Re: Internal Audit Scope
Helmut, thank you for your comments but, we do not have to be careful, we need to be smart. I wanted some help with ANAB not a discussion about audit frequency that is self determined. :truce:I want a management system that works with or, especially, without 3rd party involvement. The current system is so wrought with fraud and abuse it is a joke. If you are going to quote or refer to what the standard states then please quote it accurately and do not substitute the word "risk" for the word "status", the two words are very very different. As an auditor you should know not to determine a finding by what may be in the 2015 standard, only audit to what is current. If audits had to be effective then the IAF, ANAB, and all CB's and registrars would not exist because in almost 30 years of dealing with them not one of their audits has been effective in my view. All of their findings have been ticky tacky and competent companies don't need 3rd party review, just the crappy ones. BTW crappy companies will filter themselves out of business in a more open market.
You appear to be on a rant against the whole system, and apparently have some perceived bad experiences with your past audits. Sorry about that. But, there are many very good and beneficial audits, and people like me work very hard to make them value-added to our clients.
I will respond briefly to two bits.
1) The CURRENT 2008 version of the standard addresses "effectiveness,"
which was my point:
8.2.2 Internal audit
The organization shall conduct internal audits at planned intervals to determine whether the quality management system....
b) is effectively implemented and maintained.
2) The CURRENT 2008 version of the standard addresses risk to a degree.
Sorry, I "misquoted" cl 8.2.2 from memory and used the word "risk" rather than "status." I was NOT auditing from 2015, because I
do know better...
But the word risk is not entirely invalid, either.
The CURRENT 2008 version of the standard addresses risk in general terms in both Section 01 and 04. It also addresses risk as a concept in cl 8.5.2 and 8.5.3, but replaced the specific word "risk" with a phrase that implies it -
actions shall be appropriate to the effects of the nonconformities, or potential problems. In the earlier versions, it actually used the word "risk."
Preventing or evaluating Risk is not a new concept in ISO land... 2015 just takes it to a more definitive level.
Sorry if you don't like the 3rd party system, but I can assure you there have been many good successes, for every bad or silly experience you have had.