I tried to perform a search to see if I could find something to help me with this. I didn't have much luck finding what I needed. If I overlooked a thread, I apologize in advance.

I am getting ready to start performing our internal audits. We used to use Internal Audit software by Harrington. I hated the software so I "removed it from service". In creating our new audit process, I have put the responsibility of creating the questions on the checklist to the auditors. In reading some of the threads from my search there were some suggestions made to take a copy of the procedure with you and make notes and questions on it along the way. I hate the idea of using a "canned" checklist. We've been that route before. I just can't figure out another way do to this.

First you ensure our system meets the standard....if it does you proceed to see if what they are doing is compliant to the documented procedures and work instructions. There was also talk in some threads along the way of using checkmarks.

This is what I had in mind....

On the front page of the checklist have a place for the auditor to identify which clauses they are auditing against (these are identified on the audit schedule) and to the right have a place to check if the system satisfied the clause, same with the QMS. If there are any areas unsatisfactory you identify the findings or any observations below.

My boss really liked the idea of an Audit Summary Report. When we used Harrington, my boss at the time had me submit a copy of the checklist to All departmetal supervisors involved. There was no "report". To be honest they didn't read them half the time they'd look for any findings and that was it. If you don't do a checklist, just what do you do? How do you document and have a record of your audit?

If you audit against the standard and the QMS and everything is hunky dorey...What and Why would you want to go into all the detail of documenting what you compared it to and what you found I've already said in my auditing procedure that we audit the standard and our own QMS. Would this satisfy the standard.

People were talking about an audit trail in some of the threads I was reading on as well. I'm not sure how all this is coming into play.

Can anyone help me "see" the light? Knowing me, I'm making this much harder than it is.

You all have a GREAT weekend!
:bigwave:

Jamie

I meant to attach a copy of what I had created so far for our report and checklist. I hope I have them attached to this message right. If I do, what do you think?

Jamie

Originally posted by Jamie
First you ensure our system meets the standard....if it does you proceed to see if what they are doing is compliant to the documented procedures and work instructions. There was also talk in some threads along the way of using checkmarks.

If you audit against the standard and the QMS and everything is hunky dorey...What and Why would you want to go into all the detail of documenting what you compared it to and what you found I've already said in my auditing procedure that we audit the standard and our own QMS. Would this satisfy the standard.
:bigwave:
Jamie

Jamie,

We do not intend to let our Internal Auditors audit to the standard. They will audit approved procedures written with the standard in mind, by a Steering Committee of (7) Department Heads and Managers. These meetings are often contentious, argumentative and eventually end up in agreement regarding interpretations. If seven us find it difficult to agree on what the standard means, what chance does an Auditor have in coming to a conclusion on what meets the intent? That does not preclude them from using a checklist to perform their audits. Again, the checklist will be developed with the standard in mind by the Committee. While the Internal Auditors have had auditor training by an outside consultant, the limited time (2 man days) is not enough to become familiar with a document that they never saw before. They are also not being paid to spend hours reading the standard before beginning their audits. All Auditors have a copy of the standard and are encouraged to read it. Certainly, as they mature and become more familiar with the standard, they have the right through the Document Control System to suggest changes to procedures and explain why. But not now.
So, documents/procedures approved and released by the Committee are binding and only subject to arbitration with our Consultant and/or our eventual Registrar. While everybody on the committee is recognized for their individual expertise, the standard (or intent) causes a lot of confusion as to what a section really means. Look at the differing opinions that we see here at the Cove. If you allow your Internal Auditors to question anything that doesn’t agree with what they perceive to be the correct meaning of a particular section of the standard, you can be in for a long day. I’m a firm believer in that old saying, “Give a man a hammer and he will bang it”.


:ko: :smokin:

Oh I forgot. We have 8 auditors for a Company of 45 people. 4 of them are on the Steering Committee. That leaves 3 that are not auditors. Conflict of interest? Not. We're all in this together. JMHO

Energy

It is a requirement of ISO9001:2000 that your internal audits are conducted against the requirements of the standard.

Your internal audit system as you describe it would be non-compliant with ISO9001:2000, and doubtless ineffective also.

Love

Martin

I agree with M Greenaway here. All our internal audits start out from the std requirements. How else would we find out if we missed a requirement?
:confused:

/Claes

Aha... Debate.. I like that :D It depends on your priorities. Who cares if you miss a requirement? Don't you pay a registrar to look after that? Nope. We have to do it ourselves:

8.2.2 a (Internal audit): determine whether the QMS: conforms to the requirements of this standard.
Besides, The registrar spends two days/year here. Our internal auditors are here all the time. Thus they are able to dig up things the registrar would never find.
You could look at 9001 compliance separately Why? That would mean doing the same thing twice.why involve all those excellent busy people trying to do their work? Keep it away from them. Expose them to the organization's system, not to ISO 9000 I agree with that apart from the auditors. It's their job to do just that.

/Claes

Jim

Internal audits must address the organisations compliance with the requirments of ISO9001:2000. You can slice and dice it anyway you want - and you may seperate the compliance to ISO9001 audit (even if you call it an annual desk top review - or any other name) from the compliance to our own procedures, from the effectiveness of the system - but you have to cover all these points.

The system you describe does not do away with the ISO9001 compliance audit - you have just seperated it from the other audit criteria and called it a different name.

You quote 8.2.2. I submit that there is a much more relevant and important clause: 8.2.1.3. Tell me if you can't find it

Sure. 8.2.1.3 is certainly relevant (No worries about finding it either), and it reflects my main reason for doing audits at all: To find input for improvement. However, that cannot be used to negate 8.2.2. Exactly how an audit is performed is beside the point, clipboards and deskchecks or not. We still have to use them to make certain that we conform to 9001.

Besides, we never go out waving the 9000 flag during audits. We ask questions designed to tell us whether we can improve the way we work. If we find that we don't fulfil the requirements in the standard, that's one of the things we need to fix....
There are alternatives. You could, and this is JUST AN EXAMPLE, meet the 'conform to 9001' requirement by having one person do a deskcheck and then have managers audit their own departments or processes with no reference to ISO 9001 at all. Err... I certainly want them to work with improvement in their own areas, no argument there. But: Bearing in mind that you're not supposed to audit yourself that is continual improvement, not part of the audit system. And yes, you could have one person do a deskcheck to see if you fulfill the standard. I just fail to see the point in having a number of trained auditors do only part of the job and leave the rest to this one person when they are perfectly able to do it themself?

/Claes

Originally posted by M Greenaway
Energy
It is a requirement of ISO9001:2000 that your internal audits are conducted against the requirements of the standard.
Your internal audit system as you describe it would be non-compliant with ISO9001:2000, and doubtless ineffective also.
Love
Martin

I believe that my post says that they will audit to procedures that are written with the standard in mind. We stand by our procedures that they meet the standard. Auditors do not need to have a copy of the standard to do internal audits. They can use the checklist that the Registrars use and ask the same questions. The auditees have to demonstrate that they are aware of the procedures and I consider that effective. The standard is poured over in detail by the Committee and all areas will be addressed in some form or other. We will not have people reading into the standard and interpreting at will. We leave that to you guys. If we have done our job correctly, we're golden. If not, well, shame on us. The relevant sections of the standard are shown on the "references" portion of the procedures. Auditors are free to look at their copy if they determine that there is a N/C. They will not cite the standard. They can suggest changes if they feel that the procedure is causing a problem with their interpretation of the standard. We do not intend to muffle any concerns the auditors may have. And I also said that the auditors make up the majority of the Steering Committee, so they are in the driver's seat when it comes to approving and releasing procedures/documents. How you interpreted that we are non compliant in respect to internal auditing eludes me. But then, I'm not an acredited Auditor. I do have the feeling though that you would cite us because our auditors would not reference the standard when issuing a N/C. They would be referencing our procedure, by paragraph, etc.. I promise to study that more carefully, as your posts usually contain some thought provoking subjects and are usually right on. Are you one of those auditors that are so sure that they are correct that there is no way you can see an alternative method? You question everything as evidenced by your initiated topics. I'm a little surprised at your response and will investigate further. Thanks for the input.

Claes

I think we are in agreement!

If we want the badge, we must meet the requirements. But we can meet them any way we choose.
Absolutley Jim,

Nice to have a bit of a discussion every now and then. It sparks the old creativity. And believe me: Just like you I'm doing my level best to cut down on the crap in the QMS and concentrate on what should be there.

/Claes :agree:

Energy,

We only have two auditors, one of which is myself. We don't have a Steering Committee that writes our procedures. Truth be know, that would be me. I know that isn't what most people want to hear or what should be done. In creating this system, I've been the one to create each operational procedure and work instruction. Now, keep in mind that in doing this I did ask Managers questions on how things were done, etc. etc. After I completed a draft, I'd submit it back to Mgt. for review. When it came time for approval. The appropriate dept. Authority would approve on grounds of accruacy with the process and I'd be approving to ensure consistency with the standard.

The way we are doing this, there is no room for disagreements on what the standard means. No one in the company other than Myra and myself really have read the standard. Well, I take that back Renee (the VP) has. When I gave her my draft of the new QM I also gave her a copy of the standard. So she could tell where I was coming from.

I wish our company was big enough to implement some of the things you have. That would take a load off of my job!

Our internal auditors, have been trained, I guess you'd say by BVQI. When we attended that Lead Auditor Training Class. If that is what you want to call it. They really didn't give you a whole lot of training on how to conduct an audit, the checklist, etc. That may be why I still have so many questions. They did however cover such things as an audit team, team meetings, etc. Our company is so small that there is no audit team. I conduct the audit, compose my findings and submit to Mgt.

I have plenty of time to audit to the standard and our system. In creating my audit schedule I have given myself 2 to 4 weeks to complete one audit. At least I hope I've given myself enough time to effectively do that.

I'm still confused on how the Audit Checklist and the documenting of the Audit play into everything and the "correct" way of doing this. I'm sure it will all come together. I'll make it if I have too!

Jamie:bigwave:

Howdy Y'all

We know that 9004-2000 Guidelines for Performance Improvements is not what we get registered to, but I like it because it is meant to guide you in improving the QMS. It also, I believe, shows you what is expected of you in determining whether or not you meet the standard. Section 8.2.1.3 Internal audit does not mention once that you audit to the standard. In fact, I feel we are doing what is suggested:

“Top Management should ensure the establishment of an effective and efficient internal audit process to assess the strengths and weaknesses of the quality management system. The internal audit process acts as a management tool for independent assessment of any designated process or activity. The internal audit process provides an independent tool for use in obtaining objective evidence that the existing requirements have been met, since the internal audit evaluates the effectiveness and efficiency of the organization.

All eleven examples of subjects for consideration by internal auditing contain no mention of the standard.

The only place that mentions “to the requirements of this International Standard” is the standard itself. It is nestled neatly between “conduct internal audits at planned intervals to determine whether the quality management system a) conforms to the planned arrangements, to the requirements of this International Standard and to the quality management system requirements established by the organization.

Reading that exactly as it is shown indicates that the standard is included in the planned audits. The rest of 8.2.2 makes no mention of the standard during the planning, consideration, scope frequency and methods, etc..It appears to lean towards processes and areas based on status and importance.

So taking it literally, it appears that you must show evidence that the standard was used during the audit. The fact that our procedures were designed to meet the standard doesn’t appear to matter. If I get a narrow minded, let me show you how smart I am, type auditor, I can expect a N/C. Right? That's not you, M.

I say, if my procedure doesn’t meet the requirements of the standard, then I deserve a N/C.

M,
You’re point is well taken. However, I will take my chances that our External Auditor/Assessor will know the standard and during the document assessment of our Internal Auditing Procedure will tell me if it’s adequate. It explicitly, by means of omission, makes no mention of the Standard, except reference to the applicable section as posted above. It mentions records, other procedures contained therein (which are fair game for auditing if they define it in their scope). They will know the section of the standard that this procedure covers. That’s it. Well, back to work! Great discussion.
:agree: :ko: :smokin:

Energy

Much like Jim Wades proposed 'audit' routine it appears that you are addressing the requirement to ensure you are compliant with the standard outside of what might be considered the 'traditional' (?) approach to auditing.

So its possible you are meeting this requirement under another guise - which is theoretically OK, let us know how you get on with your assessors on this.

Energy,
Our system has been set up similar to yours for 8 or 9 surveillance audits now. We have not had a problem with conformance. Ours uses the references in procedures to show which element/requirement it covers. Therein lies the audit trail!!!

I was reading in ASQ magazine this weekend about a group of "Quality Professionals" be asked what there quality system was. A majority of them said it was QS/ISO 9000. The author went on to state that that is not what your quality system should be.

I agree on keeping the "standard" from the your employees. They should understand that it is the way the company operates not how the company conforms. It is my job as Management Rep and Systems Manager to ensure our system is found in conformance. The systems compliance is my responsibility, the operational compliance to the system is theres.

I agree with Energy, Randy and Jim Wade here.
It is my job (as MR) to ensure that the whole system meets the requirements of ISO9001. It is my Internal Review team's (I hate the word Audit as well) responsibility to check that the procedures as written are being followed.
If there are any changes required, these changes must pass through me to check that how they affect compliance. The surveillence audits then confirm that compliance is maintained.

This is the way our Internal Review system "determines whether the quality management system a) conforms to ... the requirements of this International Standard AND to the ... requirements established by the organisation..."

Internal Reviewers are not trained in ISO9001 nor do they report based on requirements of the standard. They are trained to review against what is written for the procedure.

Internal auditors should audit to the "approved" procedures that have to do with the running of the company. The registrar/auditor audits to continuing conformance, effectiveness, and suitability.

And count me on the side of intrnal auditors that don't need to use a checklist but find them helpful. It is all in the training of the internal auditor.

Let's KISS

Al,

If you don't mind me asking....If you don't or prefer not to use a checklist, then what do you use to "record" your audit? What do you use for your record?

Jamie

We don't use the "checklist" either. Our reviews are based on our processes so reference to the process flow, procedure, operator instructions, or control plan is what is documented. These items will, in turn, reference a clause, element, etc. that it is applicable to. I record what document I'm reviewing and my findings or suggests, these are used for our registrar along with my quarterly summaries to the company Steering Committee.
Checklists are great for new auditors to ensure they look at the right stuff, but once someone is familiar with your system and how the evidence is obtained, IMHO the checklists become to restricting. It's like always having training wheels on. I have found that using the process flows opens up more discussions on the "what if you did this" and "what happens if you miss this" type of involvement. It is not true everywhere, but all too often the checklist becomes similar to a light switch, it is either on or off, and I feel this is where a bunch of companies lose a great opportunity for continuous improvement.
On the other hand I have seen a few checklists that have been based upon the processes (i.e. Control Plan preparations and design inputs) that are very good. :bigwave:

Jamie/Al,

We created a "blank" checklist for the auditor to develop his/her own questions, based on the procedure they are auditing. For new auditors, it keeps you focused when the auditee starts their smoke and mirrors responses. A seasoned auditor is experienced in the various nuances involved with person to person contact, where one is being interrogated :vfunny: by another.
The list has the left side for the questions that are formulated during the auditors desktop audit of the procedure. The rule of thumb is twice the time for the desk top audit than the actual audit. You can only do that with a checklist. The center portion has a place for the auditee's responses. The right hand column has place for comments, objective evidence, etc. When the audit is completed, the auditor has an audit report form to complete with the information that is recorded on the checklist. Seasoned auditors may scoff at the use of a checklist, but during our auditor training, both instructors approached the desk top audit the same way. What do you do? Write your questions on a lined pad? Why not? It still becomes a checklist, of sorts.

Jamie. I will send you the forms I have, sans our company name and logo. Enjoy!

Al, about that kiss. Do you want it on the cheek or a soul kiss that will reach your soul as it passes your tonsils? :ko: :smokin: :biglaugh:

:bigwave:

I fall under the same catagory as Jamie with a total of 5 auditors including myself. I write all procedures and work instructions and submit for approval form our management team. Our management team review as a general rule is nothing more than a debate over intent of the "STANDARD".

To ensure that I have not mis-interpreted the standard I allow my auditors to "audit my procedures to the standard" before performing the manufacturing end of the audit.

I made this change in an attempt to have as many "EYES" see that my procedures meet the "STANDARD". :frust: So far my auditors like the idea of being able to look at the procedure and the standard, I think that it gives them a better understanding of what exactly it takes to write a procedure that meets the standard and is functional at the manufacturing level.:ko:

:truce: I have given up trying to be the lone soldier when it comes to compliance to the standard. I feel that one person writing the procedures and checking for compliance is asking for trouble.

Curt

Originally posted by Curt
:bigwave:
:truce: I have given up trying to be the lone soldier when it comes to compliance to the standard. I feel that one person writing the procedures and checking for compliance is asking for trouble.
Curt

If I didn't have a 7 person Steering Committee reviewing procedures, I would have probably allowed the Auditors a whack at the standard. As I said previously, 4 members of the committee are Internal Auditors, so I have the help I need. You're right, you shouldn't have to go it alone. When it comes to the standard, most people who don't have regular exposure are looking for the boogey man and begin to act like attorneys trying to demonstrate their vast knowledge in interpreting the written word. Our meetings can grow quite contentious and have ended up with the GM, my boss, slamming his fist down on the table and saying, "That's it. We do it this way. Case closed. Get on with it". Most times it's directed at me! :vfunny: But, I have my moments when he knows I'm more than a match for him on this subject and not just his subordinate. :rolleyes: :ko: :smokin:

:biglaugh: And here I thought I had the market cornered on getting the BOSS pi**** off...:rolleyes: Glad to see I am not alone.

Curt

Our reviewers/auditors make up the Operations Engineering Group. Within this group we have Scheduling, Industrial Eng, Quality Eng and now a "Black Belt Candidate". We have tried to take a cross cultural section of the manufactuing area to drive the continuous improvement effort. I am the only one really schooled in the "Standards" (Cert Lead Auditor) so we work on the processes as a team to ensure compliance. It works for us in that it keeps us as part of the "team concept" and not the Audit Gestopo.:biglaugh:
We review all the findings and direct the problem solving/root cause analysis programs. I end up presenting this information at a monthly Steering Committee meeting and weekly Staff meetings. Coupled the 5S initiatives, Lean Principles, etc. rolled out to the staff managers with the meeting minutes and deeper dives, you end up with a pretty complete package to show the external guys when they come in.:bonk:

Originally posted by Jim Wade

I ask this with tongue firmly in cheek, admittedly.

But look carefully at the wording:

"The responsibilities and requirements for planning and conducting audits and for reporting results and maintaining records (see 4.2.4) shall be defined in a documented procedure".

Elsewhere in 8.2.2 we are told we "shall conduct internal audits", and an audit programme "shall be planned", but nowhere does it say we shall have a record or that we shall report results.

rgds Jim [/B]

Ok so you don't have a report but: 5.6.2 Review input:
"results of audits"
How do you give results of audits with out some form of report?

It's not that we don't have a report. I report out to our Steering Committee monthly. We do not perform the "formal" internal audits (clipboard, checklist, etc.). Utilizing the skills of industrial, process and quality engineers linked to the corrective/preventive actions and continuous improvement initiatives, we have a reporting system. :bigwave:

From my point of view (biased from my teacher of course):

A checklist is simply a tool. Your audits after registration are often focused on compliance to your policies and procedures not directly against the standard itself since you are already registered (thus obiouvly compliant to the stnadard). Now is the time to check to make sure "you do as you say you are doing).

A checklist is not evidence for a report. Evidence is, essentially, anything which invloves the process being audited (p.o.'s, forms, calibrated or uncalibrated tools, etc.).

Therefore, for our auditors, we have a "loose" checklist where the questions we ask might be jotted down on our form along with the evidence of our findings.

These then are collected and kept with internal records and are the basis of the internal reports, but are not the reports themselves of course.

I am from a very small company of 20 people, so reducing the need for strict rules within the company is a plus for us.

In the hopes of heading off some wrong-thinking:
I can see where someone might also argue that if you are only audited annually to the Standard...documents that are updated in between time might change the companies compliance.
However, as the ISO Coordinator (and hopefully everyone certified has someone performing same task regardless of position) when a document change is requested my job is to evaluate the document(s) to ensure that compliance is maintained.

This in itself (IMHO) is a form of internal audting to the standard so no the actual Internal Audits don't need to address the standard only how they perform against their process procedures.

We also require a checklist be developed for internal audits. The auditors must take into consideration the documents used by that process as well as results of previous audits and any other nonconformances reported (not a witch hunt...just additional follow-up to ensure CA taken was long term effective and maintained).

Eileen

I have a question...We have been using the standard QS9000 AIAG checklists for auditing which restricts us to auditing by element. Has anyone seen a book or CD or something with an Audit Trail version of checklists in it? Especially keeping in mind moving towards TS-16949?

I would also be interested in information on process based checklists and how to develop them. I attended a seminar on ISO 9001:2000 and realized that we would need process checklists but these would need to be uniquely developed for your individual company and processes to fit they way things are done. I want to have a checklist to guide the auditor (usually myself) on what to look for and what to ask in order to get in as deep as possible and uncover those elusive improvement opportunities.
I also wonder how many auditors are able to judge if a process is efficient. How can you write a finding like "the process of issuing a purchase order takes too long and involves more personnel than necessary"? Who am I to tell the purchasing department this. As one of our quality managers says "I'm just the stupid QA guy. What do I know?".
:biglaugh: :bonk:

O.K., I'll bite: Where is clause 8.2.1.3?

Bigbear

Bigbear said:

O.K., I'll bite: Where is clause 8.2.1.3?

Bigbear

Hi Bigbear - welcome to the Cove...

8.2.1.3 is in ISO 9004:2000, not 9001. It's not an auditable clause - it's one of those "shoulds" that ISO came up with to take your organization to the "next level" of quality after getting your 9001 cert.

Hope this helps....

Cheers!!!

Mike