Auditing Depth - IT, Finance and H&S and Environment

Faz1975

Hi all.
Firstly to the mods, I'm sorry if there's already a thread on this but I have been searching and have come up with a few results but nothing specific.

We've achieved Global registration to ISO9001:2000 and I am currently creating this year's audit schedule. Since the company has decided to create a Business Management System rather than just a QMS, it has included in great depth written procedures for IT, Finance and H&S+Environment. These, I feel, only come under 6.3 and 6.4, 2 very small sections of the standard, so how deep/thoroughly do we need to audit them?

Does audit at least once per calendar year mean we need to review every single written document or can we get away with sampling each year, checking the points?
If we already get audited by financial bodies and by ISO14001 auditors for HSE can we just look at these processes at a top level, checking performance measures and records?
I don't want my audit schedule to become a finance audit.
Finance = ~50 procedures & work inst (1 quarter of all written docs on site)

I guess my question could apply to all process audits. How much does the document checking take over when you should be spending time following the actual process, noting how well it flows and is under control, its outputs and what is done with these (analysis and CI etc.)?

PS: on another note is there a minimum number of audits a person must complete a year to retain their certificate? (These are site auditors i.e. First party)

Many Thanks!
Fraser
 

Randy

Super Moderator
If you're creating a "Business Management System" like you've described why don't you incorporate the requirements from the applicable management system standards? In doing so you will ultimately have a stronger system of managing your business processes and organization as a whole.
 
Al the Elf

Fraser

We too have a business management system and in our case everything is designed to deliver customer requirements. These customers require us to comply with the law, which is where a great deal of our HR, Finance, Safety processes (procedures in some cases) come from. These customers also require us to be cost effective (which of course means cheaper than the best possible number you thought was ever possible!).

In this sense, every bit of the management system is a part of delivering customer requirements, and so we set out to check (via audit) every aspect of the system. However - we do this by sampling. With 35 areas being audited I can show that every bit of the management system has been checked in at least one area in any one year. We also plan to cover every bit of the system in each area over a roughly 5 year time frame. When I refer to a "bit" of the system, I mean something like auditing "Emergency procedures" - there's no way we'll look at every one of them - but we will look at a sample.

We only get into detailed procedural/instruction level audit where there is a customer requirement to do so e.g. for pharmaceutical manufacture, or where we judge ourselves that this will be beneficial (again in helping us satisfy customer needs). This latter point is where we get to play off the customer need for low cost vs the expense of auditing everything to the nth level of detail.

This has worked for us so far. Hope it helps...
Cheers, Al. :)
 
Faz1975

Re: Auditing Depth

Thanks to you both for your input. I'm going to make sure I can prove all areas of a process (e.g. finance) have been audited over 3 to 5 years rather than attempting the impossible task of everything in one year.

I am also seeing my company attempting to align its business objectives and everyone's objectives in the person performance system. This should help clear up the key areas to concentrate on. Since this is being done on a global level it will take time to filter down through the various plants, so I'll wait and see how it develops.

Thanks
Fraser
 
Greg B

Re: Auditing Depth

Fraser,

We have an audit schedule that is VERY flexible. We have mapped out all of our major processes and these will be audited every few years. We also have the option that a manager can call an audit if they feel that an area warrants a review of procedures etc. Our Management Review team also looks at all of our Non Conformances, Corrective Actions and Customer Complaints to ascertain if a particular part of the business requires auditing. Managers have the option when investigating CAs to have an audit carried out if they feel it is warranted. (That is not to say that the audit supersedes the investigation.) We do not have a set number to conduct, although this will change as our Business Plan's key objectives will include number of audits. We have two types of audits (Process and ISO requirement): we audit individual Work Instructions or Processes to gauge worker compliance and ascertain if improvements can be made etc. (we will also include the normal stuff such as Documentation checks, Control etc.), and then we have Audits whose scope is a direct link to the ISO clauses, i.e. Document control, Training etc.

I hope this helps. It is as clear as mud to me :vfunny:

Greg B
 
energy

Re: Auditing Depth

Faz1975 said:
Hi all.

I guess my question could apply to all process audits. How much does the document checking take over when you should be spending time following the actual process, noting how well it flows and is under control, its outputs and what is done with these (analysis and CI etc.)

PS: on another note is there a minimum number of audits a person must complete a year to retain their certificate? (These are site auditors i.e. First party)

Many Thanks!
Fraser

You decide what to audit based on the importance. You decide the frequency of Audits. You decide to have Special Audits whenever the need arises. Your Registrar, I assume of course :vfunny:, will check that you have some sort of Audit schedule and that you are doing them. The previous posts are excellent models, but you are free to develop your own. The Standard is clear. :agree:
 

Paul Simpson

Trusted Information Resource
All of the above

I can only agree with all of the postings. The point of the audit is to see if the system is working. When the standard talks about the status and importance of processes this allows organisations the flexibility to choose how often they audit. The only basis for a third party to criticize is if there is evidence the processes aren't working (objectives and targets not being met?) or that when they audit in an area they are finding non compliances that aren't being highlighted internally.
 