Hello everyone.

This is probably a stupid question, but I was interested in finding out what type of checklists people used for internal audits, as far as if specific checklists are developed for each area or if generic checklists are used that maybe reference procedures or documents for the area being audited.

Your company procedures have got to bounce off of the standard you are working with (9K2K I guess).

Base your Internal Audit on your procedures/instructions and the way you say you will do business.

If your procedures meet the requirments of the standard, and you audit against your procedures/instructions you should be OK.

That's about as simple as I can put it.

The primary guidance for a process is a procedure/instruction that gives the who/what/where/when/why & how.

It would be silly to audit a process without knowing what makes it tick. "Duhhhh yep. Looks like somethin's happenin, but I'd be hornswangled why and whut fer"

Randy

Your statement 'If your procedures meet the requirements of the standard.......' is a very big IF, and is one of the questions that needs to be addressed at internal audit.

Purely auditing compliance to procedures would be auditing only requirement 4.9.c of the 1994 standard (still dont quite know where it is in the 2000 standard). If your internal audit programme only addresses one requirement from the standard I would say that is is very much lacking.

I would also wager that your findings from such an audit programme are typically trivial non-compliances that just require petty corrections to the documented procedure.

Audits should be undertaken against the requirements of the standard, and your checklists should cover those requirements that are applicable to the area/process you are auditing. You cannot claim that by auditing procedures you are indirectly auditing against the requirements of the standard.

Jim

I would agree that a company has to have many other methods of constantly checking other important things. But I would say that these should be done through the process monitoring required by the standard.

I believe that internal audits should stick to the task of ensuring compliance to the standard, i.e. are operational definition of an internal audit should be the assessment of the quality management system against the requirements of the standard. But like you say we must have other things going on that tell us more important things about the effectiveness and efficiency of our business.

So I dont disagree, just think we should draw a line around what we want from 'internal audit'.

Jim

The examples you quote are requirements of the standard, and as such would be audited when conducting an audit against the requirements of the standard !

i.e. clause 5.4.1 requires the company to have quality objectives, as such our audit checklist will include the question 'has the organisation established quality objectives.....'

Simple eh ?

Jim

As we know ISO9001 goes around and around in circles, and clause 8.2.2 is no exception.

OK - I say that you need to audit against the requirements of the standard, as does clause 8.2.2, but this clause also mentions other things.

Firstly it also says that the audit should confirm conformance with planned arrangements, and it references clause 7.1. I would say that if we audit the requirements of clause 7 we will have addressed this statement in the auditing clause.

Also clause 8.2.2 says we must also confirm conformance to other quality system requirements established by the organisation. If we were to audit the requirements of clause 4.2.1 however we would address this issue as this clause tells in part d) about documents required by the organisation (as opposed to documents required by the standard) and states in the note that documents must be established, implemented, and maintained.

Finally clause 8.2.2 requires us in part b) to look at effective implementation and maintenance. Again if we 'audit the requirements' we can see for example in clause 4.1 requirements for effective implementation and maintenance of the QMS.

Easy peasy huh ?

Jim

Your conclusion, and reasons given for saying that you think audits are not required totally supports my statement that internal audits should concentrate on checking compliance to the standard, i.e. the other bits in clause 8.2.2 are already done by other methods in the QMS.

If we could get rid of the bit requiring us to independently appraise our system against the standard internal audit would be truly redundant. But it does serve a purpose if we ignore the negative press and try to think in terms of ISO9001 being a really useful document and as such adherence to it being an important thing to achieve/maintain.

But then we might get into the argument again about how can we check compliance against a document that doesnt actually tell us anything as it is not a standard.......and on and on it goes.

Another first......Jim & Martin agreeing on something:vfunny: :vfunny: :vfunny: :bigwave:

Seriously though, I quite agree with Martin and of course Jim.

The "processy" bits of the QMS will be monitored in "real-time" by the various methods available to that particular process.

The actual Internal Audit will be what was (is?) called a System Audit for standards compliance.

Regards,

Chris.

I think I'll stay out of this. What the H--- do I know about auditing anyway?:bonk:

First of all Richard, I apologize for waiting so long to respond. I have been spending quality time with my best friend (my fishin’ pole). I’m back now, and feeling fully refreshed (thank you very much).

Now to the question at hand (if Martin and Jim will allow): Auditing IS REQUIRED! (even if it is done through our “met via normal management processes” as Jim mentioned – aren’t we playing semantics here) To get the most of your QMS (or EMS) your checklists should include both the standard-based requirements and the organizational documentation.

My recommendation is to begin with a canned set of checklists. I know Marc has at least one set available. Add to that questions based on your own processes and procedures. For each step in the process ask yourself three questions:

1) What activity is being performed?
2) Who is performing the activity?
3) What evidence would show the activity is being done correctly?

I think this is a good start, at least for most organizations?

Quote:

But wouldn't you agree that:
a) those three questions aren't required to be answered by 9001/8.2.2


I think if you actually read the standard, you will find they are required! No I'm lying! :bonk: In this case they are not covered by a “shall”. No checklist is required. However, I believe that auditing (and checklists) should be tools that allow the organization to see the level of compliance and uncover any possible improvement targets. The three questions allow the auditor to have a better understanding of the process and can assist in the audit process.

Quote:

b) a lot more needs to be done to meet the requirements of 9001/8.2.2?

Oh yes! But this thread is about checklists (which are not required). If asking my three questions about process steps is followed throughout each process, I think both 8.2.2 a) and b) will be addressed.

Hope this clears things up.

Okay, so ISO 9001 doesn't require us to audit procedures, but wouldn't that be an easy way to do the audit? Most processes have procedures to define them. If the process has a procedure that is part of the quality system, why not use the procedure as your reference for your internal audit of that process?

I am still new to all this and am terribly confused. :confused: :confused: :confused:

Do what is easiest and works best for you. it may take some trial and error. So what? That's what continual improvement, & C&P action are for and about.

Just be sure that you can verify the implementation, effectiveness and the conformance of your system.

Jim,
I agree with your position for the auditing process. The focus of ISO9000 is on auditing processes, even though there are documented procedures required for implementation.
A process is typically described by written word, flow diagrams and/or process maps. When we describe a process by word, we tend to be drawn back into that procedure mentality. We should be focusing on the process as described by the procedure.

A process is defined by three basic steps: inputs, activities, outputs. Questions I would ask during an audit;
- What is your job?
- How do you know that what you are doing is right?
- Have you had training?
- Who is your customer?
- What are their requirements?

Of course the determination of an acceptable process is only evident by verification of an acceptable product.

And as usual these comments are just MHO

:bigwave:

We must be careful not to lose sight of the original question in regards to checklists. ISO wants us to think “process” and ONE WAY to audit the process is to see how the process is being performed. The "HOW" you perform a process IS THE procedure, written or not. When developing a checklist based on HOW the process is performed, the three questions I use is ONE way to determine the process performance. The “what we have achieved” vs the “what we are doing” issue is only valid in mature systems. If you can’t meet the “doing” part, the “achieving” part can never occur. As systems mature, then there needs to be a natural migration from compliance to performance. You can’t feed a newborn steak, and a healthy adult should be beyond babyfood.

To add a fourth question: “How can the process be improved?”, can add some benefit, but unless handled properly, it might alienate process operators (“Are you telling me how to do my job?”). If the auditor asked the question directly to the auditee, that situation may be avoided.