Generic or Specific Checklists for Internal Audits

[Jimmy Olson]

Hello everyone.

This is probably a stupid question, but I was interested in finding out what type of checklists people used for internal audits, as far as if specific checklists are developed for each area or if generic checklists are used that maybe reference procedures or documents for the area being audited.

[Randy]

Your company procedures have got to bounce off of the standard you are working with (9K2K I guess).

Base your Internal Audit on your procedures/instructions and the way you say you will do business.

If your procedures meet the requirments of the standard, and you audit against your procedures/instructions you should be OK.

That's about as simple as I can put it.

[Randy]

The primary guidance for a process is a procedure/instruction that gives the who/what/where/when/why & how.

It would be silly to audit a process without knowing what makes it tick. "Duhhhh yep. Looks like somethin's happenin, but I'd be hornswangled why and whut fer"

[M Greenaway]

Randy

Your statement 'If your procedures meet the requirements of the standard.......' is a very big IF, and is one of the questions that needs to be addressed at internal audit.

Purely auditing compliance to procedures would be auditing only requirement 4.9.c of the 1994 standard (still dont quite know where it is in the 2000 standard). If your internal audit programme only addresses one requirement from the standard I would say that is is very much lacking.

I would also wager that your findings from such an audit programme are typically trivial non-compliances that just require petty corrections to the documented procedure.

Audits should be undertaken against the requirements of the standard, and your checklists should cover those requirements that are applicable to the area/process you are auditing. You cannot claim that by auditing procedures you are indirectly auditing against the requirements of the standard.

[M Greenaway]

Jim

I would agree that a company has to have many other methods of constantly checking other important things. But I would say that these should be done through the process monitoring required by the standard.

I believe that internal audits should stick to the task of ensuring compliance to the standard, i.e. are operational definition of an internal audit should be the assessment of the quality management system against the requirements of the standard. But like you say we must have other things going on that tell us more important things about the effectiveness and efficiency of our business.

So I dont disagree, just think we should draw a line around what we want from 'internal audit'.

[M Greenaway]

Jim

The examples you quote are requirements of the standard, and as such would be audited when conducting an audit against the requirements of the standard !

i.e. clause 5.4.1 requires the company to have quality objectives, as such our audit checklist will include the question 'has the organisation established quality objectives.....'

Simple eh ?

[M Greenaway]

Jim

As we know ISO9001 goes around and around in circles, and clause 8.2.2 is no exception.

OK - I say that you need to audit against the requirements of the standard, as does clause 8.2.2, but this clause also mentions other things.

Firstly it also says that the audit should confirm conformance with planned arrangements, and it references clause 7.1. I would say that if we audit the requirements of clause 7 we will have addressed this statement in the auditing clause.

Also clause 8.2.2 says we must also confirm conformance to other quality system requirements established by the organisation. If we were to audit the requirements of clause 4.2.1 however we would address this issue as this clause tells in part d) about documents required by the organisation (as opposed to documents required by the standard) and states in the note that documents must be established, implemented, and maintained.

Finally clause 8.2.2 requires us in part b) to look at effective implementation and maintenance. Again if we 'audit the requirements' we can see for example in clause 4.1 requirements for effective implementation and maintenance of the QMS.

Easy peasy huh ?

[M Greenaway]

Jim

Your conclusion, and reasons given for saying that you think audits are not required totally supports my statement that internal audits should concentrate on checking compliance to the standard, i.e. the other bits in clause 8.2.2 are already done by other methods in the QMS.

If we could get rid of the bit requiring us to independently appraise our system against the standard internal audit would be truly redundant. But it does serve a purpose if we ignore the negative press and try to think in terms of ISO9001 being a really useful document and as such adherence to it being an important thing to achieve/maintain.

But then we might get into the argument again about how can we check compliance against a document that doesnt actually tell us anything as it is not a standard.......and on and on it goes.