Using internal audits as part of document reviews

[cgaro62]

Good day @cgaro62 ;
As mentioned by @Cari Spears , there is no such requirement for a "periodic review". I have seen this erroneous "requirement" burden other organizations. I even had one client who had annual "due dates" established in a data base and they were holding themselves accountable (their own internal documented requirements), to annually review EVERY document in their QMS as part of some misguided belief that it was a requirement.

I have found that this misguided belief usually comes from 7.5.2 c) of ISO 9001, which requires "review and approval for suitability and adequacy". You will notice two important things, however...

1- There is no stipulated frequency or periodic requirement. In fact....
2- This requirement is within the scope of "Creating and Updating" . In other words, when an organization decides to create a controlled document (i.e. critical to quality, ...i.e. if that document is "wrong or gone" it can lead to a nonconformance), then the organization should review to make sure it is suitable and adequate before releasing that document (or updating it).

Here are the requirements from ISO 9001:
ISO 9001:2015
7.5.2 Creating and updating
c) review and approval for suitability and adequacy.

In regards to ISO 13485, the requirement is specific to ...
1- Prior to use (again, as with 9001, don't implement a document without the necessary review/approvals to ensure adequacy.)
2- The requirement is for a governing process of "Control of documents" which identifies your organization's governing requirements ("controls needed")...necessary to "review, update as necessary, and re-approve documents".

Here are the requirements from ISO 13485:
ISO 13485:2016
4.2.4 Control of documents
a) review and approve documents for adequacy prior to issue;
b) review, update as necessary and re-approve documents;


In regards to your consultants council. Hmmmm. The only way what you are doing is a problem is if REVIEW is not being done at the creation, revision (update) and approval of controlled documents.

Question your consultant's advice in this situation.

Hope this helps
Be well.

********************************
Hi John C. Abnet,

Thank you for your reply.
13485:2016, 4.2.4 begins the description of requirements for a documented procedure with "shall define the controls needed to..." prior to listing the requirements. As you show above, bullet b) is the second "review" along with "update as necessary and re-approve.." I have always taken this to mean that not only newly created documents but also any changes to existing documents are also reviewed and approved prior to release.

At my company, we also conduct a periodic review to ensure continued suitability & applicability (9001:2015), are you saying a review of this nature isn't required?

Here, every document that makes up our QMS is reviewed for content prior to approval - which is a good thing. Revised documents are also reviewed to ensure that the changed, or added, content is applicable and has also not altered the intent or purpose of the document. We also use internal audits as a second set of eyes (so to speak) - since the auditor is reviewing the internal document, first against the standard's requirements and then against the respective process to ensure compliancy, in preparation for their audit. This is the consultant's issue - that we use internal audits for this at all. To be sure, that is not the intent of the internal audit, but, if a discrepancy or issue is found during audit preparation, it is brought to the attention of the document owner and myself, as well as noted on the audit report.

Are you saying as long as an internal audit is not the only means for review - at the creation or revision of an internal document, this is okay. is that correct?

To answer John B's question: Yes, we do audit all of our processes which includes document review and approval as part of the document control procedure/process. And I agree John B, I want my auditors to focus on the audit at hand, however if during their audit preparation they discover an issue with the procedure, document or forms then that "second set of eyes" is working.

Responding to Tagin's statement: ISO 19011:2018 4e) also states in the last paragraph, "for small organizations, it may not be possible for internal auditors to be fully independent of the activity being audited ...."
While a small company may get away with an auditor having to possibly audit in their own area, that is not the case here. We do not have employees who conduct the process and audit of that process at the the same time. Our auditors are not permitted to audit their own work or in areas where they are assigned. That being said, our operator's are trained to check their documentation and process; to stop and question it if something appears to be incorrect or amiss. Does that make sense?

Thank you all! Great input as it has all been very helpful.

 

[John Broomfield]

Yes, well crafted nonconformity statements are a valuable benefit of audit.

 

[Ninja]

our Doc Control procedure allows for 'periodic review' by the creator or SME, sometimes both and we "also use IAs" as a second set of eyes, so to speak. Does that make sense?

Howdy cgaro62,

Males sense? yes...but that's going to happen regardless during the IA process as a beneficial side effect.
It seems that you are trying to call it something else ('using IAs as a second set of eyes in the doc review process') and use the side effect to check another box that shouldn't exist in the first place.

Let it be the beneficial side effect that it is, remove the checkbox of "periodic review required" and move on to something else.
Trying to tie these together into something else is a potential distraction to the IA process.
You get the second set of eyes anyway during IA...

 

[JasnahKholin]

In my experience, the people who should be reviewing a document for accuracy (in my organization it is the document owner) are completely different than the people who are auditing the process. The subject matter expert/process owner is the one that should be reviewing and updating a document and it is not best practice to have that person audit processes that they own because of the potential for bias results.

 

[Guest]

I was advised by an ISO consultant that internal audits could not be used to meet the requirement of the periodic review of documents for applicability to whatever process the document covered.

Your ISO consultant may be wrong in this assertion, in part, because there's no requirements for a periodic review of documents in any ISO MS standard I'm familiar with. However, internal audits SHOULD consider the process of creation/approval etc as part of auditing (depending on scope/purpose etc), as I believe others have pointed out. The document control process may - or many not - need to be audited as its own process, if there's evidence of a lack of effectiveness, for example. Furthermore, auditors should be fully familiar with the process of document control (as well as records control etc.) when they do any internal audit.

It's the periodic review requirements - perceived that is - that worry me, most. And the purpose of internal audits, as described..

 

[cgaro62]

Howdy cgaro62,

Males sense? yes...but that's going to happen regardless during the IA process as a beneficial side effect.
It seems that you are trying to call it something else ('using IAs as a second set of eyes in the doc review process') and use the side effect to check another box that shouldn't exist in the first place.

Let it be the beneficial side effect that it is, remove the checkbox of "periodic review required" and move on to something else.
Trying to tie these together into something else is a potential distraction to the IA process.
You get the second set of eyes anyway during IA...

HI Ninja,

I think you may have misunderstood what I wrote. Our document control process is completely separate from the IAs. However, if during an IA the auditor detects a nonconformance during their "document comparison" portion of the audit - when they are looking to see if what we say we are doing IS what we are actually doing and is the internal document compliant to the applicable standard(s) - then great! "Thank you for the 2nd set of eyes," I say.

Funny you should mention removing "periodic review "required"" being removed. That was done yesterday while revising the procedure for control of documents

 

[cgaro62]

In my experience, the people who should be reviewing a document for accuracy (in my organization it is the document owner) are completely different than the people who are auditing the process. The subject matter expert/process owner is the one that should be reviewing and updating a document and it is not best practice to have that person audit processes that they own because of the potential for bias results.

Agreed. Those are our processes as well. Our auditors do not audit in their area of work or their own work. Only the SME or the process owner is responsible for reviewing to revise documents. If an auditor has a finding against an internal document, the finding is addressed by the SME or process owner.

Thanks for the input!

 

[cgaro62]

Your ISO consultant may be wrong in this assertion, in part, because there's no requirements for a periodic review of documents in any ISO MS standard I'm familiar with. However, internal audits SHOULD consider the process of creation/approval etc as part of auditing (depending on scope/purpose etc), as I believe others have pointed out. The document control process may - or many not - need to be audited as its own process, if there's evidence of a lack of effectiveness, for example. Furthermore, auditors should be fully familiar with the process of document control (as well as records control etc.) when they do any internal audit.

It's the periodic review requirements - perceived that is - that worry me, most. And the purpose of internal audits, as described..

I think the "periodic review" is a misconception that many QA folks have, myself included - thankful that I can come onto this forum and gain insight that helps to correct the misconception.
Not sure what you mean by, "purpose of internal audits," I myself see them as a necessity regardless of what any standard may state. A good internal audit program can help identify process issues. the need for a process, risks, and point to potential opportunities for improvements.

 

[lanley liao]

In fact, These are so easy questions, which we don`t need to complex these questions. It is the best as long as it is appropriate to you. Irrespective of standard specifications, documented procedures, work instructions, etc, they have limited themselves in actual work. It is just right as long as it can help you to perform the work correctly and can promote the level of company management as well as adding value for both personnel and the company.

 

[John C. Abnet]

At my company, we also conduct a periodic review to ensure continued suitability & applicability (9001:2015), are you saying a review of this nature isn't required?

Good day @cgaro62 ;
Yes, what I am saying (if I am understanding your situation correctly) is that...
1- a "periodic review" of your QMS documentation is not required.
2- It is required to have a documented procedure (ISO 13485--4.2.4) to define your organization's controls specific to "a~h"
3- it is required to "...when CREATING and UPDATING ...(ISO 9001--7.5.2) shall...review for suitability and adequacy".

Hope this helps.
Be well.