
View Full Version : Audit Schedule for Multi Site Certification


MichelleD
4th June 2008, 01:27 PM
I need an opinion and I know I can count on all of you. :D Our company has just been recertified to ISO 9001 but this time management decided to do a multi site certification. One of our findings was that we did not have a comprehensive audit plan and schedule that encompasses all sites. Do we need to have one schedule for all sites or can the sites continue to use their own but be monitored by the corporate quality department? I have my opinion (of course) but I would like to get feedback how it's being done at other companies.

Helmut Jilling
4th June 2008, 01:33 PM
I need an opinion and I know I can count on all of you. :D Our company has just been recertified to ISO 9001 but this time management decided to do a multi site certification. One of our findings was that we did not have a comprehensive audit plan and schedule that encompasses all sites. Do we need to have one schedule for all sites or can the sites continue to use their own but be monitored by the corporate quality department? I have my opinion (of course) but I would like to get feedback how it's being done at other companies.

As long as the audits are scheduled, performed at each location and properly managed, I would not see a problem. I might recommend that a common format might be beneficial, but that would be an OFI at best. I am not aware of any specific ISO rules on the issue.

Sidney Vianna
4th June 2008, 01:37 PM
Do we need to have one schedule for all sites or can the sites continue to use their own but be monitored by the corporate quality department?

I would like to suggest you peruse paragraph 3.0.5 of the IAF Mandatory Document IAF MD 1:2007 Certification of Multiple Sites Based on Sampling (http://www.compad.com.au/cms/iaf/workstation/upFiles/351519.IAF-MD1-2007_Certification_of_Multiple_Sites_Pub2.pdf). It indicates that, for multi-site certified organizations, the corporate office must be involved with the planning and result analysis of the internal audit program. If you were to leave to the individual sites to plan the audits, they might not plan to audit processes with the frequency and depth they should, from a corporate perspective.

I would think that the proper way to plan an internal audit schedule would be a collaborative effort between the sites and the corporate location, but the central office should have overriding rights, of course.

MichelleD
4th June 2008, 01:42 PM
This is great information. Thanks!

MichelleD
4th June 2008, 03:31 PM
With management, I'm running into a brick wall. Their stand is as long as we are evaluating the audits and corrective actions at each site we shouldn't have to look at them as a whole across all 5 sites. But our ISO auditors wrote us 2 major corrective actions for not having a "systematic" way of evaluating audits and CAR's from all the sites. I want them to understand that we should do this not just because of ISO but because it makes sense for us as a business to send trends and areas that are weak.

Helmut Jilling
4th June 2008, 03:36 PM
With management, I'm running into a brick wall. Their stand is as long as we are evaluating the audits and corrective actions at each site we shouldn't have to look at them as a whole across all 5 sites. But our ISO auditors wrote us 2 major corrective actions for not having a "systematic" way of evaluating audits and CAR's from all the sites. I want them to understand that we should do this not just because of ISO but because it makes sense for us as a business to send trends and areas that are weak.

The premise behind a multi-site certification is centrally managed QMS. The system needs to be managed even if the individual schedules are local. There also was a Guide 62(?) comment I saw some time back that said audit findings must be reviewed across the board by all sites for applicability.

There are good business reasons for these rules. If they don't like to operate as a multi-site, they can always give up the multi-site certification and discount...:D

MichelleD
4th June 2008, 03:45 PM
The premise behind a multi-site certification is centrally managed QMS. The system needs to be managed even if the individual schedules are local. There also was a Guide 62(?) comment I saw some time back that said audit findings must be reviewed across the board by all sites for applicability.

There are good business reasons for these rules. If they don't like to operate as a multi-site, they can always give up the multi-site certification and discount...:D

That's what I told them. But I don't think they wanted to hear it. :bonk: I think things should be as simple as possible. And I don't think having multiple schedules at the sites is the simplest way to do it. Most of our processes are the same and some of our auditors will be going from site to site to audit. Why not have one schedule so everyone will know the dates and the auditor assigned?

Helmut Jilling
4th June 2008, 03:49 PM
That's what I told them. But I don't think they wanted to hear it. :bonk: I think things should be as simple as possible. And I don't think having multiple schedules at the sites is the simplest way to do it. Most of our processes are the same and some of our auditors will be going from site to site to audit. Why not have one schedule so everyone will know the dates and the auditor assigned?

Would it be more effective to simply go directly to the audit managers at each site, and propose joining programs? Or, better, mock up a best in class audit schedule that everyone would want to use. Then, you have bargaining power.

The last option is to let your 3rd party auditor "discover" the problem during their audits...

MichelleD
4th June 2008, 03:55 PM
Would it be more effective to simply go directly to the audit managers at each site, and propose joining programs? Or, better, mock up a best in class audit schedule that everyone would want to use. Then, you have bargaining power.

The last option is to let your 3rd party auditor "discover" the problem during their audits...

I am working on an audit schedule I think everyone will use. "Fingers crossed" I have a plan that I'm bringing to management on how we can have one system but I wanted to bounce my ideas on here and see how everyone else felt about it. And remember the 3rd party auditor already "discovered" it - That's why we have a major NC that has to be answered in the next 60 days.

joshua_sx1
8th June 2008, 08:35 AM
That's what I told them. But I don't think they wanted to hear it. :bonk: I think things should be as simple as possible. And I don't think having multiple schedules at the sites is the simplest way to do it. Most of our processes are the same and some of our auditors will be going from site to site to audit. Why not have one schedule so everyone will know the dates and the auditor assigned?
…internally? this can be done… provided that you have enough no. of qualified internal auditors at each site (and that they should be independent from the site they are auditing)…

joshua_sx1
8th June 2008, 08:42 AM
...The last option is to let your 3rd party auditor "discover" the problem during their audits...
…usually, it is better for your organization to discuss what would be your corrective and/or preventive actions to your nonconformance and/or foreseen nonconformance… instead of taking the risk and see if the external auditor would find it… ISO does not work that way…

AndyN
8th June 2008, 08:49 AM
…internally? this can be done… provided that you have enough no. of qualified internal auditors at each site (and that they should be independent from the site they are auditing)…

Not at all - in fact it's advisable to have the auditor from the site being audited. Indeed, as we've done over so many times, there is no requirement for the auditor to be 'independent'..........they just can't audit their own work (which you pointed out in one of your own posts, recently)

joshua_sx1
8th June 2008, 09:12 AM
(He he he… here we go again… :o)

OK, as AndyN said, there is no requirement for the auditor to be 'independent'… - as long as the assigned auditor is not directly involved in the development and implementation of the QMS in the process he is going to audit… (:frust: you know guys, I was having a hard time why you cannot consider those scenarios as “independent”?)

…anyway, just to add (as quoted from another thread), ISO 19011 doesn't say anything about auditors not auditing their own work... ISO 9001 is very specific, but ISO 14001 doesn't prohibit it and neither does, OHSAS 18001, PAS 99, or BS 25999… :notme:

(whew... I hope it'll stop there...)

Helmut Jilling
8th June 2008, 09:39 AM
…usually, it is better for your organization to discuss what would be your corrective and/or preventive actions to your nonconformance and/or foreseen nonconformance… instead of taking the risk and see if the external auditor would find it… ISO does not work that way…

If you reread the context of that sentence, you will see I was inferring that sometimes you can use an external auditor to your advantage. Sometimes when no one listens to an internal auditor or manager, when the external auditor writes it up, it has a little more leverage. But, that is a risky move and should not be used often. As an auditor, I don't like it, but I am sure I have been "shown" a few things over the years.

Helmut Jilling
8th June 2008, 09:50 AM
(He he he… here we go again… :o)

OK, as AndyN said, there is no requirement for the auditor to be 'independent'… - as long as the assigned auditor is not directly involved in the development and implementation of the QMS in the process he is going to audit… (:frust: you know guys, I was having a hard time why you cannot consider those scenarios as “independent”?)

…anyway, just to add (as quoted from another thread), ISO 19011 doesn't say anything about auditors not auditing their own work... ISO 9001 is very specific, but ISO 14001 doesn't prohibit it and neither does, OHSAS 18001, PAS 99, or BS 25999… :notme:

(whew... I hope it'll stop there...)


The concept of auditors being independent is pretty well ingrained in all the ISO standards and history. And, I would point out, that 19011 applies to 9001 and 14001, and can be applied in principle to 18001. The words change slightly with each iteration, possibly in an attempt to clarify the intent, to stop just this sort of discussion or debate as to what is allowable.

The answer is not black and white. There is a little grey. But the principle is that people should be improving their processes all the time, and should not wait for an audit. And the second is that auditors should have a fresh perspective, not the same perspective they apply to that job every day. And, third, less emphasized in the current version, is they should have some degree of freedom from their direct boss, when they have to write findings.

Now, these are my paraphrases, not quotes from the standards, but I think they do a good job of explaining in plain English what we should look for.

PS Josh, the internal auditors can audit at their own sites without any problem, just not their own work (or processes they have responsibility for).

Coury Ferguson
8th June 2008, 11:26 AM
If you reread the context of that sentence, you will see I was inferring that sometimes you can use an external auditor to your advantage. Sometimes when no one listens to an internal auditor or manager, when the external auditor writes it up, it has a little more leverage. But, that is a risky move and should not be used often. As an auditor, I don't like it, but I am sure I have been "shown" a few things over the years.

I have used the Third Party Auditor in that way, when I have hit a roadblock on something. Which doesn't happen that many times, but does happen.

The Third Party Auditor is a person that can reiterate your concerns and help you with changes, but don't rely on the Third Party all of the time. If you are in a position, that drives changes, then only use the Third Party Auditor on an occasion. Because relying on the Third Party for changes, only could hurt your goals and aspirations in the Organization, in my opinion.

MichelleD
10th June 2008, 09:53 AM
I truly believe we have the auditors in place. The problem I'm having is that the powers that be came along several months ago and said you will now have a multi site certification without giving us the proper time to make it happen. Everyone is comfortable with the way they are doing the audits at their site and they don't want a new way of doing things. Even though the registrar pointed out that is an area that could be beefed up. We were chosen as the lead site because we have a mature system in place and we now have to roll reports up on audits, CAR's/PAR's, Quality System, etc.

Helmut Jilling
10th June 2008, 10:08 AM
I truly believe we have the auditors in place. The problem I'm having is that the powers that be came along several months ago and said you will now have a multi site certification without giving us the proper time to make it happen. Everyone is comfortable with the way they are doing the audits at their site and they don't want a new way of doing things. Even though the registrar pointed out that is an area that could be beefed up. We were chosen as the lead site because we have a mature system in place and we now have to roll reports up on audits, CAR's/PAR's, Quality System, etc.


Based on what you say, then, the only thing you may need is to develop that harmonized multi-site schedule you have discussed.

MichelleD
10th June 2008, 10:53 AM
That's where I'm headed but does anyone have a good way I can explain the benefits of having one schedule for all sites. I would appreciate any bites of wisdom that you have. Rather than me just saying "do it":whip: I want to give them some valid reasons why this is a good idea for all of us.

Helmut Jilling
10th June 2008, 10:59 AM
That's where I'm headed but does anyone have a good way I can explain the benefits of having one schedule for all sites. I would appreciate any bites of wisdom that you have. Rather than me just saying "do it":whip: I want to give them some valid reasons why this is a good idea for all of us.


...cuz Corp said so.....

Actually, a multi-site schedule can be a simple matrix made up of the individual schedules:

Corp:
Process # 1
Process # 2
Process # 3

Plant A:
Process # 1
Process # 2
Process # 3

Plant B:
Process # 1
Process # 2
Process # 3

with twelve columns to show the dates the various audits will take place.

Mustang
10th June 2008, 11:04 AM
That's where I'm headed but does anyone have a good way I can explain the benefits of having one schedule for all sites. I would appreciate any bites of wisdom that you have. Rather than me just saying "do it":whip: I want to give them some valid reasons why this is a good idea for all of us.

because then the management team will see the audit results from one process (or however you group it) for all sites at the same time. It will help to root out whether a problem is a localized, one-off type thing, or a systemic problem throughout all (or a good part) of the organization.

It also may illustrate differences in how multiple sites follow the same process/procedure/etc. and make CA/PA/CI projects easier to find.

Univrsl
10th June 2008, 03:17 PM
Our company has a multi-site certificate. Currently I do the audits at 3 sites... my home site (major) I audit all the time, the off-sites (minor sites) I do a "sweep" audit of all applicable clauses during the course of a week, two or three times/year. Clearly this doesn't fit the "all at the same time" scenario, but has been quite effective.
There are two additional sites, one of those being also a major site. In January, we coordinate our schedules of the two major sites in a general way... we try to do the same clause(s) within the same month. It doesn't always work out. ;)

We do have the rationale and schedules for the major and minor site approved by corporate before implementation, and in the QMR we have evidence in a read-ahead package that details the classifications of findings and a review by the audit manager of any findings believed to cross site boundaries... and of course any c/a taken on those items.

This system has been acceptable, even appreciated by our registrar... but it is destined to change as we have almost doubled in size in the past 2 years. New corporate directorate wants everything to appear the same at each site and it looks like I'll be charged with making that happen.

Of course I'm going to consider some of the valuable input you all have discussed above as I begin to develop that plan...
:)

MichelleD
10th June 2008, 03:22 PM
We do have the rationale and schedules for the major and minor site approved by corporate before implementation, and in the QMR we have evidence in a read-ahead package that details the classifications of findings and a review by the audit manager of any findings believed to cross site boundaries... and of course any c/a taken on those items.

This is some great info. Thanks! This is definitely something we might can leverage here. Corporate wants as many of the processes to be the same if possible but some of our sites are design sites only so we may can look at them different based on a risk assessment.

Thanks again.....

qualitychic
10th June 2008, 03:45 PM
The guidance to qualify for multi-site certification is on Annex 3 of the IAF Guidance for Guide 62 (read page 41 - 48). See attached doc. This can be downloaded at www.iaf.nu as well.

AndyN
10th June 2008, 08:52 PM
The guidance to qualify for multi-site certification is on Annex 3 of the IAF Guidance for Guide 62 (read page 41 - 48). See attached doc. This can be downloaded at www.iaf.nu as well.

We have to be careful using this kind of guidance for internal audits. These are for third party audits and the OP was asking in the context of internal audits..........

qualitychic
10th June 2008, 09:06 PM
We have to be careful using this kind of guidance for internal audits. These are for third party audits and the OP was asking in the context of internal audits..........

My intention is to help her to understand how a company can be qualified for multi-site registration, not to be used for internal audits. Because I think it's important that they understand those requirements. By all means, there is no intention to confuse them with the internal audits. That's just my :2cents:

joshua_sx1
11th June 2008, 02:58 AM
If you reread the context of that sentence, you will see I was inferring that sometimes you can use an external auditor to your advantage. Sometimes when no one listens to an internal auditor or manager, when the external auditor writes it up, it has a little more leverage. But, that is a risky move and should not be used often. As an auditor, I don't like it, but I am sure I have been "shown" a few things over the years.
…I do understand your point, believe me… I was only emphasizing that whatever nonconformities you have seen (or you are seeing) should be discussed by the organization within themselves (that's why I used the word “discuss” and not “solve” or “resolve”)… because I knew the experience of highlighting a certain NCR during internal audit but nobody is listening (some are even commenting stupid findings)… until it was highlighted during external audit… then, as most top management’s scapegoat reasoning is the question “why it was not seen during internal audit?”…

…so, the only way-out for an internal auditor to save his butt, is to do his job properly… have records of whatever findings he made… and let the management decide whether they are significant or not…

MichelleD
11th June 2008, 04:46 PM
Ah - the joys of being in Quality. After lots of research here and talking with our registrar, I went to our Quality Manager with a revised Audit Schedule for all sites. His comment was "I don't understand. Why can't we just have one schedule, put in the procedure and never touch it again. That way Manufacturing will know they will always be audited on March and September of every year." And I'm thinking - :mg:Did he just say that? As you can guess the discussion went downhill very fast after that comment. I was and still am at a loss for words.

Coury Ferguson
11th June 2008, 05:06 PM
Ah - the joys of being in Quality. After lots of research here and talking with our registrar, I went to our Quality Manager with a revised Audit Schedule for all sites. His comment was "I don't understand. Why can't we just have one schedule, put in the procedure and never touch it again. That way Manufacturing will know they will always be audited on March and September of every year." And I'm thinking - :mg:Did he just say that? As you can guess the discussion went downhill very fast after that comment. I was and still am at a loss for words.

I can understand their point, and maybe I will get blasted by some other Covers (especially the ones from Registrars and/or Consultants). But, if I understand that the schedule reflects that all processes will be audited at a specified time frame, why would that not work?

I believe the requirement only requires that all processes at all facilities will be audited (if that is what the procedure states), but I could be wrong. Maybe I need some enlightenment.

I know someone will provide that insight.

MichelleD
11th June 2008, 05:16 PM
I can understand their point, and maybe I will get blasted by some other Covers (especially the ones from Registrars and/or Consultants). But, if I understand that the schedule reflects that all processes will be audited at a specified time frame, why would that not work?

I believe the requirement only requires that all processes at all facilities will be audited (if that is what the procedure states), but I could be wrong. Maybe I need some enlightenment.

I know someone will provide that insight.

The way I've always looked at it is that the standard states that your program should be planned based on importance, risk and results of previous audits. If I have an area that had many findings during the past year chances are that I will audit them more frequently next year or if there were no findings for the past several audits then I might audit them less. If the schedule always stays the same then the registrar/auditor will say these are not being taken into consideration during planning.

Boscoeee
11th June 2008, 05:31 PM
The way I've always looked at it is that the standard states that your program should be planned based on importance, risk and results of previous audits. If I have an area that had many findings during the past year chances are that I will audit them more frequently next year or if there were no findings for the past several audits then I might audit them less. If the schedule always stays the same then the registrar/auditor will say these are not being taken into consideration during planning.

I have to chime in on this one as I have struggled with a customer audit on this issue. Historically, when planning Internal Audits they are mapped to product and previous issues which does not drive me to do more audits necessarily. However, it does ensure that those areas are covered during the Internal Audit. One of my customer's auditors was very pointed in sharing a non conformance that my approach is not prudent or acceptable. In the spirit of ensuring that the Audit plan is more robust I am working through a planning process to replace the current annual plan that I use.

My thoughts today are to focus those areas that are the most important to our business.

1. Customer Escapes - Perform Product Audit on all customer escapes to ensure root cause and corrective action have been completed and validated.
2. Internal System Escapes - Audit the manufacturing and quality processes used to manufacture our parts when internal QPPM reaches trigger point.
3. QMS Audit - Continue to perform Internal Audits of the QMS on an annual basis.

Any comments about my approach would be helpful I am sure.

Thanks,

Coury Ferguson
11th June 2008, 05:39 PM
The way I've always looked at it is that the standard states that your program should be planned based on importance, risk and results of previous audits. If I have an area that had many findings during the past year chances are that I will audit them more frequently next year or if there were no findings for the past several audits then I might audit them less. If the schedule always stays the same then the registrar/auditor will say these are not being taken into consideration during planning.

I agree, that is the best approach. But, what is the (hypothetical) requirement that the Auditor is saying that you do not meet? You have planned intervals, based upon importance, and risk. Your auditors are competent, you have a defined procedure, so what am I missing here?

Sidney Vianna
11th June 2008, 07:56 PM
The way I've always looked at it is that the standard states that your program should be planned based on importance, risk and results of previous audits.

Michelle, you are definitely on the right track, but one correction I would like to offer. The standard does not state should, but shall. It is a requirement, not a suggestion. Internal audit resources are limited. They should be used wisely. An internal audit program which contains a risk management approach to it is a much better approach.

Univrsl
12th June 2008, 08:24 AM
Michelle, you are definitely on the right track, but one correction I would like to offer. The standard does not state should, but shall. It is a requirement, not a suggestion. Internal audit resources are limited. They should be used wisely. An internal audit program which contains a risk management approach to it is a much better approach.

Further to Sid's point, the rationale for the schedule should be presented with the schedule for approval. Our schedule and rationale are approved annually (or more frequently if conditions/schedule changes dictate) by the appointed Management Rep.

Our rationale for this year's schedule included production schedule and projected inbounds, results of previous audits with focus on work instruction currentness and accuracy, new personnel with focus on Quality Policy and criteria for product acceptance, customer complaints with focus on corrective action verification, customer requests, registrar's observations/improvement opportunities, and new off-site locations.

When all of these variables are considered, it's impossible to have one audit schedule in a procedure that never changes.
You could have a schedule where you always audit Manufacturing processes in March and September for example... but the focus or process areas audited may change from audit to audit based on criteria similar to our rationale above.