ISO9000 Internal Audit Requirements

[Marc]

Ah! Can this be real??? A snippet from a list-serve:

From: Charley Scalies
Subject: Re: Q: IA Program On Target or Overkill/Schwarz/Scalies

> From: JSchwarz

During a recent surveillance audit of my company, the Registrar's Lead Auditor indicated that our internal audit program was excessive. We had been under the impression that the Registrar expected us to audit each department and each ISO Clause at least annually. However, the Registrar's Lead Auditor stated that though we were expected to audit against each ISO Clause annually, there was no requirement that each department be audited on an annual basis. We were told that we could randomly select any departments we chose to audit. Any opinions? Thanks.

> J Schwarz ----------------------

Say "Thank You" to the Registrar's Lead Auditor. Sounds like he/she is sensitive to your bottom line by suggesting that more effective audits are better than more audits.

Perhaps you should revisit both the letter and the purpose of the 4.17 requirement. Your audit program must verify whether or not your quality system is suitable and effective (including meeting the minimum requirements of the standard). If you think you need to audit every department against every element in order to make a determination as to whether or not your system is suitable and effective, then go right ahead. Otherwise, don't.

Also, take another look at the 20 elements, except this time, read them as a whole, not as 20 separate disparate requirements. They are all inter-related. The proposed draft of the year 2000 standard seems headed in a direction that will tend to shift focus from the bits and pieces to a more "whole-istic" view of the standard.

As for auditing each element annually, that isn't a requirement of the standard, just of your Registrar. (Not a bad one, and not one I would argue against.) Keep in mind there are ways of auditing compliance with certain elements collaterally, rather than directly. For example, if you plan every audit to include a test of the quality records system for that particular process being audited, then you may not need to do a separate quality records audit. Depends on what you are able to conclude about quality records compliance and system effectiveness learn from the collateral audits.

Charley

[Marc]

And another one I liked. We must remember this is ISO, not QS!

From: RbrtC
Subject: RE: Q: IA Program On Target or Overkill/Schwarz/Craig

The auditors response is not that atypical, especially the remark about random sampling. All 3rd party audits rely on random sampling therefore it should not be a surprise that they would accept sampling in your internal audit system.

Also, there is NO requirement that each element be audited annually. The requirement states that audit frequency should be based upon your past audit results and risk assessment. It is fairly typical to audit elements in frequently (i.e., every other year) where you have established a history of not having any issues. On the other hand, elements where you repeatedly find noncompliances in your internal audit system should be audited more frequently (i.e. every six months or quarterly).

Bottom line assign your audit frequency based on your past experience not on some established rule of thumb. As long as your reasoning is sound for assigning the frequency, the assessor should not have an issue with it.

Robert J. Craig, Director of Quality, Berg Electronics Author: NoNonsense Guide to ISO 9000 Registration, ASME Press, NY, NY

[barb butrym]

You have to make the decision...does it add value? Does it make sense?

Makes sense to me (my company hat)...that if my surveillance audit is coming and I know what elements will be covered...I damn well want to cover them, and anywhere they may lead the auditor... first..no surprises. Why set my self up for grief for the sake of a little preparation..also covers Management responsibility...review the system. If I don't do MR meetings often, it will be a long time to catch up on the elements I don't do every year.

OK, now the auditors hat..simple..covering the entire system builds my confidence in the system...Is Management review capturing the system to show effectivity of the IA program? I go in looking for a complete system audit annually..but YA GOTTA PROVE TO ME that what you do works...if it does then I am happy.

now the consultant hat...If you have a matrix of all 20 elements and the areas covered you can plan a simple way to capture the most bang for the audit buck. I suggest area audits that cover all ISO elements that apply to the area (check lists with lots of room to write)then when I want to review the element....I do a desk audit of the IA results for that element portion of the check lists. Obviously some elements need more..ie design, contract review, doc control. But that covers most of the others. If the auditors are trained using this technique the audits typically become a value added exercise and feed into the CI program.