closes 2 TS audits in a row without a finding....call him a liar to his face.

Take Marc's advice. Find an expert (like Marc), sign them up as a contract employee, put them on your org. chart, and have them plan and execute your internal audit program. Done right, you should get not just internal audits but advice worth far more that $450. We are at the point where our internal audit turns up far more opportunities for streamlining and improvement than it does non-compliance findings.

Never underestimate the power of "low hanging fruit." The VAST majority of auditors that I have dealt with were running a checklist, filling in boxes, and looking for a magic number of findings that make it look like they were doing their job. A top-notch QA Manager develops the skill of identifying things that need fixed anyway, craftily leading your auditor to them, and allowing them to fulfill their quota. <ducks again, anticipating fire from all of the fine auditors here at the Cove who would NEVER stoop so low as to audit like this>