Internal Quality Audits and Contract Audits

Internal Quality Audit and Contract Audits

A client of mine runs a CNC Lathe machine shop with only 2 operators. This shop turns out some specific components and supplied to a major Automobile Parts manufacturer.

Recently during an external audit for a ISO 9001:2000 Certification, the Auditor raised a NCR for not identifying Internal Auditors within the Organisation.

The client has clearly stated in the QSP that the IQA is being subcontracted to an external party.

Is the Auditor right in his objection?

How do we tackle such situations where the number of employees is small, say less than 10.?

I do interal audits on contract for several companies and this has never been an issue. The internal audit system flow chart clearly shows this step. There is a person whose responsibility is to over see the system and keep the schedule and such, but I know of no requirement that states or implies that every company must have internal auditor(s) per se. The requirement is that internal audits be done and that a system is defined.

Also see: http://Elsmar.com/Forums/showthread.php?t=2390 and http://Elsmar.com/level2/4_17.html

If you want to attach a copy of your current system flow chart or whatever you use to describe your internal audit system, maybe some of us will make some comments. :thedeal:

I agree with Marc, as long as the auditors are independent of those having direct responsibility for the activity being audited (94). However, in the 00 standard it states "The responsibilities and requirements for planning and conducting audits,......, shall be defined in a documented procedure." So, in my opinion you are ok. I would challenge it! You may want to double check on what the 00 says about outsourcing.

External Internal Auditors

About the only thing I would add to the previous comments is perhaps some documentation that indicates who the outsource is. A contract, signed proposal or even listing the company in the procedure (I would be careful here). Just saying they are conducted by outside personnel might lead to additional questions.

Also, if you had bios of the auditors, showing their credentials that might help. The requirements should be well established by you (to avoid any confusion).

Hope that helps

Dave B (the other Dave)

I believe the '94 version also required a documented procedure for the internal audit system as well.

The 2000 version does not in any way I can discern address contracting internal audits. Standard stuff will apply - such as the auditor's credentials, etc. But - all in all the '94 version and the 2000 version are not significantly different save the verbiage rearrangement. :thedeal:
Internal Audit - Element 8.2.2

The company shall conduct internal audits at planned intervals to determine whether the quality management system
a) Conforms to the planned arrangements (see 7.1), to the requirements of ISO 9001:2000 and to the quality management system requirements established by the company, and
b) Is effectively implemented and maintained.

An audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process.
Auditors shall not audit their own work.
The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.2.4) shall be defined in a documented procedure.
The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8.5.2).

NOTE See ISO 10011-1, ISO 10011-2 and ISO 10011-3 for guidance.

Example Wording

Example wording:

8.2.2 Internal Audit

Company X conducts internal audits at planned intervals in accordance with a schedule to determine whether the quality management system:

a) conforms to the planned arrangements (see 7.1), to the requirements of this manual and to the quality management system requirements established by our organization, and

b) is effectively implemented and maintained.

Our audit program is planned by the Vice-President of Operations, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods are defined.

Auditors do not audit their own work because our system utilizes qualified contract auditors. These auditors provide reports which are used as a basis for systems improvement. The results of the audits are recorded and brought to the attention of the personnel having responsibility in the area audited. The management personnel responsible for the area take timely corrective action on the deficiencies found during the audit. This method also ensures the objectivity and impartiality of the audit process.

Should Company X in the future decide to undertake internal auditing by internal employees, adequate training shall be provided to the prospective auditors and the appropriate documentation and systems shall be developed, implemented and maintained. (Adequate training will be an auditing course given by a qualified instructor)

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (per 4.2.4) are defined in our Internal Audit System Flow Chart.

The management responsible for the area being audited ensures that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities include the verification of the actions taken and the reporting of verification results (see 8.5.2).

Follow-up audit activities verify and record the implementation and effectiveness of the corrective action taken.

NOTE:

The results of internal quality audits form an integral part of the input to management review activities and is a line item on the management review form.

Internal Quality Audits

Thanks for the response.
The client did mention about a contract for Audit as well as including the Auditor as 'Service Provider' and has gone through the route of 'Vendor Appraisal'.

The auditor shouldnt question that you are sub-contracting your internal audits to a service provider, so long as all the Purchasing requirements are met.

I expect however that he is concerned at the apparent lack of ownership of the QMS if the so called QA activites are undertaken by an external service provider.

Contract out our committment?

Unregistered,

Good point! That is why you should register...we need this type of thinking.

We can never assume that by using outside resources for internal auditing we can give up on ownership of the QMS. I doubt that contracting out our management review process will be of any value.

Dave B (the other Dave)

Internal Quality Audits

What we have further done is to include the Internal Auditor also to attend the Management review meetings and present the findings with the action plan.
This way, we thought we were meeting the requirements of the standard as well as our our own QSP.
Still, the aexternal auditor NCR is on record.
By theway, I have had the opportunity of participating in nearly half-a-dozen external auditors. My observation is that there is always an element of subjective interpretation by these individuals and it puts lot of doubts in our various clients whether the Standard is really a 'Standard at all'.
One example is the way the Master List of documents is maintained.
As long as the evidence is provided that there is a master list(document list, status, ID, holder details etc), the auditor should not mind 'how' it is maintained?
Is it true that individual REgistrars provide guidelines for thier auditors(!)
Is this problem only in India or others also face similar problems?