Creating an Internal Audit Schedule

Our first IA was conducted by a third party a few weeks ago. Our next audit is our registration audit in August. I'd say our next IA after August would be in 2008 in which we plan on having a third party come in again. Simply because nobody here at the organization is trained to perform any auditing duties.

Nothing is scheduled for 2008 regarding Internal Audits and I know in August, the registrar will want to see some kind of scheduling information regarding Internal Audits.

Any suggestions on how to go about this?

Well, if you have a process map of the organisation I'd start by using that to identify the main areas for audit. Decide which are the most important to you as a business and schedule at least 1 per process - perhaps more for the more critical processes. Consider also the results from the previous audits to help you to decide which areas (if any) require any special treatment.

You then need to consider other aspects of the system which may not have been automatically picked up by the process map e.g. management review, and schedule those in too.

One more thing I try to do is a matrix of the audits v the clauses of ISO 9001, just to let me know that all the clauses have been addressed at least once. Some people will point out that this is not essential but I like to do it anyway. It helps the auditor when preparing the audit and also informs the external auditor that the whole standard has been addressed.

noboost4you said:

Our first IA was conducted by a third party a few weeks ago. Our next audit is our registration audit in August. I'd say our next IA after August would be in 2008 in which we plan on having a third party come in again. Simply because nobody here at the organization is trained to perform any auditing duties.

Nothing is scheduled for 2008 regarding Internal Audits and I know in August, the registrar will want to see some kind of scheduling information regarding Internal Audits.

Any suggestions on how to go about this?

Click to expand...

I am currently conducting internal audits for one of my Clients. (That makes me a 3rd party, I believe..). I had a planning meeting with the management staff, and we developed an audit schedule for the next 6 months. For logistics and resource reasons, all scheduled audits are about 4 hours in duration, and it will take me 8 visits to complete a first cycle of internal audits. A trained member of top management will audit the audit process (auditors shall not audit their own work). The Client is very happy and the CB was pleased with this arrangement.

You may want to arrange for this prior to August with your (contracted) auditor.

Hope this helps a little.

Stijloor.

Since you're not required to have any kind of 'calendar' for next year, I'd suggest that you set a 'frequency', say quarterly or monthly, and say in your procedure that you'll select a scope and criteria in the 30 or so days before the audit is to be conducted. Many of my clients have been doing it this way and not had a problem of not having a fully completed plan for a year. Perhaps the only 'fixed' events on that calendar might be an audit of what the registrar will be looking at, a month before their next scheduled surveillance.

Well I imagine our IA in 2008 will be very similar to 2007. We'll contract a third party to come out 3 days in a row to go through everything. This is why I'm finding it difficult to make a "schedule." Do we know when the next IA in 2008 will be? Not at all and we probably won't know until early next year. At which point the "schedule" will encompass everything surrounding our QMS. It's more cost effective to bring and house the auditor for 3 days rather than a day here and a day there.

We don't plan on contracting our IA forever, but just until some people in the organization get training.

Would a statement stating that until internal personnel receive adequate auditor training, all internal audits (minus the auditing of the process) will be conducted by a third party in which the schedule of areas to be audited will take place during their visit work? Or something along those lines...

We schedule each area (process and/or subprocess) once each year, and then as we audit, we will reschedule an area for later on if we feel we need to because of customer satisfaction issues, internal audit issues, certification audit issues, customer audit issues, or new equipment/practices. This has always worked well for us, and our QMS auditor (registrar) has no problems with it at all. Our audit results (as well as the other criteria) pretty much show that our system works.

On the other hand, our EMS auditor argues with me every time. No nonconformances on it to date, but I can tell that it really chafes her fanny. But, hey, what can she do if she cannot find nonconformances to back her up? (and believe me, she tries). I really feel that our EMS auditor is about 10 years behind the curve compared to QMS. It might just be that the standard is newer, or that there aren't as many registered companies?

How do you address the 'status and importance' issue of your audit programme?

I know third party auditors don't often make any deal of this aspect (do they know what it means?) but this is a vitally important link to management getting some value from audits, instead of doing them 'because ISO-says-so".

Doing anything once or twice a year isn't likely to address this requirement......

AndyN said:

How do you address the 'status and importance' issue of your audit programme?

I know third party auditors don't often make any deal of this aspect (do they know what it means?) but this is a vitally important link to management getting some value from audits, instead of doing them 'because ISO-says-so".

Doing anything once or twice a year isn't likely to address this requirement......

Click to expand...

And I'm sure we'll audit our processes more frequently when someone here has had auditor training. But until then we are forced to contract a third party. Which, at this point, is more cost effective to have all processes audited in one 3-day visit. I think my Internal Audit Schedule for 2008 will just state a 3-day visit sometime mid-year.

noboost4you said:

And I'm sure we'll audit our processes more frequently when someone here has had auditor training. But until then we are forced to contract a third party. Which, at this point, is more cost effective to have all processes audited in one 3-day visit. I think my Internal Audit Schedule for 2008 will just state a 3-day visit sometime mid-year.

Click to expand...

If I were your registrar I'd probably write a nc against the audit program, and a lack of management commitment - for not extending the resources ($$) to either have your internal auditors trained or for paying the contractor to come in more often.............:mg:

Andy, with the level of lack of nonconformities we have set each area with the same importance. This wasn't always so, in the beginning there were areas scheduled twice and even three times. Plus, we review the areas during management reviews to allow for deciding to add extra audits to an area. We have yet to have a year where we stopped at the original "once per year" schedule, we've always identified something to look into another time (or two). So that is how we justify that we are scheduling accrding to "status and importance".