I am new babies studies on ISO9001, so can anyone let me how to think on questions below. Thanks~

Some one ask me "Supposed all internal auditor(s) is selected from the employees within the QMS scope, what is the theoretical minimum number of internal auditor(s) in a toys factory consisting of 400 employees? Why?"

I think minimum number of internal auditors is one because it is within the QMS scope. Isn't it?

Well, there are many threads already on this subject and it would be worth doing a search to check them out.

However, in my opinion the answer must but at least 2 as clause 8.2.2 asks for 'objectivity and impartiality' and states that the auditor 'cannot audit their own work'. So, if the management rep does all the audits, who audits the internal audit process and probably management review?

In a company of 400 people, I would recommend that you have a number of people (perhaps 8 or 10), from different departments, trained to conduct audits and they do the audits as required. They would not be full time auditors though.

The minimum number of auditors is defined by you.

My advise would be - have enough auditors so that you can do a full audit with no conflicts of interest.
That would be at least two in my current company... Me to do everything except the processes I own, and someone else, not in my department, to do the processes I own.

In reality I trained 8 auditors for a 100 person company. Overkill? Maybe, but it promotes interest in the QMS by getting a real cross functional team.

In reality I trained 8 auditors for a 100 person company. Overkill? Maybe, but it promotes interest in the QMS by getting a real cross functional team.

Scott, I quite agree with this sentiment. I usually find that people trained as auditors make very good auditees too, as they understand the process better and are less suspicious of the motives behind internal audits.

Good advice, however, one aspect often overlooked is the competence of the people who might be auditor candidates. It's not a simple numbers game. You have to look at the number/type of processes and then at what someone must 'know' to be able to audit it. As well as other competencies.

Who do you have that knows what effective preventive maintenance is? Who do you have who knows what a well run calibration system looks like? Who can understand the regulations and design process for toys?

(Just a quick thought - I wonder if anyone at Matel internally audited the design process to see if the design inputs and output for the paint specs included regulatory requirements?)

So, you see it's just not the 'minimum' number of auditors you can 'get away with'. You have to have effective audits, training is only in the basics of auditing, not what a specific process should/shouldn't be like, so you've more to consider.......

Friends,

The number of auditors at my Clients' sites is approximately 10% of the employee base.

Stijloor.

In reality it is a corporate preference and should be whatever works best for the company...as long as it's working effectively. There are valid arguements for both sides (several auditors for impartiality/objectivity or very few to one auditor for consistancy and efficiency). No matter the route taken, make it compliant to the standard, sensible to the purpose, and effective for your organization.

In our facility of 140 personnel, as QM I'm the sole auditor with the exception of the plant manager or buyer who is responsible for auditing quality.

In line with Stiljoor, I always try to set up 10% of the employee base as auditors with any new clients.

However, there are usually only 1 or 2 people doing most the work. But it helps to have the 10% available if they are needed; does well to promote QMS awareness across the organization. The ones that are interested will continue with the program and the ones that aren't will not.

Our facility has ~250 employees and there are 3 internal auditors, including me as the lead auditor. We do have one more who is "in training" and hasn't done any audits on her own yet. We have around 15 processes to be audited each year. Definitely less than the 10% previously mentioned as the desired number.....Somehow we manage, though. :cool:

I have 12 auditors in a plant of 350. I agree with the statements about how it can make better auditees, and I also agree with having competent auditors. So what I do is I use 6 main auditors and then I pair them up with 6others from the factory that I've also trained. I rotate 6 more through from the factory about every nine months.

5-ish for a European organization spanning 10 countries, 350 employees in total. Seems more than enough for us. Another related question you could ask yourself is how often do you want every process audited. We audit our entire management system completely in two years.

Although I agree with all the above posts, if we can define a minimum number of internal auditors, one could say ZERO ! My reasoning behind it is that the internal audits can be hired by an outside auditing company...however, as greatly discussed in other posts, you still have to audit 8.2.2.... so it´s a touchy subject... can it be 1/2 an auditor ? :notme:

Here for 130 employees, I have 3 lead auditors...

As many as you think you need to be effective.

It ain't in numbers, it's in effectivenesss and the ability to achieve the objectives of you audit program and your audit plan.

You do of course have audit program and individual audit plan objectives?

You do of course have audit program and individual audit plan objectives?

Randy,

What would you consider good examples of audit objectives?

Stijloor.

An objective is nothing more than the reason an audit is being conducted. How can one know than an audit is successful unless there is a goal to shoot for? We don't audit for the sake of auditing there has to be a purpose and that purpose has to be stated by the owner of the audit process "Top management" and is done so more often than not through the audit program manager or other responsible party.

An objective is nothing more than the reason an audit is being conducted. How can one know than an audit is successful unless there is a goal to shoot for? We don't audit for the sake of auditing there has to be a purpose and that purpose has to be stated by the owner of the audit process "Top management" and is done so more often than not through the audit program manager or other responsible party.

I agree Randy, but too many times organizations run their internal audit program because 'ISO-says-so", rather than benefit the organization. Therefore, the resourcing, objectives, scopes, criteria, scheduling all become haphazard. And very little of this nature is taught in any auditor course.

Similarly your statement about the resources is more than a number is also very correct. It's no different than any other work. Managers don't hire on the basis of '10%' of a number to do tasks, they estimate or calculate the heads required to get the job done, having understood the work activities.

And very little of this nature is taught in any auditor course.

We do!

Stijloor.

We do!

Stijloor.

I'm sure that most courses go over these aspects, but is it really 'taught'? Is there an activity (adult learning technique) where people get to wrestle with the complexities of deciding those fundamentals?

IMHO it has little or nothng to do with Lead Auditor or Internal Auditor training, since it is rarely the auditors call to decide. It's the audit management who decide (yeah, O.K maybe once in a while it's the same person), but usually there are only a few slides in a book.

I have taught the IA and LA courses for over 17 years and we 'mention' such stuff, but have never truely taught the skills required by anyone managing an audit program.......

If you do, why not share a small selection of the materials, here, with us?

I'm sure that most courses go over these aspects, but is it really 'taught'? Is there an activity (adult learning technique) where people get to wrestle with the complexities of deciding those fundamentals?

IMHO it has little or nothng to do with Lead Auditor or Internal Auditor training, since it is rarely the auditors call to decide. It's the audit management who decide (yeah, O.K maybe once in a while it's the same person), but usually there are only a few slides in a book.

I have taught the IA and LA courses for over 17 years and we 'mention' such stuff, but have never truely taught the skills required by anyone managing an audit program.......

If you do, why not share a small selection of the materials, here, with us?

I just taught this stuff today in the 18K Lead course.

And the materials? ISO 19011:2002

I just taught this stuff today in the 18K Lead course.

And the materials? ISO 19011:2002

But Randy - that's not internal auditing..........;)

Yeah, but these folks are going to be doing nothing but internal auditing....it's an onsite for a single corporation and any of the Lead auditor courses can be used by folks who are going to need to establish audit programs and/or manage the audit process either internally or externally.

Audit programs are audit programs and auditing is auditing.

Yeah, but these folks are going to be doing nothing but internal auditing....it's an onsite for a single corporation and any of the Lead auditor courses can be used by folks who are going to need to establish audit programs and/or manage the audit process either internally or externally.

Audit programs are audit programs and auditing is auditing.

Not! How can a person with your experience say that? One of the fundamental reasons for poor internal audits is because people get taught to use external audit techniques and then apply them in their internal audits. As I've posted here many times, it doesn't work to do that. Yes, I agree the RABQSA requirements dictate what you have to teach - if you run accredited courses, but there's no way that a lead auditor course teaches effective internal auditing. Every time I run a class or do an audit at a clients I see the pitiful results of following an external audit process, internally........

How can an internal audit program be the same as an external one? The objectives are totally different.

You and I know that although the principles of auditing might be similar, the practices should be quite different.......

You and I know that although the principles of auditing might be similar, the practices should be quite different.......

Like Randy said; "Audit programs are audit programs and auditing is auditing."

Stijloor.

Like Randy said; "Audit programs are audit programs and auditing is auditing."

Stijloor.

That's your paradigm, I suppose............

Min = 1
if he/she has no responsibility in the organizations
Min 2 , the 2nd to audit the responsibility of A1

How can an internal audit program be the same as an external one? The objectives are totally different.

You and I know that although the principles of auditing might be similar, the practices should be quite different.......

:bonk::bonk:OK, here I go:soap::2cents:

I don't know where you learned or who tought you but you're way off base.

1st, where most internal audits and internal audit programs go wrong is that they never get past asking people if they have a procedure and if they know the policy. This happens because many of the folks charged with the responsibility to establish so called internal audit programs and conduct audits don't know $hit-from-shinloa about what they are doing and/or the reason why. This starts with thinking that all we need is an auditor training class and ends at the failure to develop a sound competency process.


2nd, regardless of the type of audit be they internal, external, or whatever the purpose of every management system audit is exactly the same and that's to verify conformance...just look in 9001, 14001, 13485, 9100, 18001, 16949, 22000, or whatever and you'll see it very clearly written and never paid any attention to.

Do you really think that I, a 3rd party auditor, look at special stuff for 3rd party auditors only? I look at the same stuff, I interview the same people, I observe the same activities as the internal guys, unless of course the internal guys are just going through the motions, following some bogus, bull$4it, pre-printed checklist that is used time and time again with no deviation or change from audit to tired useless and wasted time audit.

There are hundreds of books published by "audit guru's" and "experts" and "I know more than you, blah, blah, blah's" about how to do internal audits and how to set up programs and all that other horsehockey:horse: that contain no more real substance than good old, in need of revision ISO 19011 when all of the fluff is removed and it provides guidance for to begin with.

The weakness and failure rests with a poorly planned process (and most don't know the process approach to establishing audit programs, planning for and conducting audits, developing and evaluating auditor competence, monitoring and measuring the program and seeking improvement).

I have to get off my soapbox because I've been hammering this home to a great group of people that last 3 days and I think it is starting to click, so forgive me for my passion and the flow of adrenaline in my system.

I don't know where you learned or who tought you but you're way off base.

1st, where most internal audits and internal audit programs go wrong is that they never get past asking people if they have a procedure and if they know the policy. This happens because many of the folks charged with the responsibility to establish so called internal audit programs and conduct audits don't know $hit-from-shinloa about what they are doing and/or the reason why. This starts with thinking that all we need is an auditor training class and ends at the failure to develop a sound competency process.


2nd, regardless of the type of audit be they internal, external, or whatever the purpose of every management system audit is exactly the same and that's to verify conformance...just look in 9001, 14001, 13485, 9100, 18001, 16949, 22000, or whatever and you'll see it very clearly written and never paid any attention to.

Do you really think that I, a 3rd party auditor, look at special stuff for 3rd party auditors only? I look at the same stuff, I interview the same people, I observe the same activities as the internal guys, unless of course the internal guys are just going through the motions, following some bogus, bull$4it, pre-printed checklist that is used time and time again with no deviation or change from audit to tired useless and wasted time audit.

There are hundreds of books published by "audit guru's" and "experts" and "I know more than you, blah, blah, blah's" about how to do internal audits and how to set up programs and all that other horsehockey:horse: that contain no more real substance than good old, in need of revision ISO 19011 when all of the fluff is removed and it provides guidance for to begin with.

The weakness and failure rests with a poorly planned process (and most don't know the process approach to establishing audit programs, planning for and conducting audits, developing and evaluating auditor competence, monitoring and measuring the program and seeking improvement).

Good points, Randy - kinda what I'm saying, really. Except the bit about the objectives. In practice, auditors often give up on the other thing you failed to mention - the effectiveness of the process. Anyone can read it here in other posts - "People don't follow procedure" - so what? What results are they getting? Did that ever factor in an audit report? Rarely!:nope:

See your own comments (highlighted) above. Indeed, you might cover these things in class, but I'd bet a pound to a pinch of that horse hockey that no 36/40 hour course can go into any depth to permit development of skills in these areas, so you get what you so amply describe, someone who thinks they know about audits, but are just plain dangerous.......no experience, ya see! :agree1:

Oh, BTW - you're also correct, you don't know who trained me or where I learned, but one things is for sure, I'm not off base. The model for teaching internal auditors is based, in the main, on external audit techniques. So, is ISO 19011 - as you said, it's in need of revision.:agree1:

Since we see eye to eye about these things, how about we approach RABQSA and the TC who wrote ISO 19011 and show them the error of their ways..........??:mg:

Since we see eye to eye about these things, how about we approach RABQSA and the TC who wrote ISO 19011 and show them the error of their ways..........??:mg:


Hey I can't Andy because I am represented already (sort of anyway), besides they wouldn't like me, I'm not too PC and I'd probably be a little too crude for the smooth hand crowd.

And you're so right...a 36/40 hour thing can only scratch the surface if at all.:agree1:

2nd, regardless of the type of audit be they internal, external, or whatever the purpose of every management system audit is exactly the same and that's to verify conformance...just look in 9001, 14001, 13485, 9100, 18001, 16949, 22000, or whatever and you'll see it very clearly written and never paid any attention to.Far from me to get in the middle of a lively discussion like this:tg:, but it is common knowledge (for many) that there are differences associated with first, second and third party auditing. So much so that the US QEDS delegation decided that ISO 19011 had too much slant towards 3rd party auditing. As a result, a US version of the ISO 19011 document was created: ANSI/ISO/ASQ QE19011S-2004, Guidelines for quality and/or environmental management systems auditing – U.S. Version with supplemental guidance added.

That standard is the subject of a specific thread (http://elsmar.com/Forums/showthread.php?t=23717)here at the Cove.
The Section of ISO 19011 that talks about audit objectives is paragraph 5.2.1. The supplementation of the American document states, as it relates to internal audits. The emphasis identified in color, bold text, is mine.

S5.2.1.1 First-party (internal) audits
First-party audits should be used by the organization to improve the management system, and may also be used as the basis for self-declaration of conformity and to satisfy requirements for third party registration. Internal audits should be closely aligned with the goals of the
organization. Some organizations may expand the objectives of their internal audit program to include the identification of business improvement opportunities, opportunities to enhance customer loyalty, and opportunities to minimize the organization’s environmental impact. Input on these opportunities can be gathered throughout the audit process and, where supported by objective evidence, reported as opportunities for improvement.
The first sentence of the quoted text gives me a glimpse of what many people believe should be the primary difference between first and third party audits. First party audits should focus first on system improvement, while verification of conformance (while still important) takes a back seat. Third party audits, on the other hand, need to focus on verification of conformance, while system improvement (although critical) is on the back burner.

We have been brain-washed and hard wired to think that audits must equate with verification of conformance. It will take a long time to overcome this paradigm.

Well my low karma may be failing me again I guess, but I'll still point out that when I look at the applicable specification or requirements documents (you know, the ones with the "shalls" in them) I see that the purpose of the audit (the internal one because thats the focus) state one way or another "the system conforms to planned arrangements, the standard, and is being effectively implemented and maintained". So in the end it really doesn't matter what a suggestion document (those guideline ones) say because unless an organization clearly and specifically states (or the "shall" document states) that the guidelines will be "the way and the only way" they don't count squat and the US whatever group can take those "should's" they created and chug on them.

I just taught this stuff today in the 18K Lead course.

And the materials? ISO 19011:2002 So in the end it really doesn't matter what a suggestion document (those guideline ones) say because unless an organization clearly and specifically states (or the "shall" document states) that the guidelines will be "the way and the only way" they don't count squat :confused:

The point is?:confused:

It's all taught as a "should" and it's emphasized as a "should", besides it's required to be used and referenced to.

From the RABQSA document RABQSA TP3.OHSMS 1 July 2005....

2.1.1 This course shall provide for the training of auditors in the principles and practices of auditing as it relates to the relevant OHSMS requirements document (e.g., BSI OHSAS 18001 or equivalent, and the American National OHS standard upon publication), using ISO 19011 as the guidance document. Auditor training shall be based upon the current version of ISO 19011 and the relevant OHSMS standard.

Here's the requirement for the RABQSA EMS-LA course right from RABQSA TP4EMSLA 1 July 2005.....

2.1.1 This course shall provide for the training of auditors in the principles and practices of EMS auditing as it relates to the ISO 14000 series standards, using ISO 19011 as the guidance document. Auditor training shall be based upon the most current revision of ISO 14001 and ISO 19011.

The point is?:confused:My point was, Randy, that you mentioned that you teach auditing classes and you use 19011 as a reference material. A few posts later you infer that 19011 is basically a useless document, because people need only to comply with the "shalls" of the auditable standard(s). That position would support the mind set that permeates in the management system profession that we should only pay attention to the auditable standards and totally disregard the rest, be it guidance documents, be it advisory papers (http://isotc.iso.org/livelink/livelink/fetch/2000/2122/138402/138403/3541460/customview.html?func=ll&objId=3541460&objAction=browse&sort=name)and the rest. That would mean that a lot of knowledge would be wasted.

If we want internal auditors to add value, I believe that one of the messages we should give them is: stop copying 3rd party auditors. You can delve deeper, you can open the closet door and interview the skeleton, you can use your "inside knowledge" to better your organization in a way that 3rd party auditors can't.

1st party auditing is different from 2nd and 3rd party auditing. If it wasn't so, there would be no American supplementation to ISO 19011.

You are an accomplished lead auditor and instructor. I am sure that you cover the differences and send a slight difference message when you are teaching internal auditor courses, compared to the Lead Auditor courses you instruct.

Great point, Sidney.

Our dilemma/dichotomy in the training business is that most of the people who attend Lead Auditor training aren't going to use it to be third or even second party auditors, let alone 'manage' an internal audit team......yet they seek some kind of insight into the external audit process (say before registration) or to have some 'accredited' training. The result is, they 'act' like third party auditors, they 'pass' a certification audit, but the organization's management etc. see little benefit in the long term.

It's about time the powers that be understood that the auditor qualification 'market' has moved on!

Internal auditor courses should be more aligned to the skills/knowledge of 6 Sigma Green Belts, IMHO, using not only the basic 'blocking and tackling' of auditing, but on problem solving, data analysis etc.

Furthermore, there should be an accredited 'Management Reps' course (which deals somewhat with the third party expectations) and, with that, courses specifically for training in Audit Program Management (based on a version of ISO 19011) and Lead Auditor courses should be re-named to ideintify them as for 'external' auditors

Please read the following advertisement for a Lead Auditor course: (this is not the one I teach)

Who should attend?

Professionals, Safety Consultants, Safety Officers, Managers, Executives and Engineers who have the responsibility to develop, implement and audit the OHSMS.

Course Objectives:

Understand the OHSAS 18001 certification standard and scheme
Understand the requirements in implementing an OHSMS to the OHSAS 18001 requirements
Understand loss causation and control
Understand risk identification, evaluation and assessment methods
Identify gaps in their own OHSMS and improve upon them to meet OHSAS 18001 and other requirements
Measure, monitor and internally audit their own OHSMS for compliance and continual improvement

Lead Auditor courses not intended for internal auditing?:confused: I need to think on that one a bit;)

Here is what I said about the guidlines "unless an organization clearly and specifically states (or the "shall" document states) that the guidelines will be "the way and the only way" they don't count"

And they don't.:nope:

Now if an organization states "this will be the way we do it (when referencing a guidance document)" or a specification document says "this is the way it will be done (when referencing a guidance document)" then it will be gospel, it becomes auditable and I'll hold the toes to the mark. I've had audits where the organization specifically stated that their audit program would be established and conducted 100% according to ISO 19011:2002 and before the end of the day they were sucking wind. Why? Because they in their procedure changed all the "should's" into "shall's". That made it applicable and unless we see that a should is a should and means "only if they wanna and to the extent they wanna".



Great discussion:applause:

Lead Auditor courses not intended for internal auditing?:confused: I need to think on that one a bit;)


Randy! How long have you been teaching this stuff? Seriously, there are many aspects of the LA course I teach which I've put the internal auditor 'spin' on, with great results.

Take one small, but useful example, 'Opening Meetings'. A slide in the (RABQSA accredited) LA training materials says that 14 points should be reviewed. These points include such items as 'The Documented Quality System', 'Confidentiality', 'Safety', 'Restrictions' and so forth. My comments in the course are, 'If you need to cover these things in an internal audit opening meeting, you shouldn't be doing the audit......!" The others are gems too!

The main aim of an internal auditor doing a opening meeting is because it's a protocol that you shouldn't be in someone's workspace without introducing yourself first. It's also an opportunity to engage management/supervision in the purpose of the audit etc. (this is a mere formality since the audit should have been planned with their input, in the first place).

Incidently, I didn't discover this yesterday. My comments are based on over 15 years of running training courses, meeting and working with clients who have attempted to run internal audits and just don't get the results they should. What I post is the result of careful and considered reasoning and application to the situations I've encountered - not just a bunch of bright ideas. I really believe that old saying about doing the same thing and expecting a different result........

I'm inclined to agree that internal auditor training should emphasize a more personalized and involved approach. Internal auditors are permitted to do more than external auditors, and the trainings should bring that out. I have begun to take that approach.

However, most of the rest of the stuff will be pretty much the same.

You and I do exactly the same thing Andy. Why did you think I didn't?

Most of the folks that attend those monster courses are not going to do anything but internal stuff and if we didn't put an internal slant to it when it's applicable they'd be getting cheated.