
View Full Version : Who is responsible for auditing the Internal Audit system?


chasf
26th February 2009, 09:40 AM
We use a consulting service to do a whole system internal audit yearly.
It was suggested to me recently that this auditor should not audit the internal audit portion of the system because it was his responsibility.
I would say that because he is not a member of audited party’s organization he would not be responsible for that part of the system.
I would greatly appreciate your expert opinions on this.

somerqc
26th February 2009, 10:02 AM
I would agree with you. However, they (the external company) need to be auditing the person internally that is responsible for managing the audit program.

In other words, who controls this external body regarding the audit frequency, content, direction, corrective action follow-ups, etc? They need to be audited to ensure you are meeting the requirements of your procedure and the standard.

bobdoering
26th February 2009, 10:21 AM
We use a consulting service to do a whole system internal audit yearly.
It was suggested to me recently that this auditor should not audit the internal audit portion of the system because it was his responsibility.



8.2.2 Internal audit
Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

True, this auditor should not audit the internal audit portion of the system because it was his responsibility. Does not matter who he works for - does not fall into the decision of "their own work."
But, using an outside source for the audit -and only once a year - is a goofy notion. You already have an outside service doing an audit - it is called an assessor. So, now you have two - and one - the internal auditor - is probably doing even less. That is the input to the Management Review. And, the management is satisfied with the resolution of a one per year internal audit? Sounds like quality level TCE - just enough to meet the barest minimum. Sure, it meets the requirement, but not very effective.

:soap:

If I was doing a supplier audit, and saw this in the system, I would recommend to purchasing to look for other suppliers. It is clear that management is based in minimum requirement philosophy. Some might call that efficient, but it can also be a systemic clue of what to expect in other areas.

Jennifer Kirley
26th February 2009, 10:22 AM
I would agree with you. However, they (the external company) need to be auditing the person internally that is responsible for managing the audit program.

In other words, who controls this external body regarding the audit frequency, content, direction, corrective action follow-ups, etc? They need to be audited to ensure you are meeting the requirements of your procedure and the standard.

I agree with this, but if there are significant gaps, the people nearest them could be the last ones to realize it. The customer can audit them, and consider it a supplier control effort as well as auditing the audit process.

somerqc
26th February 2009, 10:56 AM
I work with many vendors that are just too small to afford to have this type of resource internally.

One example in particular is one of our best vendors in terms of price, delivery, and quality. In fact, they even helped us resolve a customer complaint to the point where the customer has pointed out that it hasn't happened since the change occurred (over 18 months ago).

Just because someone uses an external internal auditor is not by itself an indication of the potential performance of the vendor!

John

Bunny
26th February 2009, 11:49 AM
There is nothing wrong in having a consultant perform annual internal audits if you do not have the resources on hand. But, someone from your company, probably the Management Representative, must be responsible for the overall implementation of the audit activities. This person would probably be the best suited to audit the auditor. The auditor can not audit his/her own work. You can have a 2-part audit of internal auditing. One part to verify that the schedule is sufficient and the audit procedure is adequate and another part to verify that the audits are thorough and effective.

Jennifer Kirley
26th February 2009, 12:31 PM
Great first post, Bunny! Welcome to the Cove. :bigwave: Hope to see more of you soon.

bobdoering
26th February 2009, 12:38 PM
I work with many vendors that are just too small to afford to have this type of resource internally.

Just because someone uses an external internal auditor is not by itself an indication of the potential performance of the vendor!


That in and of itself does not bother me - but in combination with just an annual audit is very suspicious. Again, it meets the requirement, but waiting around a whole year to discover a system deficiency is weak to me.

Jim Wynne
26th February 2009, 12:46 PM
Just because someone uses an external internal auditor is not by itself an indication of the potential performance of the vendor!
John
When I read the phrase "external internal auditor" I got dizzy for a moment. :lol:

chasf
26th February 2009, 12:56 PM
Maybe it would have been better to state it this way.

Can a subcontracted internal auditor conduct an audit on the internal audit segment of the QMS and be compliant with ISO 13485 /9001?

Even that is a bit of a tongue twister.

bobdoering
26th February 2009, 01:00 PM
Maybe it would have been better to state it this way.

Can a subcontracted internal auditor conduct an audit on the internal audit segment of the QMS and be compliant with ISO 13485 /9001?



Well, shoot, while we are at it the standard asks us to determine the proper frequency...never says how often. So, if we do 3 annual audits and have no findings, can we push out the internal audits to every two years, a la calibration?:biglaugh:

somerqc
26th February 2009, 01:19 PM
I purposely did that. I noticed it when typing I just couldn't think of a short phrase that was less dizzying.

Sorry for any dizzying I may have caused. I have been buried in government bureaucracy for the last week....makes all this seem normal. :mg:

chasf
26th February 2009, 01:24 PM
Well, shoot, while we are at it the standard asks us to determine the proper frequency...never says how often. So, if we do 3 annual audits and have no findings, can we push out the internal audits to every two years, a la calibration?:biglaugh:


Maybe we can audit an entire QMS in just four sentences.
That too would not be very helpful.

Stijloor
26th February 2009, 01:25 PM
When I read the phrase "external internal auditor" I got dizzy for a moment. :lol:

Jim,

Many of us are at the moment. ;)

Stijloor.

bobdoering
26th February 2009, 02:50 PM
Maybe we can audit an entire QMS in just four sentences.
That too would not be very helpful.

Quality level TCE does not mandate "helpful." Only the barest minimum to meet the requirement! :bonk:

chasf
26th February 2009, 03:56 PM
Quality level TCE does not mandate "helpful." Only the barest minimum to meet the requirement! :bonk:

Advice or suggestions are helpful.
Forming the assumption that a company has a “minimum requirement philosophy” from a 4 sentence snap shot is irresponsible.

bobdoering
26th February 2009, 04:45 PM
Advice or suggestions are helpful.
Forming the assumption that a company has a “minimum requirement philosophy” from a 4 sentence snap shot is irresponsible.


I disagree. There was very solid evidence supplied within those 4 sentences.

JaneB
26th February 2009, 08:21 PM
When I read the phrase "external internal auditor" I got dizzy for a moment. :lol:

Hope you sat down until it passed, Jim. :D

JCVP1969
27th February 2009, 07:14 AM
Hi,

I do this also for a few of my clients. You can easily get around this issue by making sure you verify the sections that have been audited by the consultant.

This in most cases is a simple signature and you can say you have independently checked what the auditor has done!

I would recommend you go on an internal auditor training course to cover all the bases though!

bobdoering
27th February 2009, 07:21 AM
I would recommend you go on an internal auditor training course to cover all the bases though!

Yes, it is a shame the consultant is not qualified to provide the training. If so, they should have already provided some. :rolleyes:

Jennifer Kirley
27th February 2009, 10:00 AM
Let's come back to the original question. Let me see if I understand it.

If internal audits are being contracted, can that contracted person, whether a contract person working on premises or on a visit basis via a consulting company, also audit the audit process?

I would say the short answer is no. Not only "no" in the sense that the consultant him/herself can't do it, to be safe I wouldn't even allow anyone in the same consulting company to do it. That point may be rightfully debatable, but it's my position.

Now I will venture into the more complex. Chances are the audit process involves more than auditing. Things like scheduling, planning and the handling of nonconformances are also auditable, and chances are good they are not contracted services. If I was doing one or more of these functions in my company, I could not pass the straight face test if I audited the functions. Someone else should do it.

Yes, whoever does this needs to be competent and some kind of reasonable training typically leads up to that. But regardless of qualifications to train, the consultant can't be expected to provide this training unless he/she has been contracted to do it.

Frequency (scheduling) is a separate subject. By all means one can, and should look at the process's effectiveness as often as is needed to validate it's effective, but that wasn't the question.

Marc
27th February 2009, 01:55 PM
That in and of itself does not bother me - but in combination with just an annual audit is very suspicious. Again, it meets the requirement, but waiting around a whole year to discover a system deficiency is weak to me.

I did internal audits for companies for quite a while. Always yearly. I've never heard anyone call the audit schedule suspicious because the internal audit frequency was 1 year. If a 1 year internal audit schedule is 'suspicious', then many registrar audits are 'suspicious' as well as many only come once a year.

Nor did I run across a company which had a problem that the yearly internal audit schedule was an issue because something was left 'undiscovered'.

When I did internal audits I audited the internal audit system. I was not responsible for the audit system, only for the internal audit I did.

What I did do was require someone from the company to go over my internal audit and do a writeup (audit, if you will) of my audit to verify that I did the internal audit according to the system. The person who reviewed my internal audit was the person who was responsible for the internal audit system.

The only time there was a complaint it was from a registrar's auditor who tried to write the company up for 'ineffective internal audits' because for a few years I found no nonconformances during my internal audits of their company. Funny thing, that. The company owner got the registrar's rep on the phone while the auditor was there and explained the writeup. The company owner asked if they would get a refund because the registrar's audits had not turned up a nonconformity in something like the previous 4 years. This writeup was the first in about 4 or 5 years. The company owner accused the registrar of performing ineffective audits. The registrar's rep spoke with their auditor for a couple of minutes in private. Needless to say, after their brief talk the auditor decided that apparently my internal audits could not be cited as ineffective.

bobdoering
27th February 2009, 01:58 PM
I did internal audits for companies for quite a while. Always yearly. I've never heard anyone call the audit schedule suspicious because the internal audit frequency was 1 year. If a 1 year internal audit schedule is 'suspicious', then many registrar audits are 'suspicious' as well as many only come once a year.

Well, it may have taken a while, but now you can say you have. :tg:

Marc
27th February 2009, 01:59 PM
Bob, that's 1 (you) out of tens of thousands of people.

bobdoering
27th February 2009, 02:01 PM
Bob, that's 1 (you) out of tens of thousands of people.

No problem, somebody has to tell the king he has no clothes. Might as well be me. :tg:

Won't be the first time.

Marc
27th February 2009, 02:02 PM
Now you're just being argumentative.

bobdoering
27th February 2009, 02:08 PM
Really? Then, you might want to share the origin of the concept of layered audits. Whether one thinks they are of value or not, the key is why anyone would have felt a need to even think of them. Sure - does not relate to ISO13485 (boy, do I know) - but that system is lagging, anyway.

But, on the other hand, your luck of auditing companies with no findings is extraordinary. Life is good to you...or something. :tg:

Randy
27th February 2009, 02:11 PM
Heeeeeeeeeeeey Bob! How does a 1 person organization perform internal audits?

I've done lots of audits where I didn't find a NC....Maybe some folks don't understand the limitations of the representative sampling process.

Marc
27th February 2009, 02:14 PM
But, on the other hand, your luck of auditing companies with no findings is extraordinary. Life is good to you...or something. :tg:

That was one company. They did (and still do) good work.

Not every company has findings during audits, internal or otherwise. Some companies do things well so there's nothing to find. It's not unusual to have no findings during an audit.

somerqc
27th February 2009, 02:23 PM
Marc,

Stop - now I am just getting depressed. :(

bobdoering
27th February 2009, 02:27 PM
Maybe some folks don't understand the limitations of the representative sampling process.

Another good reason to do a little bigger sample for internal audits than one per year...unless you are auditing Marc's Holy Grail client! :tg:

Randy
27th February 2009, 02:29 PM
Soooooooooooooooooo, now the expectation is to sample until you find a NC or the audit is to be suspect?

Marc
27th February 2009, 02:30 PM
What has become suspect is Bob's auditing background, knowledge and experience.

bobdoering
27th February 2009, 02:35 PM
What has become suspect is Bob's auditing background, knowledge and experience.

Funny guy. I think we'll keep you. :tg:

Marc
27th February 2009, 02:38 PM
Funny guy. I think we'll keep you. :tg:
So state your qualifications, Bob.

bobdoering
27th February 2009, 02:41 PM
Soooooooooooooooooo, now the expectation is to sample until you find a NC or the audit is to be suspect?

Uh, no. Didn't say that. Wrong extrapolation of my comments. What I said was sample once a year and the probability of missing something occurring, oh, I don't know any other time of the year, lets the problem rot for a very long time. Might be some risk to that.

Please, I already agreed that once a year exceeds the requirement. So, one can easily conclude that it is "good enough." It's just that I do not agree that it is in fact good enough. The fact that people love to only do it once a year surely does not influence my opinion.

Randy
27th February 2009, 02:42 PM
Here you go Marc, from the profile...

Bob Doering has been in the quality field for over 13 years, and has industrial experience for over 28 years. He is an adjunct instructor at Lorain County Community College in Engineering Technology and Enrollment Services departments, and has lectured classes in Metrology and Qual. Mgt. He holds associates degrees from Lorain County CC and U. of Akron in OH; BA in Business; MBA in Sys. Mgt. from Baldwin-Wallace College, Berea, OH and doctoral level work at Cleveland State University. He is a CMQ/OE, CQE, CQA, and CMI.

Randy
27th February 2009, 02:43 PM
Uh, no. Didn't say that. Wrong extrapolation of my comments. What I said was sample once a year and the probability of missing something occurring, oh, I don't know any other time of the year, lets the problem rot for a very long time. Might be some risk to that.

Please, I already agreed that once a year exceeds the requirement. So, one can easily conclude that it is "good enough." It's just that I do not agree that it is in fact good enough. The fact that people love to only do it once a year surely does not influence my opinion.


What would or could be good enough for a 1 person company?


And, where does once a year exceed requirements?

bobdoering
27th February 2009, 02:47 PM
Here you go Marc, from the profile...


Thank you Randy. Saved me the work. I left off my former Provisional ISO Auditor certification, since I decided not to continue paying it for street cred, or my training as a TS 16949 or ISO13485 internal auditor. But, puffery really isn't the issue. The context speaks for itself.:tg:

Randy
27th February 2009, 02:49 PM
Thank you Randy. Saved me the work. I left off my former Provisional ISO Auditor certification, since I decided not to continue paying it for street cred, or my training as a TS 16949 or ISO13485 internal auditor. But, puffery really isn't the issue. The context speaks for itself.:tg:

Mr. Nice Guy, that's me:D

db
27th February 2009, 02:50 PM
It's just that I do not agree that it is in fact good enough. The fact that people love to only do it once a year surely does not influence my opinion.

This might not be a case of loving to audit only once a year. In the cases where I audit only once a year, it is a case of cost/benefits. A good QMS will find and fix these issues before the audit. Internal audits only check to see if the QMS is working, not to try to fix the issues. Things found in audits are only symptoms of other issues. These issues also cause symptoms that will show up in non-audit areas as well. Organizations better not be waiting to find something in an internal audit to fix things. If you have a good running QMS, then auditing once a year should be more than just good enough.

bobdoering
27th February 2009, 02:53 PM
What would or could be good enough for a 1 person company?

A one person company should be easy to audit quarterly, right? Should be fairly simple.

And, where does once a year exceed requirements?

The standard states "planned intervals", right? Does that say annual? Biannual?

Randy
27th February 2009, 03:00 PM
I'm a simple man and kinda new to this in the quest for answers.

Doug Tropf
27th February 2009, 03:54 PM
Even if the planned internal audit intervals are annual, there should be enough flexibility in the scheduling to allow for special (as in more frequent) attention to areas of concern.

db
27th February 2009, 04:01 PM
Even if the planned internal audit intervals are annual, there should be enough flexibility in the scheduling to allow for special (as in more frequent) attention to areas of concern.
Yes, most definitely! These are what I call supplemental audits. They can be triggered by just about anything.

Coury Ferguson
27th February 2009, 04:26 PM
<snip>The standard states "planned intervals", right? Does that say annual? Biannual?

So, if I understand what you have stated here, is that annual audits aren't planned intervals. How can that be since I "planned" my intervals at 1 year.

Please explain your apparent logical conclusion that 1 year intervals does not fall under planned?

db
27th February 2009, 04:34 PM
So, if I understand what you have stated here, is that annual audits aren't planned intervals. How can that be since I "planned" my intervals at 1 year.

Please explain your apparent logical conclusion that 1 year intervals does not fall under planned?
I don't know, perhaps it is just me, but what I took from his statement that yearly is a planned interval, so therefore it exceeds (as in goes beyond) the standard.

Coury Ferguson
27th February 2009, 04:42 PM
I don't know, perhaps it is just me, but what I took from his statement that yearly is a planned interval, so therefore it exceeds (as in goes beyond) the standard.

Maybe I am incorrect in my interpretation. There is only one standard that I am aware of that has 1 year stated, that is ISO17021, paragraph 9.3.2.2, but that applies to the CB's (Certification Bodies) and not internal audits.

Jennifer Kirley
27th February 2009, 04:46 PM
I didn't see where it was stated or suggested that everything was getting a single audit in one shot, once a year. Unless I misunderstood, the audit process was to be audited once per year. That is not unusual or risky, from my experience.

Similarly, a once-per-year scheduling of process audits is also typical. Sure, when auditing training one is also bound to do some coverage with records retention - but that's not going to mean it's a documentation audit so one can't claim to be doing two documentation and records audits in one year if a records check is part of a standalone process audit.

Also, looking at a process from time to time or performing an unscheduled audit out of perceived need is not uncommon in a functioning system. But none of this has anything to do with the poster's question anyway.

I do not know why this subject has been made to look so complicated or contentious.

Stijloor
27th February 2009, 04:59 PM
I didn't see where it was stated or suggested that everything was getting a single audit in one shot, once a year. Unless I misunderstood, the audit process was to be audited once per year. That is not unusual or risky, from my experience.

Similarly, a once-per-year scheduling of process audits is also typical. Sure, when auditing training one is also bound to do some coverage with records retention - but that's not going to mean it's a documentation audit so one can't claim to be doing two documentation and records audits in one year if a records check is part of a standalone process audit.

Also, looking at a process from time to time or performing an unscheduled audit out of perceived need is not uncommon in a functioning system. But none of this has anything to do with the poster's question anyway.

I do not know why this subject has been made to look so complicated or contentious.

Jennifer,

There are quite a few topics here at The Cove that inflame emotions:
(Not necessarily prioritized);)

Corrective Action vs Preventive Action
The 2-page Quality Manual
Audits and auditors in general
SPC
Six Sigma
Standard interpretations
Cpk and Ppk
and more....
They tend to bring out the best, and sometimes the not-so-best out of Covers...:nope:

But as Marc stated a few times, as long as we keep it civil, it would be OK.

Stijloor.

Marc
27th February 2009, 05:25 PM
There are quite a few topics here at The Cove that inflame emotions:
(Not necessarily prioritized);)

Corrective Action vs Preventive Action
The 2-page Quality Manual
Audits and auditors in general
SPC
Six Sigma
Standard interpretations
Cpk and Ppk
and Marc....
They tend to bring out the best, and sometimes the not-so-best out of Covers...:nope:

But as Marc stated a few times, as long as we keep it civil, it would be OK.

There. Fixed that for you... ;)

Stijloor
27th February 2009, 05:48 PM
Marc,

Naaaah! :notme:

Stijloor.

Johnson
23rd March 2009, 10:21 AM
There is no regulation ....Depending on how your organization defines it...But it can not be the person who lead the internal audit.

Matt M
23rd March 2009, 10:47 AM
My organization tackled this problem by reserving one internal auditor to perform that particular audit and no other. We perform this audit at a minimum of twice a year, but it has had higher frequency when an issue seemed to develop. I think there are many areas of the requirement where a once a year check, is just too long to wait.