Internal auditing focus - Opinions on "what direction" so to speak

[Jim Biz]

Would be interested in opinions on "what direction" so to speak an internal audit should be focused....

Is it best to focus an internal audit toward commonly asked "standards requirements questions"? (there are a number of sources out in the world for these)

OR is it best to zero in the audit focus on specific internal practices?

Quite frankly we are currently using a combination of both but I can't be sure the Generic "ask every time questions such as - are there procedures in place & implemented for elementX.XX have any improvement validity to our system. This method to my thinking does however "cover each individual ISO section" - without having a minor written or evoking the need for our registrar to ask "have each standards section item been addressed"

[Marc]

Start off by taking a read through:
http://Elsmar.com/ubb/Forum13/HTML/000063.html
and http://Elsmar.com/ubb/Forum13/HTML/000012.html
and http://Elsmar.com/ubb/Forum13/HTML/000059.html
and http://Elsmar.com/ubb/Forum13/HTML/000037.html

My personal opinion is have internal auditors verify internal systems and let your management rep be responsible for ensuring the systems meet the spec (ISO/QS/whatever).

If you still have questions, come back and ask!

[Jim Biz]

Thanks Marc - I agree completley with your opinion, but the prime directive of satisfying the auditor also enters in to the mix. Hopefully our current means of combining "standards based" must have answers for questions, and internal auditor added "internal systems" (what we need to know) questions should provide a balance in auditing.

[Dawn]

Our registration auditor told us we "shall" audit every "shall" in the element being audited. Takes all the fun out of it and doesn't leave much room or time for continuous improvemnt.

[Marc]

Quote:

Originally posted by Dawn:

Our registration auditor told us we "shall" audit every "shall" in the element being audited. Takes all the fun out of it and doesn't leave much room or time for continuous improvemnt.

QS or ISO? Sounds to me like your registrar has decided that internal audits are not a sample. ISO does not even require every element to be audited yearly.

ISO9001:1994 reads:

4.17 Internal quality audits

The supplier shall establish and maintain documented procedures for planning and implementing internal quality audits to verify whether quality activities and related results comply with planned arrangements and to determine the effectiveness of the quality system.

Internal quality audits shall be scheduled on the basis of the status and importance of the activity to be audited and shall be carried out by personnel independent of those having direct responsibility for the activity being audited.

The results of the audits shall be recorded (see 4.16) and brought to the attention of the personnel having responsibility in the area audited. The management personnel responsible for the area shall take timely corrective action on deficiencies found during the audit.

Follow-up audit activities shall verify and record the implementation and effectiveness of the corrective action taken (see 4.16).

NOTES

20 The results of internal quality audits form an integral part of the input to management review activities (see 4.1.3).

21 Guidance on quality-system audits is given in ISO 10011."

QS9000:1998 adds:

"4.17.1 – Internal Audit Schedules

Internal auditing should cover all shifts and be conducted according to an audit schedule updated annually. When internal/external nonconformances or customer complaints occur, the planned audit frequency should be increased."

I know the QS expectation is that all elements be audited yearly, but I can't find where it is written.

[Jim Biz]

Marc - Our approach to audit timing focus and coverage was explained to me by my consultants et-all -- relating 4.17 to 4.1.3 Management Review wording.

IE: Management SHALL review "the quality system" (Implied meaning - all elements = all shalls) "at sufficient intervals to ensure effectiveness"(defined and/or implied to be yearly)

Therefore if all "shalls" (Including each individual ISO section and wording prase) is not internally questioned and compliance judged between yearly Meetings... then Management can not be effectively looking at the entire quality system.

If Review meetings "prescribed intervals" are longer than one year which is not required in writing ---- then they can all too easily be determined to be not sufficient/effective intervals...

Not saying here that I agree (in all or in part) with any of this but that was the explaination, and the "Standards Implied" basis reasoning. The way it turns out yes we have flexibility to concentrate on internal systems and improvement aspects in 4.17 and 4.1.3 takes a great deal of that flexibility away.

[This message has been edited by Jim Biz (edited 11 April 2000).]

Our auditor all but told us to audit by function and not by element. It avoids the repetition of asking each element question listed in the QSA (see: "take the fun out of it.)

I actually adopted our auditor's audit schedule to maintain that "function focus" listing all of the applicable elements in each. By doing so, we can cover every shall statement during the audit and have "fun" and variety from audit to audit even though we are essentially covering the very same elements each time.

For example... I never ask if "procedures have been established and implemented..." - if they are - they'll be there... and you make a note accordingly.

It really was a refreshing change and a great suggestion by our auditor (registrar).

[Marc]

If you have read any of my rants, this is what I tell people. Internal audits should focus on function systems - not compliance to a spec like ISO9001. Let your management rep ensure your 'master' systems are compliance.

Most companies I see do the QSA type of audit in functional areas when they should be focusing on the functional area's systems / procedures. Dumb. But then again, that is exactly what the AIAG folks push. In fact, this whole push to 'certify' internal auditors is based upon this '...verify compliance to the spec..." idiocy.