How do I create a FMEA for the Internal Audit process?
- Thread starter edgedirk
- Start date
Wouldn't waste my time. Surely there are bigger fish to fry. In 30+ years of auditing I've yet to find a meaningful KPI, frankly. The fact that IA is in the "performance Measurement" section of the standard gives you a clue to the fact that it's a pert of performance evaluation, not a core process for the customer or business. IMHO - find something management want to get benefit from measuring...
BTW - your external auditor is plain wrong!
He is not just wrong, he's nuts. FEMAs were developed to resolve PRODUCT problems, not processes.
Er, not as far as industry is aware. They are not there to "resolve" anything, but prevent design and process (ing) issues. DFMEA and PFMEA use is quite common in the automotive industry as a preventive measure...
You could apply a "FMEA" (not FEMA, that's a federal department) to the internal audit process, but really..?
No CB auditor has the right to tell you FMEAs are required for all processes. Such specific advice crosses the line into consulting, which is forbidden under ISO 17021 and accreditation rules. In fact, guidance for registrars from the International Accreditation Forum includes a list of evidence types that could be used as appropriate for that process. When told you must have FMEAs for everything, please ask "Where in the standard is that required?" and if you receive a nonconformance for not having FMEAs for all processes, please dispute it as is your right under accreditation rules.
We are required to (6.1.1)
ISO 9001:2015 does say (6.2.1)
Andy and I agree there are few meaningful performance metrics for the internal audit process. Mostly I see "Number of audits completed/number of audits scheduled", which is an easy, arguably simplistic approach.
I have, however seen cases where that metric could be appropriate. I have seen cases in which the auditors are assigned audits as collateral duties, but their managers pressure them to complete primary duties so audits do not get done as planned. When that happens, is it an indication of inadequate resource management and management support, which is another requirement (5.1.1).
So, make the objective/target/KPI reflect what success looks like in the process. If that seems difficult, as yourself "What would failure look like?" and decide how that would be measured. What is the process expected to achieve? How would you know if that did not happen?
I hope this helps!
We are required to (6.1.1)
What are risks in internal audits? How will they be managed? Remember risk is defined as "the effect of uncertainty." There is always a risk of not completely covering the standard in the three year registration period. Planning and audit program management techniques can help address that. It is enough to state the identified risk, as verbal responses to questions are also audit evidence. Showing how your planning is designed to address the risk is demonstration. After enough time, showing that complete coverage has, in fact been achieved, is also demonstration.
ISO 9001:2015 does say (6.2.1)
Is Internal Audit a relevant function/process? Try convincing a CB auditor it is not, since its activities assess effectiveness of the management system.
Andy and I agree there are few meaningful performance metrics for the internal audit process. Mostly I see "Number of audits completed/number of audits scheduled", which is an easy, arguably simplistic approach.
I have, however seen cases where that metric could be appropriate. I have seen cases in which the auditors are assigned audits as collateral duties, but their managers pressure them to complete primary duties so audits do not get done as planned. When that happens, is it an indication of inadequate resource management and management support, which is another requirement (5.1.1).
So, make the objective/target/KPI reflect what success looks like in the process. If that seems difficult, as yourself "What would failure look like?" and decide how that would be measured. What is the process expected to achieve? How would you know if that did not happen?
I hope this helps!
Last edited:
Pardon my typo on FEMA instead of FMEA.
As far as them being inappropriate I wish to cite John J Guzik article "Prove It, How to demonstrate risk-based thinking for auditors" as published in Standards Outlook. This article was recently linked to another thread here at Elsmar Cove. The writer is a principal of Impact Management in Hanover, PA. He is a participating member of the U.S. Technical Advisory Group in ISO Technical Committee 176.
"There have been much written and said about this 'new' ISO 9001 requirement on risk. Many have pointed to risk management programs, insisting that the standard now formally requires them. Tools such as failure mode and effects analysis (FMEA), a production parts approval process (PPAP) and a plethora of new whiz-bang software programs have been introduced as tools that can do the task.
The difficulty with using these tools is that most of them were designed for risk management programs that address requirements of a product or service. Using these tools may help with product integrity, but they could leave you hanging in the breeze when it comes to demonstrating risk-based thinking per ISO 9001's requirements."
It would be best to read the entire article where he points out the risks of depending on such programs and goes on to show how if you are already living to specific clauses of the standard you are already practicing risk-based thinking.
