Internal Audit Scope Requirements - Audit Nonconformance

REOQA

Just finished the surveillance audit with my registrar and he wrote us up for a nonconformance because our internal audit procedure states that all clauses of ISO9001:2008 will be audited at least once every three years (every audit report is required to suggest an interval for the areas covered in that audit). I pushed back that the standard does not state that requirement. He said it is contractual through ANAB. So, ANAB is now writing rules about how the standard is interpreted? Anybody else think this is stupid and non-value added? I'm ready to dump the entire IAF->ANAB->registrar->my company thing. Anyone else tired of this game?
 
Tara Monson

Re: Internal Audit Scope

I agree with you. The standard does not require an annual internal audit of each clause. In fact, my sister company also performs their audit on a 3 year cycle, more often if problems arise. They have never had an issue with their CB. Our registrar also told us to audit as often as we feel is needed...

I would appeal the nonconformance.
 
Reg Morrison

Re: Internal Audit Scope

> and he wrote us up for a nonconformance because our internal audit procedure states that all clauses of ISO9001:2008 will be audited at least once every three years (every audit report is required to suggest an interval for the areas covered in that audit).

It is not clear from your post if the auditor wants you to shorten the interval to yearly (instead of every 3 years).

As mentioned here, multiple times, whenever an auditor writes up an NC, s/he must IDENTIFY the requirement being violated. S/he cannot simply say...it's an ANAB requirement....or it's an ISO 17021 requirement. SHOW me THE SHALL still applies.

If your audit schedule is risk-based based on status, importance and past performance and data supports your decision to extend the interval between consecutive audits of a given process (you should not be auditing against the standard, anyway), you could easily win an appeal from the registrar.
 

insect warfare

QA=Question Authority
Trusted Information Resource
> Just finished the surveillance audit with my registrar and he wrote us up for a nonconformance because our internal audit procedure states that all clauses of ISO9001:2008 will be audited at least once every three years (every audit report is required to suggest an interval for the areas covered in that audit). I pushed back that the standard does not state that requirement. He said it is contractual through ANAB. So, ANAB is now writing rules about how the standard is interpreted? Anybody else think this is stupid and non-value added? I'm ready to dump the entire IAF->ANAB->registrar->my company thing. Anyone else tired of this game?

Can you post the exact wording of the registrar's nonconformity statement, including the specific clause(s) cited?

It seems like you are telling us that your own internal audit procedure states a specific requirement that is more or less applicable to registrars and not necessarily their clients (most registrars have a contractual agreement with their clients - that they have to abide by - that says they will audit the client's management system to all clauses of ISO 9001 over the course of a 3-year period). That (in itself) is not something I would expect to see in an organization's internal audit procedure.

Brian :rolleyes:
 

AndyN

Moved On
Yup - Brian has it. If you've got it in a procedure that might be the real issue. I'd certainly recommend it is removed. It's an external audit behaviour/requirement which has no place in internal audits. Your clue is that, as Reg correctly states, "status and importance" is the more applicable thing to define and implement - I bet your CB auditor can't explain what that means, tho'...
 
REOQA

Thank you all. Our procedure states 3 years. The CB verbally stated that by contractual arrangement of the rules of ANAB that all clauses must be audited every year. I've asked for that document. Thanks for the advice of substituting "status and importance". I think I'll phrase it something like, "internal audits will be performed according to the status and importance of the process to the organization." I already use status and importance in our report template as each report must recommend an interval for the next audit of the area/process.
 

Helmut Jilling

Auditor / Consultant
Re: Internal Audit Scope

> I agree with you. The standard does not require an annual internal audit of each clause. In fact, my sister company also performs their audit on a 3 year cycle, more often if problems arise. They have never had an issue with their CB. Our registrar also told us to audit as often as we feel is needed...
>
> I would appeal the nonconformance.

We have to be a little careful. The standard clearly states that it must be scheduled according to the risk and importance. But, it also states:

8.2.2 Internal audit

The organization shall conduct internal audits at planned intervals to determine whether the quality management system:

a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and

* It must address all the processes (and over time, all the requirements).

* It should be addressing the system in a process approach. This has been implied in the past, but will be an explicit requirement in the 2015 release.

* It must be effective... if you cannot demonstrate that your current 3 yr approach is effective, you might get a nonconformity, even if you meet your procedure.
 
REOQA

Re: Internal Audit Scope

Helmut, thank you for your comments but, we do not have to be careful, we need to be smart. I wanted some help with ANAB not a discussion about audit frequency that is self determined. :truce: I want a management system that works with or, especially, without 3rd party involvement. The current system is so wrought with fraud and abuse it is a joke. If you are going to quote or refer to what the standard states then please quote it accurately and do not substitute the word "risk" for the word "status", the two words are very very different. As an auditor you should know not to determine a finding by what may be in the 2015 standard, only audit to what is current. If audits had to be effective then the IAF, ANAB, and all CB's and registrars would not exist because in almost 30 years of dealing with them not one of their audits has been effective in my view. All of their findings have been ticky tacky and competent companies don't need 3rd party review, just the crappy ones. BTW crappy companies will filter themselves out of business in a more open market.
 

Helmut Jilling

Auditor / Consultant
Re: Internal Audit Scope

> Helmut, thank you for your comments but, we do not have to be careful, we need to be smart. I wanted some help with ANAB not a discussion about audit frequency that is self determined. :truce: I want a management system that works with or, especially, without 3rd party involvement. The current system is so wrought with fraud and abuse it is a joke. If you are going to quote or refer to what the standard states then please quote it accurately and do not substitute the word "risk" for the word "status", the two words are very very different. As an auditor you should know not to determine a finding by what may be in the 2015 standard, only audit to what is current. If audits had to be effective then the IAF, ANAB, and all CB's and registrars would not exist because in almost 30 years of dealing with them not one of their audits has been effective in my view. All of their findings have been ticky tacky and competent companies don't need 3rd party review, just the crappy ones. BTW crappy companies will filter themselves out of business in a more open market.

You appear to be on a rant against the whole system, and apparently have some perceived bad experiences with your past audits. Sorry about that. But, there are many very good and beneficial audits, and people like me work very hard to make them value-added to our clients.


I will respond briefly to two bits.


1) The CURRENT 2008 version of the standard addresses "effectiveness," which was my point:

8.2.2 Internal audit

The organization shall conduct internal audits at planned intervals to determine whether the quality management system....

b) is effectively implemented and maintained.



2) The CURRENT 2008 version of the standard addresses risk to a degree.

Sorry, I "misquoted" cl 8.2.2 from memory and used the word "risk" rather than "status." I was NOT auditing from 2015, because I do know better...

But the word risk is not entirely invalid, either.

The CURRENT 2008 version of the standard addresses risk in general terms in both Section 01 and 04. It also addresses risk as a concept in cl 8.5.2 and 8.5.3, but replaced the specific word "risk" with a phrase that implies it - actions shall be appropriate to the effects of the nonconformities, or potential problems. In the earlier versions, it actually used the word "risk."

Preventing or evaluating Risk is not a new concept in ISO land... 2015 just takes it to a more definitive level.

Sorry if you don't like the 3rd party system, but I can assure you there have been many good successes, for every bad or silly experience you have had.
 