Auditing Information Technology (IT) in the ISO 9001 workplace


lennon121

Auditing IT in the workplace.

Is this a practice commonly used in an ISO 9001 environment?

I'm finding it difficult to audit IT as a horizontal, as this department doesn't really fit within the ISO standard.

Does anyone else include auditing IT systems in their internal audits?
 

sridharafep

Re: Auditing Information Technology in the ISO 9001 workplace

Good topic, we have not included IT! (Isolated function for ISO 9001)

Waiting for feedback from others!
 

Stijloor

Leader
Super Moderator
Re: Auditing Information Technology in the ISO 9001 workplace

> Auditing IT in the workplace.
>
> Is this a practice commonly used in an ISO 9001 environment?
>
> I'm finding it difficult to audit IT as a horizontal, as this department doesn't really fit within the ISO standard.
>
> Does anyone else include auditing IT systems in their internal audits?

IT is an internal service organization similar to Maintenance.
They have many internal customers that have needs and expectations.
The internal audit should be focused on how well IT is able to meet the needs and expectations of their internal customers and how well they support other processes that are very dependent on the performance of the computer system.

As an auditor, I found most of the IT folks very responsive.

They are also my allies when I consult for organizations that want to implement a quality management system. Document/record management....;)

Stijloor.
 

somashekar

Leader
Admin
Re: Auditing Information Technology in the ISO 9001 workplace

> Auditing IT in the workplace.
>
> Is this a practice commonly used in an ISO 9001 environment?
>
> I'm finding it difficult to audit IT as a horizontal, as this department doesn't really fit within the ISO standard.
>
> Does anyone else include auditing IT systems in their internal audits?

IT (Information Technology) is a support function in almost all organizations. Its importance is stressed in ISO 9001:2008; it falls within Infrastructure in clause 6.3.

How the IT requirement is determined, provided and maintained for achieving conformity to requirements must be the basic audit focus area. Data storage, access control, back-up and disaster management, loss prevention, security and protection from viruses, malware etc., rights and security when access is provided from a remote site for database operations, etc.
 

AndyN

Moved On
Re: Auditing Information Technology in the ISO 9001 workplace

> Auditing IT in the workplace.
>
> Is this a practice commonly used in an ISO 9001 environment?
>
> I'm finding it difficult to audit IT as a horizontal, as this department doesn't really fit within the ISO standard.
>
> Does anyone else include auditing IT systems in their internal audits?

Well, it depends on what you're auditing and why, like any audit really. You shouldn't just 'audit IT', for example...

A few years ago, while auditing the manufacturing shop for a significant waste-producing issue, it became clear that the client's IT function was involved in the design of a reporting database used to track the waste. Only, the database reporting was incomplete. As part of the manufacturing audit, it was discovered that the IT people would 'get around to fixing it' only after they'd worked on 14 other IT projects first.

The cost to the org. of this waste? $8M! Apparently, equipping staff with cell phones etc. was a higher priority...
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
According to my internal plan, the "data center" gets audited to the following elements:

QMS (General) 4.0
Control of Documents 4.2.3
Control of Records 4.2.4
Management Responsibility (General) 5.0
Responsibility, Authority & Communication 5.5 & 5.5.1
Resource Management (General) 6.0
Infrastructure 6.3
Product Realization (General) 7.0
Identification & Traceability 7.5.3

It's important to move away from the product mindset when auditing IT/IS/data retention services. 7.5.3, for example, is a support function, as in electronic record keeping for traceability, if electronic records are used.

Infrastructure is about the physical environment (temperature and humidity to ensure the equipment is always available; that might even mean calibration of the sensors), but it's also about structure to ensure electronic data remains identifiable and retrievable. That might mean mirrored servers, backup systems using tapes, and backup battery banks so shutdown can happen in an orderly fashion during a power outage; some systems don't like sudden shutdowns. Of course people need to be trained and educated to properly run and maintain these systems, so 6.2 could be added to the above list.
 

samsung

This is absolutely fine. Can I suggest including, in the above list, various applicable elements of Section 8, such as Monitoring & measurement of processes (8.2.3), 8.3, 8.4 and the whole 8.5 clause.
 

SteelMaiden

Super Moderator
Trusted Information Resource
Re: Auditing Information Technology in the ISO 9001 workplace

> IT is an internal service organization similar to Maintenance.
> They have many internal customers that have needs and expectations.
> The internal audit should be focused on how well IT is able to meet the needs and expectations of their internal customers and how well they support other processes that are very dependent on the performance of the computer system.
>
> As an auditor, I found most of the IT folks very responsive.
>
> They are also my allies when I consult for organizations that want to implement a quality management system. Document/record management....;)
>
> Stijloor.

Agreed! My IT dept is absolutely critical to our QMS health. Everything we do is highly automated; without the computer infrastructure, we are toast.

Audit trails to follow could include backup of information, contingency plans for server failure, and how they manage change requests.
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Re: Auditing Information Technology in the ISO 9001 workplace

> Agreed! My IT dept is absolutely critical to our QMS health. Everything we do is highly automated; without the computer infrastructure, we are toast.
>
> Audit trails to follow could include backup of information, contingency plans for server failure, and how they manage change requests.

Things to watch out for are supplier-fed processes like data storage, such as what HP just outbid Dell to purchase as a "one stop shopping" service to offer people who buy their computers.

Similarly, those of us whose workplaces contract with Google for their email may find the Googledocs option so tempting. And it looks really great for sharing inputs to processes. But I have never found anyone who could adequately describe to me how this meets the requirements of 4.2.4.

A year or so ago I bit the leg, so to speak, of an audit department that had decided to keep its records on Googledocs but for some reason could not fathom why I was pressing the issue of 4.2.4 with their cloud computing. We are different divisions of the same corporation, and neither of our divisions manages these IT services.

The audit program manager in that other place ended up getting perturbed with me for continuing to gnaw on his leg, so to speak, while I went along for weeks wondering why they didn't "get" 4.2.4 or if I was in the middle of some private joke.

This week the issue came up again, locally this time, only this time the fellow was not confused so maybe we can get a straight answer from IT this time. The saga continues.
 

Pancho

wikineer
Super Moderator
Re: Auditing Information Technology in the ISO 9001 workplace

> Similarly, those of us whose workplaces contract with Google for their email may find the Googledocs option so tempting. And it looks really great for sharing inputs to processes. But I have never found anyone who could adequately describe to me how this meets the requirements of 4.2.4.

The requirements of §4.2.4 are broad, and therefore I think that they can indeed be met by Google docs or another cloud solution. The clause reads:

> Records established to provide evidence of conformity to requirements and of the effective operation of the quality management system shall be controlled.
> The organization shall establish a documented procedure to define the controls needed for the identification, storage, protection, retrieval, retention and disposition of records.
> Records shall remain legible, readily identifiable and retrievable.

The key is "...a documented procedure to define the controls needed...". The organization defines which controls are needed. If the software is proving useful to its users, then it is very likely that it is already meeting most of the controls needed, possibly except retention and disposition (people tend not to think of these when the records are in process). These needed controls need only be documented.

If retention and disposition are not being met, one way of meeting them might be to classify the records into two categories: active and inactive. Upon closeout of a contract/project, its records become inactive. At this time they are printed or exported to disk, deleted from gDocs, and filed locally for the required inactive period along with other records for the contract/project.

There is a risk of loss of data by Google during the active period. The standard allows you to define whether that risk is acceptable or not. For some critical records, it might not be, and then you may need some backup plan (say, exporting even while the record is active). But I suspect for most records such a risk is indeed OK.

Pancho
 