Using internal audits as part of document reviews

[cgaro62]

Hi All,

I am an experienced quality assurance professional that includes implementing ISO 9001:2015, 13485:2016, AS9100D management systems, as well as ISO 19011:2018. I was advised by an ISO consultant that internal audits could not be used to meet the requirement of the periodic review of documents for applicability to whatever process the document covered. I cannot find anything in any of the above mentioned standards that states that internal audits cannot be used for periodic review of documents. Does anyone know where this is mentioned, which standard?

If I am assigned to conduct a process audit, part of that audit is to review the current process against the controlled process procedure/documents to determine if the process is compliant to the procedure. Why couldn't I use this review to also meet the requirement to review the document for applicability?

Regards,
Cgaro

 

[Ninja]

FWIW, I think you'll get more value out of your IAs if you focus on "are you following the docs?" rather than "are the docs right?"

Based solely on the desire to get as much value as possible out of an IA (see the rest of my posts here)...I suggest that they NOT be combined.

That said, a finding in an IA because the docs are outdated should result (through CA) in updating the docs...but that is an effect, not a cause.

 

[Cari Spears]

I'm not familiar with 13485, but there isn't a requirement for "periodic review" in ISO9001 or AS9100.

We set up our own internal requirement to review the Quality Policy Manual, our Quality Policy, our Interested Parties and Issues List, and our Order Management Procedure annually. Otherwise, we review documents during internal audits, as you described, and if a process changes at any time, any related documents are reviewed and updated.

 

[Mike S.]

Some auditors think ISO9001/AS9100 7.5.2 and/or 7.5.3 requires periodic review of documents. I don't happen to agree, but if someone had that as a requirement, and the auditee told me they reviewed their documents in advance of the internal audit, I would accept that. If as an auditor I saw that the documets did not truly reflect the practice, that would be a NC.

 

[John C. Abnet]

Good day @cgaro62 ;
As mentioned by @Cari Spears , there is no such requirement for a "periodic review". I have seen this erroneous "requirement" burden other organizations. I even had one client who had annual "due dates" established in a data base and they were holding themselves accountable (their own internal documented requirements), to annually review EVERY document in their QMS as part of some misguided belief that it was a requirement.

I have found that this misguided belief usually comes from 7.5.2 c) of ISO 9001, which requires "review and approval for suitability and adequacy". You will notice two important things, however...

1- There is no stipulated frequency or periodic requirement. In fact....
2- This requirement is within the scope of "Creating and Updating" . In other words, when an organization decides to create a controlled document (i.e. critical to quality, ...i.e. if that document is "wrong or gone" it can lead to a nonconformance), then the organization should review to make sure it is suitable and adequate before releasing that document (or updating it).

Here are the requirements from ISO 9001:
ISO 9001:2015
7.5.2 Creating and updating
c) review and approval for suitability and adequacy.

In regards to ISO 13485, the requirement is specific to ...
1- Prior to use (again, as with 9001, don't implement a document without the necessary review/approvals to ensure adequacy.)
2- The requirement is for a governing process of "Control of documents" which identifies your organization's governing requirements ("controls needed")...necessary to "review, update as necessary, and re-approve documents".

Here are the requirements from ISO 13485:
ISO 13485:2016
4.2.4 Control of documents
a) review and approve documents for adequacy prior to issue;
b) review, update as necessary and re-approve documents;


In regards to your consultants council. Hmmmm. The only way what you are doing is a problem is if REVIEW is not being done at the creation, revision (update) and approval of controlled documents.

Question your consultant's advice in this situation.

Hope this helps
Be well.

 

[John Broomfield]

To use internal audits as part of document reviews suggests to me that the document reviews themselves are not being audited.

So, would the document reviews continue to audited?

In my experience it is advisable not to compromise the independence of audit (per its definition) by making audit responsible for any control within your system.

 

[Ninja]

review, update as necessary

Yay...they got something spot on...

I can't even imagine how a standalone "document review" process would add value to anyone or anything.

 

[Tagin]

Why couldn't I use this review to also meet the requirement to review the document for applicability?

19011:2018 4e)

...Auditors should be independent of the activity being audited wherever practicable, and should in all cases act in a manner that is free from bias and conflict of interest. For internal audits, auditors should be independent from the function being audited if practicable...

You can't do a process and audit a process at the same time. Maybe if you were a one-person company you could argue it...but, realistically, no.

 

[lanley liao]

In fact, the word John said is very right. the question about this "review and approval for suitability and adequacy" has been interpreted as "periodic review" by a lot of persons in these management systems.

 

[cgaro62]

FWIW, I think you'll get more value out of your IAs if you focus on "are you following the docs?" rather than "are the docs right?"

Based solely on the desire to get as much value as possible out of an IA (see the rest of my posts here)...I suggest that they NOT be combined.

That said, a finding in an IA because the docs are outdated should result (through CA) in updating the docs...but that is an effect, not a cause.

************
Hi Ninja - I agree and our IA Program is focused on the value of the audit; our Doc Control procedure allows for 'periodic review' by the creator or SME, sometimes both and we "also use IAs" as a second set of eyes, so to speak. Does that make sense?