AS9100D Internal auditing requirements

[fharland]

My AS auditor has stated my organization needs to audit every aspect and process in our QMS within the three year certification cycle. AS9100D, Section 9.2 does not state this as a requirement. We've defined five critical QMS processes that we plan to audit on a reqular basis. Based on the results of those audits, we may audit supportive processes in which issues were found.

Does anyone agree or disagree this approach meets the requirements of AS9100D, Section 9.2?

 

[John Broomfield]

Sure, some of your processes are much more important than others.

But system thinkers remember that for the want of a nail the kingdom was lost.

So, cover all parts of your system with your audits but some parts less frequently than others - according to risk of course.

That 3-year rule you may find in the terms and conditions of your contract with your registrar.

 

[NickV....]

Unfortunately the content that you may select to be reviewed during an internal audit may come under scrutiny from different auditors. You're correct in noting that the standard does not dictate this, however that in it self will lead to different opinions from different auditors. In my experience it's best to go above the requirements (if it's not too time consuming depending on time frame, company size, manpower etc...) and satisfy the auditor then to argue the point.

Do you perform these internal audits every year before your yearly review audit or only once before your re-cert audit?

 

[Kirby]

I think that I learn something everyday.

Sure, some of your processes are much more important than others.

But system thinkers remember that for the want of a nail the kingdom was lost.

So, cover all parts of your system with your audits but some parts less frequently than others - according to risk of course.

That 3-year rule you may find in the terms and conditions of your contract with your registrar.

Thanks for the heads-up regarding the T&Cs . We recently had an auditor react to the answer to his question "Why didn't you audit every requirement?" Now, to be honest the internal audit was not a shining example of superior auditing / reporting. But when we answered that we had attempted to get a reasonable sample from each area / process he was not happy and advised in no uncertain terms that we should never think in terms of "samples". As I said before, every day I learn something that I didn't know. My experience had been that you start with a schedule and, based on the results of the initial audits, you may revise the schedule to address areas / processes where you had noted "indicators" or actual weaknesses. Apparently we need to eure that we cover all elements of our QMS / AS9100 at least once a year. OK.

 

[paultyler]

I have been told by many auditors that audits must be done using a process approach. I understand the concept but can't find the clause that supports it in AS9100.

 

[John Broomfield]

Department auditing and clause-by-clause auditing used to be common but we have since found it was not the way to effectively audit a system of interacting processes.

So, sample the system and its processes to fulfill most if not all audit objectives.

What caused the auditor to make this comment?

 

[Sidney Vianna]

I understand the concept but can't find the clause that supports it in AS9100.

So, ask these "many auditors" who have told you so: "WHERE IS THE SHALL?"

For the audits that the CB auditors conduct, AS9101 stipulates the following:

The audit team should conduct quality management system audits using a method that focuses on process performance and effectiveness;

No reason why internal audits should not follow that guidance either, but, as many of us know, the vast majority of internal audits conducted out there are wasted efforts, with nothing of material significance being uncovered during the exercise.

 

[John Broomfield]

Perhaps our OP asked the auditor for advice.

 

[Kirby]

I understand the need of the process audit as opposed to strict departmental or "element" audits, but sometimes I'm at a loss of how to structure an internal audit without employing a "hybrid" approach. Our company is a small business (≈40 people), we have identified five major processes. The responsibility for these processes is largely departmental (Control of external suppliers / Supplier management is Purchasing, Design & Development / Design Management is Engineering, Control of Production and Service/ Production Management is Manufacturing, etc.) and the audits are conducted by asking questions and reviewing OE related to the specific requirements of the standard. Although we say "Process" it really seems like what we are doing is clause based. One of our challenges is that, while typically related to a particular industry, our products and services are never identical from one to the next so it's difficult to follow a given project from quote to delivery and ensure that we've covered all of the standard's requirements, so auditors end up reviewing documentation from multiple projects to identify evidence of compliance to specific requirements - again seems more clause based?
I'm certainly not defending what we do (or rather, how we do it), I'd really like to have that "AHA!" moment where I would really clearly understand the concept and be confident in an approach. It's true that I've been around since we audited 18 (or 21?) elements and maybe I'm still just not grasping the concept but I can't see how one could conduct an audit without some kind of checklist, and wouldn't that be more clause oriented?

 

[paultyler]

Department auditing and clause-by-clause auditing used to be common but we have since found it was not the way to effectively audit a system of interacting processes.

So, sample the system and its processes to fulfill most if not all audit objectives.

What caused the auditor to make this comment?

The audit schedule didn't list any of our core processes.