Does ISO 9001 Audit fit in within the Corporate Internal Audit department?

gg-audit

I am new to this forum, and to the ISO 9001 world. Let me give you a brief description of how our Internal Audit department is structured, and I'd really appreciate your thoughts on whether you think the structure is effective or harmful to the certificate.

I work for a large service company that has a single corporate Internal Audit Department with 150+ auditors who perform audits of the internal control environment for financial, operational and IT processes/systems (are the controls adequate to prevent, detect or correct problems). Several years back, a small group of ISO auditors were restructured under the IA department. It used to belong to a Quality Department, but that was basically done away with and the "auditors" needed a home.

A new member of management wants to "integrate" the ISO audit function into the "typical" audit function thinking it will increase coverage, and since the auditors are already in an area, why not do some review against the ISO standard.

And I can buy that, but what I can't get on board with is completely losing the expertise of the ISO auditors and letting 150 people with very limited exposure and understanding of ISO to be "let loose". I'm afraid we are diluting our efforts for no real reason. The ISO program has been extremely successful in the past, and I feel like we are being forced to change for no reason. For those of you that are familiar with IIA (Institute of Internal Auditors) standards, these ISO audits are now going to have to abide by IIA stds, which requires statistical sampling and over-scrutinization of the audit work. Our ISO auditors can crank out audits in 80 hours, but abiding by these stds will probably double their time, which in effect, makes them half as productive.

Has anyone else seen this integration and has it worked? If so, what were some key aspects that helped it work?

I'm really looking for validation that this is not the right avenue to pursue, but I'd like to get your objective opinions.

Thanks in Advance!
 

Randy

Super Moderator
Re: Does ISO Audit fit in within the Corporate Internal Audit department?

1st let me say Welcome to the Cove :bigwave:

2nd...What you are asking about is nothing new or something that hasn't already been done 100's of times already across the globe.

Here's a big secret...please don't tell...ISO Auditors aren't any better, smarter, or more capable than any other type of auditor...They just like to think and portray that image.

All you really need to do is make sure that whatever auditor you use possesses the requisite competencies and that the objectives, scope and criteria of the audits to be conducted are clearly defined and understood.

That's it, and it ain't nuttin' but a thang.;)
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Re: Does ISO Audit fit in within the Corporate Internal Audit department?

Welcome to The Cove, GG! :bigwave:

The management person who said your company's IA members can just swing into doing ISO audits apparently has little idea of what goes into said audit.

That doesn't mean these people couldn't do the work; it means I doubt they're any more ready than I would be to say, "I think I'll go do a financial audit now." I'd have to learn some things, like accounting... :notme:

My recommendation is to press for Lead Auditor training for each of these persons.

But why do that when you already have internal auditors?

It seems common for some people to think, "Since you're there, you can just do this extra audit," perhaps in the same basic time frame but maybe with just a little extra time. What such a person is forgetting is that the time is going to be taken away from the regular auditing work. Can't stop the clock, ya know...

Auditing corporate operations is a little different from auditing production processes. If the corporate folks are being pulled into the audit schedule for the first time (I've seen this) they'll need to start from the beginning and be led through how their activities fit into a quality system. This handholding is not the job for someone who is inexperienced in the quality discipline.

Doing all that hand holding (making them ready for a registrar's visit or an audit by some other outsider) can perhaps take 80 hours, including the time to make process maps, flow charts and maybe turtle diagrams, plus coaching them on how to answer the auditor's questions (don't babble, don't go off on this or that tangent). Normally, however, auditing a department for ISO shouldn't take anywhere near that long. Oh my, no.

Nor am I familiar with the need to take a large sample, or hold yourself to any statistically designed audit method. I'd like to know why ISO auditing is being held to IIA standards. It's not a regulated function.

Key aspects to make it work are, as I mentioned, being willing to behave as internal consultant for corporate support functions being audited for the first time. What also works is competence, which is required for registration...proven in ways like passing an ISO Lead Auditor class and/or certifying for Quality Auditor with American Society for Quality. The auditor might as well be competent at the git-go.

I hope this helps!
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Re: Does ISO Audit fit in within the Corporate Internal Audit department?

Here's a big secret...please don't tell...ISO Auditors aren't any better, smarter, or more capable than any other type of auditor...They just like to think and portray that image.
Well then! I guess I am feeling pretty full of myself. :lol:
 

Randy

Super Moderator
Re: Does ISO Audit fit in within the Corporate Internal Audit department?

My recommendation is to press for Lead Auditor training for each of these persons.


Auditing corporate operations is a little different from auditing production processes.

What also works is competence, which is required for registration...proven in ways like passing an ISO Lead Auditor class and/or certifying for Quality Auditor with American Society for Quality. The auditor might as well be competent at the git-go.


Why a Lead Auditor class Jennifer?

The only real difference between corporate and production auditing is the conference room and maybe lunch.

Passing a Lead Auditor exam means you pass, not that you are competent.
 
gg-audit

Re: Does ISO Audit fit in within the Corporate Internal Audit department?

To address the training issue, we are having one of our Lead Auditors train the corporate internal auditors. But in only a 4 hour class. Basically giving them the ISO 101 class. To train 150 people by an accredited Lead Auditor instructor would cost more money than management's willing to spend, and take too much time away from the "real" audit schedule...i.e. financial risk areas.
 
gg-audit

Re: Does ISO Audit fit in within the Corporate Internal Audit department?

Here's a big secret...please don't tell...ISO Auditors aren't any better, smarter, or more capable than any other type of auditor...They just like to think and portray that image.

The opposite is true in our company...the corporate IA's think they are better than the ISO auditors. So I don't think they will spend very much time really looking at the elements of the standard like a qualified ISO auditor would. They'll gloss over it, to get to the important stuff...regulatory risk, financial risk, etc.
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Re: Does ISO Audit fit in within the Corporate Internal Audit department?

Why a Lead Auditor class Jennifer?

The only real difference between corporate and production auditing is the conference room and maybe lunch.

Passing a Lead Auditor exam means you pass, not that you are competent.
If they specialize in financial audits, it's a different world.

Like GG said, without understanding what needs to be done, they may just skim over it and get to the "real auditing" work.

I suggest a lead auditor's class as a fast introduction. A person needs some knowledge of quality systems.
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Re: Does ISO Audit fit in within the Corporate Internal Audit department?

To address the training issue, we are having one of our Lead Auditors train the corporate internal auditors. But in only a 4 hour class. Basically giving them the ISO 101 class. To train 150 people by an accredited Lead Auditor instructor would cost more money than management's willing to spend, and take too much time away from the "real" audit schedule...i.e. financial risk areas.
Yes, it's the desired answer for a question that was frankly a set-up. The logical idea is to use the qualified auditors you already have.
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Re: Does ISO Audit fit in within the Corporate Internal Audit department?

The only real difference between corporate and production auditing is the conference room and maybe lunch.

Passing a Lead Auditor exam means you pass, not that you are competent.
I don't agree with the first one, but I do agree with the second one, especially if the corporate types have not been through the ISO process before. The blind leadeth the blind...:cool:

Although I want to keep in mind we know almost nothing about these people, we do know how wide the range of auditing skills can be. My understanding was that these corporate auditors are financial types and IS. To audit ISO, a person needs some experience with quality, don't you think?
 