Due to issues regarding auditors’ independence and practicality, I’m thinking of writing in a Q or E or SH Manual something like this: “To ensure objectivity, our Certifying Body performs the audit of the company’s Internal Audit activity…”

Can you share your thoughts about this? Thanks in advance.

Due to issues regarding auditors’ independence and practicality, I’m thinking of writing in a Q or E or SH Manual something like this: “To ensure objectivity, our Certifying Body performs the audit of the company’s Internal Audit activity…”

Can you share your thoughts about this? Thanks in advance.


I'll write you a Major NC for not performing IA's if you do.

You have to audit how you meet all the requirements of whatever standard, if you fail to do so be prepared for bad, bad news. You could scream, cry, pee and moan all you want but the accreditation bodies would agree.

I guess Randy mis-understood the question.

I agree with the poster that we should not have to audit our own internal audit process, that is surely the job of the certification body.

However we do currently audit our own internal audit process.

You could say that the certified body has audited a sample of the whole of your QMS, not just the internal audit process. A large, multi-national pharma that I know, used to use the fact that a certified body or a division/corporate audit had recently performed an inspection, so any scheduled internal audits that had not been performed, such as the internal audit process, were said to be covered by the certified body/division/corporate audit.

OR. Get your management or a trained auditor from another department to audit the audit process, as long as they are independent.

I guess Randy mis-understood the question.

I agree with the poster that we should not have to audit our own internal audit process, that is surely the job of the certification body.

However we do currently audit our own internal audit process.

IMHO, I think Randy did understand the question and I agree with him. Here we have 3 LA, me being one of them, I am responsible for the IA program and when it comes time for auditing 8.2.2, one of the other two LA audits me... it´s simple !

Well it doesnt warrant a major NC as i see nowhere that it states that we must audit our internal audit process.

Well it doesnt warrant a major NC as i see nowhere that it states that we must audit our internal audit process.


From ISO 9001:2000

8.2.2 Internal audit
The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and
b) is effectively implemented and maintained.
An audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

The audit PROCESS is an integral part of the quality management system and must be audited like any other process within the QMS.
In some of my Client's companies, a trained member of top management, audits the audit process to ensure that the process is compliant, effective and continually improving. No big deal.

Hope this helps.

Stijloor.

Randy and Stijloor are correct.

The organization is held responsible to understand on its own and respond to findings regarding how well the internal audit process is supporting the management systems.

The internal audit function cannot audit itself, which makes it easy to conclude the registrar can fulfill the requirement. And the registrar may very well (I hope they will) audit the internal audit process, but that's definitely not enough to fulfill the requirement.

Moreover, the registrar should not be depended upon to tell us how well our programs are working. Registration is supposed to be a verifying function, while internal audits can be more analytical in their design.

The internal audit process must be audited during internal system audits.

this is why it's best to have more than one auditor if you don't hire an outsider to do your internal audits.

We're just wrapping up our 2nd full internal audit. And, yes, the internal audit process was audited.
I, as process owner, was the auditee and two of my audit team were the auditors. They are not the process owners and are in different departments for their regular jobs so there was no conflict of interest even though they are auditors. Because they audited the PROCESS.

I agree that I would write a major NC if I was a registrar and found no records of the internal audit process being audited.

I know our CE marking notified body would pull our cert if we tried to put that over on him.

So how are your other 2 auditors independent when they are involved in the audit process?

So how are your other 2 auditors independent when they are involved in the audit process?Fair question. We use someone who used to internally audit at the company but is not doing it anymore. So he's qualified but he's outside the process.

So how are your other 2 auditors independent when they are involved in the audit process?

We have an auditor from one of our manufacturing facilities come in and audit our internal audit process.

I guess one of the problems here is "where does it stop?" I know a training organisation that run IRCA registered courses and they had recently been audited by IRCA. When the ISO 9001 cert body auditor turned up he was informed that the training organisation had not done all of the internal audits but it didn't matter because IRCA had already audited them during their visit!

On this basis, I suppose if the organisation had a 2nd party audit, they could leave out the internal audits on anything they covered too.

I too would raise an NC but not a major. There is a system in place but it has a single breakdown. (I hope this does not escalate into another of those "what is a major/minor" debates).:)

Here are a couple of discussion threads on this topic...

http://elsmar.com/Forums/showthread.php?t=17665
http://elsmar.com/Forums/showthread.php?t=18139

I hope these links work. :cfingers:

So how are your other 2 auditors independent when they are involved in the audit process?

Because they are not the process owners, nor are they even part of the department that owns the process.

Being involved in a process <> conflict of interest.
Using that logic my QC inspectors can't be auditors because they are involved in every department in the company to some extent.

I too would raise an NC but not a major. There is a system in place but it has a single breakdown. (I hope this does not escalate into another of those "what is a major/minor" debates).:)

I agree, that if the rest of the management system was audited with reasonable evidence of conformance and non-conformance, but the internal audit process was missing from the audit record, then it should be a minor. A reasonable auditor would see that the audit process was effective, although the organization was confused as to the requirement to audit its' own internal audit process.

Thanks everybody for your inputs. Actually, we did receive a Minor NC from our CB for failing to include in our Audit Plan a schedule to audit the Internal Audit process.

We feel that auditing or not auditing the Internal Audit process will only produce insignificant results for us, except that we want to be certified against a standard.

Anyway, the "requirement" can be easily satisfied by a lot of ways as you have suggested.

tony s

Thanks everybody for your inputs. Actually, we did receive a Minor NC from our CB for failing to include in our Audit Plan a schedule to audit the Internal Audit process.

We feel that auditing or not auditing the Internal Audit process will only produce insignificant results for us, except that we want to be certified against a standard.

Anyway, the "requirement" can be easily satisfied by a lot of ways as you have suggested.

tony sYou're welcome.

Expecting insignificant results is no reason to exclude that function from the audit schedule.

On what evidence does your organization base this assumption?

Please remember that I used the word "effective." Understanding a function's effectiveness requires an examination based on data. The audit function's contribution to the organization's effectiveness is the question. Including all the necessary functions in the audit schedule is just one tiny part of compliance, which is designed to help contribute to effectiveness but certainly is not all the being effective requires.

We feel that auditing or not auditing the Internal Audit process will only produce insignificant results for us, except that we want to be certified against a standard.

tony s

Probably because you don't allow it to be a value added process and relegate it to the "oh well, this is just another pain-in-the-fanny thing we have to do".

You only get out what you put in.

Probably because you don't allow it to be a value added process...

We are a small company, a commercial printing press. If we let ourselves depend on the well compensated external auditors to do it (audit the IA process) for us, will it reduce the value? Or will it add more value? We're not taking it out, we just want somebody to do it more effectively for us.

We don't see also a solid basis for raising a nonconformity for not auditing internally the IA process.

tony s

Because they are not the process owners, nor are they even part of the department that owns the process.

Being involved in a process <> conflict of interest.
Using that logic my QC inspectors can't be auditors because they are involved in every department in the company to some extent.

The problem I have is that you are using 2 of your auditors to audit the process that they appear to be involved in routinely. A trained management rep or consultant auditor is independent, and, possibly, more objective?

Your QC inspectors are part of the manufacturing process?:)

External auditors usually assert that they are our partners in improving our management systems. I hope they would not think that they are being abused or we are trying to circumvent the "requirement" if we let them do a minor task that we think will add more value to our established systems.

tony s

If a registrar is making you feel as though the registration audit is a kind of consulting service, it's a misunderstanding or worse.

I really want you to understand that an organization needs to know, on its own, how well the audit program is functioning. The audit process is intended to assess compliance and, running the assumption that your QMS is responsive to such input, provide input suitable to recognize opportunities for improvement. If this process is not itself internally assessed, the organization runs the risk of not knowing when a gap in auditing exists. Clause 8.2.3 says we should monitor and, (where applicable) measure QMS processes, and that the methods are to demonstrate the ability of processes to achieve planned results. These QMS processes include the internal audit process.

By delegating the matter of assessing internal audits to your registrar, you are failing to recognize that you understand the need to examine how well you are doing assessments on your own. Even a small organization should be able to do it--you can use methods like trade internal audit services with another organization; you could be finding one via your area ASQ chapter.

So how are your other 2 auditors independent when they are involved in the audit process?

Woa, matey..............they're not required to be 'independent'.......but they are required to be 'objective and impartial'........

There's no problem as long as the audits they use to sample are not theirs.

Woa, matey..............they're not required to be 'independent'.......but they are required to be 'objective and impartial'........

There's no problem as long as the audits they use to sample are not theirs.

woa,woa,woa 'matey', OK, but what about their objectivity and impartiality to the process that they take part in??? Hmmmm????

woa,woa,woa 'matey', OK, but what about their objectivity and impartiality to the process that they take part in??? Hmmmm????

Well, that's the challenge of auditor selection! I'm certain you have someone who is an open minded, 'big picture' person to do the audit. Maybe they will look at it objectively if they are familiar with the audit procedure. But beware that you might have to look at the thing differently, based on what they find!

(The 'matey' thing was supposed to be an attempt at a British term of endearment...........):D

I really want you to understand that an organization needs to know, on its own, how well the audit program is functioning. The audit process is intended to assess compliance and, running the assumption that your QMS is responsive to such input, provide input suitable to recognize opportunities for improvement. If this process is not itself internally assessed, the organization runs the risk of not knowing when a gap in auditing exists. Clause 8.2.3 says we should monitor and, (where applicable) measure QMS processes, and that the methods are to demonstrate the ability of processes to achieve planned results. These QMS processes include the internal audit process.



Excellent post, Jennifer. Thank you.

OK, I've got a question on this one. I am a profound believer in the internal audit program, and feels it's one of the strongest assets of the QMS. However, it sounds to me that audit the internal audit process is a bit too refined, and can lend to one auditor (with certain notions and biases) to be pitted against another (solely based on auditing practice). I'm perceiving auditing the auditor doing audits for the audit! Is not the effectiveness of the internal audit process not apparent in the audit program findings, CAPA, management actions, etc.? Those items are definitely auditable.

NOTE: I am not making a statement of fact, but of perception. Please correct where my thought process is in error.

Independance does not guarantee impartiality or objectivity, this discussion has happened many times. In the case of a small company independance may not be possible but impartiality and objectivity can be. It all boils down to the integrity and honesty of all involved in the process....management, the organization and the auditor.

Excellent post, Jennifer. Thank you.

OK, I've got a question on this one. I am a profound believer in the internal audit program, and feels it's one of the strongest assets of the QMS. However, it sounds to me that audit the internal audit process is a bit too refined, and can lend to one auditor (with certain notions and biases) to be pitted against another (solely based on auditing practice). I'm perceiving auditing the auditor doing audits for the audit! Is not the effectiveness of the internal audit process not apparent in the audit program findings, CAPA, management actions, etc.? Those items are definitely auditable.

NOTE: I am not making a statement of fact, but of perception. Please correct where my thought process is in error.

Hello BradM,

Allow me to chime in here...

When I audit an audit process, I always examine how the audit results (good, bad, ugly) are used. There are a number of "beneficiaries" of the audit program that use the audit results: Top management, process owners, even the CB/Registrar. ISO 9001:2000 (for example) has a few direct links to "audit results": Review input 5.6.2 a) and Continual improvement 8.5.1; and indirectly: 8.5.2 Corrective action and 8.5.3 Preventive action.
Auditing is a process of discovering nonconformities, opportunities, and risks. A great tool that in many organizations is underutilized. The job of the external and/or internal auditor is to find out how this asset is used and if the results are used to improve the organization and its processes.

Sorry for "rambling", but this topic is near and dear to me.

Thanks for the great dialogue in this thread.

Stijloor.

Well, that's the challenge of auditor selection! I'm certain you have someone who is an open minded, 'big picture' person to do the audit. Maybe they will look at it objectively if they are familiar with the audit procedure. But beware that you might have to look at the thing differently, based on what they find!

(The 'matey' thing was supposed to be an attempt at a British term of endearment...........):D

We are a small (<30) organisation, and one of our regulators has issued guidance on management auditing 'QA activities'. One the aims of the guidance is to audit that QA is independent of activities for which they are providing quality assurance. I take this to include the audit process.

I have passed a copy of their requirements to my management and requested that one of them (who is trained in the audit procedure) perform this audit, which they have done. I expect to have to review my process based on their findings.

I still believe that any auditor selected should come from outside the audit process to demonstrate complete objectivity and impartiality. I believe the audit process in general should demonstrate if we're doing what we say we're doing, we're adding value, we're satisfying internal/external customers, we're highlighting opportunities for continual improvement.

(The correct term should be 'mate', as in 'buddy' 'pal' 'chum', which I still regard you as (professionally also).:D

It's a difficult balance between being from 'outside' the process and not 'knowing it' and being 'inside' and oblivious to the process and its performance. I advocate having someone who knows the process, so they aren't learning it, while they're doing the audit - it won't be an effective audit.
I actually think that inpartiality etc comes from their personality/approach rather than from which part of the organization.

(Good call, "Matey" was kids bathtime soap liquid ........:lol:)

It's a difficult balance between being from 'outside' the process and not 'knowing it' and being 'inside' and oblivious to the process and its performance. I advocate having someone who knows the process, so they aren't learning it, while they're doing the audit - it won't be an effective audit.
I actually think that inpartiality etc comes from their personality/approach rather than from which part of the organization.

(Good call, "Matey" was kids bathtime soap liquid ........:lol:)

I think it can still be an effective audit (effective auditor required), if they don't know the process - sometimes a fresh pair of eyes...and this is the way our external customers audit us, and still, sometimes, come up with good opportunities for improvement or even strengths?

How do you demonstrate an impartial personality/approach (here I go again)?

(I am so sad. I remember the song they used to advertise here:
"Your Matey's a bottle of fun,
Ya puts me in yer bath,
I'm lurved by everyone,
I'm always good for a larf !!!!"):nopity:

How do you demonstrate an impartial personality/approach (here I go again)?



By observation of their audit practices, getting them to describe during the audit planning phase, what their strategy/tactics will be to address aspects of the process/controls.....

(yes, it's sad - I didn't remember the lyrics, but I do remember the bottle/shape etc.......:bonk:)

By observation of their audit practices, getting them to describe during the audit planning phase, what their strategy/tactics will be to address aspects of the process/controls.....

(yes, it's sad - I didn't remember the lyrics, but I do remember the bottle/shape etc.......:bonk:)

So could the owner of the audit process demonstrate this competency? In other words, the Audit Manager performs the audit of the internal audit process?

(It's late here. I need to have my bath. Matey?):bigwave:

So could the owner of the audit process demonstrate this competency? In other words, the Audit Manager performs the audit of the internal audit process?

(It's late here. I need to have my bath. Matey?):bigwave:

I see no reason why not. If the audit mgr doesn't audit their work (the auditors do the audits) then it's reasonable, IMHO. In smaller orgs it would need to be done in a similar way, which is why (I understand) that the 'independent' was removed, since smaller (head count) orgs have a problem meeting that requirement. And getting someone in from outside isn't really an 'internal' audit, again, IMHO (I've done some and it's not a good feeling when you don't know the people, management culture etc. that well.)

Sleep well.......

I really appreciate the different views shared in this thread. It really gave me a clearer perspective on the importance of assessing your own IA process.

Hope you won't get tired of helping people.

tony s

I really appreciate the different views shared in this thread. It really gave me a clearer perspective on the importance of assessing your own IA process.

Hope you won't get tired of helping people.

tony sYou're welcome, and no I think we won't get tired.

We'll start arguing about the speed of barn swallows carrying coconuts soon.

(AKA Monty Python and the Searcrh for the Holy Grail)

You're welcome, and no I think we won't get tired.

We'll start arguing about the speed of barn swallows carrying coconuts soon.

(AKA Monty Python and the Searcrh for the Holy Grail)

Oh no we won't

"Run away, run away................":lmao:

((Here we go, this thread could so easily become hi-jacked and degrade into a 'who can quote a Python sketch..........)):lol:

"Run away, run away................":lmao:

((Here we go, this thread could so easily become hi-jacked and degrade into a 'who can quote a Python sketch..........)):lol:

Why don't we move to the water cooler?:cool:

Excellent post, Jennifer. Thank you.

OK, I've got a question on this one. I am a profound believer in the internal audit program, and feels it's one of the strongest assets of the QMS. However, it sounds to me that audit the internal audit process is a bit too refined, and can lend to one auditor (with certain notions and biases) to be pitted against another (solely based on auditing practice). I'm perceiving auditing the auditor doing audits for the audit! Is not the effectiveness of the internal audit process not apparent in the audit program findings, CAPA, management actions, etc.? Those items are definitely auditable.

NOTE: I am not making a statement of fact, but of perception. Please correct where my thought process is in error.


I did want to follow up on this question that I posed. There were a couple of good responses to my question (thank you). So here are the elements (for lack of better word) that you audit on the internal audit process:

1. Independence/impartiality of internal auditors
2. Comprehensive coverage of audits
3. Appropriate level of reporting structure
4. Effective closure and use of internal audit findings.
5. Training of the internal auditor

Does this look right? Am I missing some, or did I include some that should not be there?

I did want to follow up on this question that I posed. There were a couple of good responses to my question (thank you). So here are the elements (for lack of better word) that you audit on the internal audit process:

1. Independence/impartiality of internal auditors
2. Comprehensive coverage of audits
3. Appropriate level of reporting structure
4. Effective closure and use of internal audit findings.
5. Training of the internal auditor

Does this look right? Am I missing some, or did I include some that should not be there?

6. Adherence to / adequate scope of, audit schedule
7. Effectiveness of audit - adding value during an audit as well as in report.

Although some think independence is not required:D

Actually, would you also include:

Root cause analysis
Investigation (including previous similar occurrences)
Corrective / preventive action plans, completion, closure rate, reporting of?

Also, a clearly defined scope and criteria for the audit. The planning of any audit is 80% of the task. What 'background' info did the internal auditor access, in their preparation?
:2cents:

We'll start arguing about the speed of barn swallows carrying coconuts soon.

(AKA Monty Python and the Searcrh for the Holy Grail)

With all due respect, Jennifer, I must disagree with you on this one. The discussion at hand should be in regards to the average wingspan velocity of the European and African swallow. After all... this is a temperate zone!! :lmao:

This poor old dead horse ought to be laid to rest.

Geeesh!:frust: