SBS - The best value in QMS software

Audit of Exclusions et.al. - Quality Policy, Planning (including objectives), Etc.

E

e006823

#1
“ISO Std. 8.2.2requires “the organization to conduct internal audits at planned intervals to determine whether the QMS conforms to planned arrangements to the requirements of this international standard and to the QMS”. The Audit plan/schedule are set up to audit the QMP’s and the Quality Manual. Although the manual audit may pick up the areas not covered by the QMP, the results are more likely to be a desk audit. Items such as Quality policy, Planning (including objectives), Analysis of Data, etc. are to be included in the audit schedule and audited. “

The above is finding we received from our last periodic audit. Our registrar seems to believe that we are required to schedule audits of our “Quality policy, Planning (including objectives), Analysis of Data “ and any exclusion we have taken to the standard. My belief is that the quality policy and analysis of data are not auditable (is this a word?) processes and as long as they exist and we are doing what we say we do we are covered. During our audits we ask what are quality policy is and the 4 items in Analysis of Data section 8.4 is reviewed during the management team meetings are the planning requirements of section 5.4. As far as the “audit” of exclusions is concerned, I believe this is a ludicrous idea. How are we going to audit something that does not exist?

So tell me am I way out in left field here? Any ideas on how I should handle this situation?

Thanks,
Bob
 
Elsmar Forum Sponsor

Randy

Super Moderator
#2
You're way out in left field....everything in and about your QMS is auditable.

The very 1st thing to audit is the policy itself. The policy is the key document of the whole system. Everything an organization does is done to fulfill the committments made in the policy. The policy is essentually a "theory" that the organization brings into "reality"...all the system gibberish is the evidence of that equation.

As for exclusions, you can only claim them in clause 7 and then you have to support your reasoning and state so in your manual.

trust me when I say you'll be getting more feed back ;)
 
E

e006823

#3
Randy said:
You're way out in left field....everything in and about your QMS is auditable.

The very 1st thing to audit is the policy itself. The policy is the key document of the whole system. Everything an organization does is done to fulfill the committments made in the policy. The policy is essentually a "theory" that the organization brings into "reality"...all the system gibberish is the evidence of that equation.

As for exclusions, you can only claim them in clause 7 and then you have to support your reasoning and state so in your manual.

trust me when I say you'll be getting more feed back ;)

Randy,

I understand everything in our manual is auditable. What I don't understand is how I can perform an internal audit of the exclusions, which are supported in our manual. What the auditor seems to want is for us to actually schedule an audit of our exclusions, quality policy etc. on a periodic basis. This is the 6th time our registrar has audited our current system, never before was this a problem.

An audit of our exclusions serves what purpose? Nothing has changed since our initial certification. If our business needs determine that we no longer need to exclude a portion of the standard we will then document our new process.

I guess my real issue is that I don't believe that the standard requires us to schedule a separate audit for our quality policy, data analysis and exclusions since we address these requirements as a part of other QMS process audits or in the case of the exclusions when we developed our QMS. To me as throw back to the times of auditing by element.

Any suggestions on how to handle this or a compelling argument for me to actually schedule an audit of my exclusions etc..

Bob
 
Last edited by a moderator:

Al Rosen

Staff member
Super Moderator
#4
e006823 said:
Randy,

I understand everything in our manual is auditable. What I don't understand is how I can peform an internal audit of the exclusions, which are supported in our manual. What the auditor seems to want is for us to actually schedule an audit of our exclusions, quality policy etc. on a periodic basis. This is the 6th time our registrar has audited our current system, never before was this a problem. Any suggestions

Bob
That's interesting. Maybe if you say you don't do something, verify that it is not being done. What exclusions do you take? Maybe with specifics, we can come up with some ideas.
 

Randy

Super Moderator
#5
You have just audited your exclusions based upon the evidence presented here. "Nothing has changed".

Basically just be able to show that there has been no change in the exclusions you claim. Have a review (or conduct a review) of your processes performed that specifically looks for evidence that the exclusions are still valid.

On a regular basis...ie annual or so, review the policy and see if it is still valid. Are you meeting it's intent? Can you provide the necessary evidence that the policy is being fulfilled? Nothing says that this can't be part of the management review process (we'll probably get some comments on this one :rolleyes: )
 

RoxaneB

Super Moderator
Super Moderator
#6
e006823 said:
I understand everything in our manual is auditable. What I don't understand is how I can perform an internal audit of the exclusions, which are supported in our manual. What the auditor seems to want is for us to actually schedule an audit of our exclusions, quality policy etc. on a periodic basis.
As Al pointed out, verify that it's not being done. When our Quality Manual is audited during our Internal Audit, my Management Committee is questioned about the exclusions. They are asked to demonstrate that they understand what the exclustions pertain to and why the exclusions are exclusions.

The Quality Policy is audited via several methods:

  • Do people understand the Quality Policy?
  • Are people able to demonstrate how their job impacts our ability to meet Customer requirements?
  • Is it suitable to us?
  • How is it reviewed? Frequency? Evidence of review?
  • Methods of communication?
  • Etc.

e006823 said:
This is the 6th time our registrar has audited our current system, never before was this a problem.
Without knowing your organization or your previous external audit results, and no insult is intended here, perhaps your auditor had bigger fish to fry? Just because it wasn't a finding before, doesn't mean it wasn't noticed...but perhaps the auditor had other issues s/he wished to focus on?

Just because my organization has yet to receive a finding on Internal Audits, that does not mean my IA process is perfect. But we've had, for example, some rough spots in our Purchasing area and this has been the focus of our Auditor and will be until we can show that have a pretty good handle on the whole concept of buying stuff.

e006823 said:
An audit of our exclusions serves what purpose? Nothing has changed since our initial certification. If our business needs determine that we no longer need to exclude a portion of the standard we will then document our new process.
Really? How? How will you show that you have considered the the application of the exclusions? How will you show that changes to the business needs have impacted (or not impacted) the exclusions? The verification of the exclusions and the verification that you have considered the exclusions demonstrates that your organization has validated your existing Management System.

4.1 General requirements "...identify the processes needed for the quality management system and their application throughout the organization (see 1.2)..."

which leads us to

4.2.2 Quality manual "....including details of and jusrication for any exclusions (see 1.2), ..."

which leads us to

5.6.1 General (management review) "...to ensure its continuing sutiability, adequacy and effectiveness......and the need for changes to the quality management system..."

which leads us to

5.6.2 Review input "...changes that could affect the quality management system..."

which leads us to

5.6.3 Review output "...improvement of the effectiveness of the quality management system..."

which leads us to

8.2.2 Internal audit "...conforms...to the quality management system requirements established by the organization...is effectively implemented and maintained."

Sooo.....Bob, prove to the us, prove to the auditors, but most importantly, prove to yourself, that you have validated your exclusions. No organization remains stagnant if it wishes to compete in today's economy. Business needs, business processes...businesses in general....are constantly changing and adapting. Demonstrate that you are acknowledging this and show that your exclusions still hold true. :)

e006823 said:
I guess my real issue is that I don't believe that the standard requires us to schedule a separate audit for our quality policy, data analysis and exclusions since we address these requirements as a part of other QMS process audits or in the case of the exclusions when we developed our QMS. To me as throw back to the times of auditing by element.
Is the auditor saying that you are not demonstrating that you are auditing 4.1 (a), 4.2.2 (a), 5.3 and 8.4 or that you are not demonstrating that you have the processes in place (which is done via audits)? Simply put, I do not schedule an audit for 8.4. You will not see that in my audit schedule...EVER. What you will see, however, when I audit say, a production process, 8.4 is scheduled to be audited then. Why? Because Production analyzes data. You'll see 5.3 on the production process audit, too. Why? Because Production personnel need to understand the Quality Policy and how their job impacts our ability to meet Customer requirements.

And a successful audit of 4.2 - 8.5.3 means that 4.1 is met and has been audited...it's like the executive summary clause.

What I have is matrix that shows all the clauses and sub-clauses along one axis and all of our processes along the other. I show if there is a (D)irect, (S)support, or (N)o relationship between the process and the (sub)clause. So, when I audit a process, all of the direct links are audited and a sample of the support links....for "kicks", I occasionally through in a No link clause. This helps to see if my Internal Auditors are paying attention and verifies that No link remains.

e006823 said:
Any suggestions on how to handle this or a compelling argument for me to actually schedule an audit of my exclusions etc..
It's your system, Bob. It works for your organization...not your auditor. Let me ask you these questions though...perhaps your "compelling argument" lies within your own answers:

  • How do you know that the exclusions hold true?
  • If you know, what is the objection to providing the evidence demonstrating your knowledge?
  • How do you audit your Quality Manual?
  • How do you audit the justifications for exclusions? Just as we do not accept a response of "Yes, I schedule Internal Audits" as proof that audits are schedule, why should an auditor accept a statment of exclusion at face value?
 
Last edited:

RoxaneB

Super Moderator
Super Moderator
#7
Randy said:
Nothing says that this can't be part of the management review process (we'll probably get some comments on this one :rolleyes: )
Comment!!!! Oooh! Oooh! Comment!!! :D

.....I agree with you, Randy.

You're right...who says it can't be done then? Who says it can't be done during an internal audit? Who says it can't be done during beer and wing nite at the local pool hall where management routinely gets together to talk about us? What we need is simply evidence that the exclusions were validated...and...ooooooh....management review has RECORDS! Hmmmm.....records = objective evidence = Bob's external auditor no longer having an issue! :D
 
E

e006823

#9
First off I’d like to thank everyone for the help.

RCBeyette said:
It's your system, Bob. It works for your organization...not your auditor. Let me ask you these questions those...perhaps your "compelling argument" lies within your own answers:

  • How do you know that the exclusions hold true?
  • If you know, what is the objection to providing the evidence demonstrating your knowledge?
  • How do you audit your Quality Manual?
  • How do you audit the justifications for exclusions? Just as we do not accept a response of "Yes, I schedule Internal Audits" as proof that audits are schedule, why should an auditor accept a statment of exclusion at face value?

We are a wafer fab, what is excluded in our QMS is design and development section 7.3. Our customers provide all of our designs. We may develop a process from that design and we do address our process development process.

Our quality manual is audited by ensuring: 1) all requirements from ISO9001 or other standard have been addressed. 2) That we have then implemented the requirements in a lower level procedure/process. 3) The relevant sections of the Quality manual along with all other requirements are referenced in our audit report

I have no objection to providing any evidence, in this particular instance this finding was never discussed with me, I found out about it after it was written. As part of an Audit we routinely address the quality policy with during interviews. All of our people have a good grasp of the policy, what it means to them and the role their function plays within the system.


RCBeyette said:
Is the auditor saying that you are not demonstrating that you are auditing 4.1 (a), 4.2.2 (a), 5.3 and 8.4 or that you are not demonstrating that you have the processes in place (which is done via audits)? Simply put, I do not schedule an audit for 8.4. You will not see that in my audit schedule...EVER. What you will see, however, when I audit say, a production process, 8.4 is scheduled to be audited then. Why? Because Production analyzes data. You'll see 5.3 on the production process audit, too. Why? Because Production personnel need to understand the Quality Policy and how their job impacts our ability to meet Customer requirements.

[/list]

This is basically how we schedule perform our audits. Our auditor is looking for a schedule that lists 8.4 etc. as separate audits, to me this is not value added.

I like the idea of a matrix as a tool/aid (Thanks Roxane).


Randy said:
This may be a case of the auditor making his own stuff up,…:
This was my initial reaction to the finding.

Thank,
Bob
 
G

Greg B

#10
Randy said:
On a regular basis...ie annual or so, review the policy and see if it is still valid. Are you meeting it's intent? Can you provide the necessary evidence that the policy is being fulfilled? Nothing says that this can't be part of the management review process (we'll probably get some comments on this one :rolleyes: )
:agree1: I agree with Randy. We do not audit the Policy or even the manual (per se) we Review them both thru the Management Review Procedure. 'Management' review both documents and make recommendations for change. I like to think that a Review and an Audit are fairly interchangeable. Although, a Review may be conducted by people directly related to the procedure and an Audit is conducted by people NOT directly related to the procedure. Our Policy and Manual are AUDITED by our registrar. As Randy stated we prove to the auditor that we meet the INTENT by the MR.
PS. I also agree with everything Roxane said but if I went thru it point by point I may be here all day. :lmao: Very good answer.

Greg B
 
Thread starter Similar threads Forum Replies Date
N Permissible Exclusions for QM ISO9001:2008 Audit and Consultancy Services Company ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
Q Audit report template ISO 9001/14001 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 13
Q ISO 9001-2015 Internal audit finding Internal Auditing 12
lanley liao How to understand this words that the planning of internal audit shall take into consideration the results of previous audits? Oil and Gas Industry Standards and Regulations 10
P Audit check for IT company (ISO 9001) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
D Supplier audit Medical Device and FDA Regulations and Standards News 2
M Go Live With New ERP System before Recertification Audit General Auditing Discussions 6
A Add MDSAP to Internal Audit Schedule Medical Device Related Regulations 0
A Define timeline for Major and Miner Audit finding General Auditing Discussions 4
J IATF 16949 Internal Audit question - Auditor's responsibility Internal Auditing 6
A API Monogram audit review process Oil and Gas Industry Standards and Regulations 4
S IATF 16949 Internal Audit Example IATF 16949 - Automotive Quality Systems Standard 7
B Remote IATF 16949 audit preparation General Auditing Discussions 10
M AS9100D Registrar pre-audit requirements AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 15
I Do I need to sign off my annual audit calendar? Internal Auditing 2
R AS9100D internal audit checklist or ISO 9001 2015 to AS9100 D AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 2
M Nice and simple invitation email to an audit kickoff meeting Internal Auditing 1
M IATF 16949 - Audit of Remote Location/Support Site and IT IATF 16949 - Automotive Quality Systems Standard 4
Q IATF audit - Root Cause Analysis results IATF 16949 - Automotive Quality Systems Standard 5
Q Self-assessment audit information Quality Management System (QMS) Manuals 6
Le Chiffre Online training available for ISO/IEC 17021-1: Requirements for bodies providing audit and certification of management systems Training - Internal, External, Online and Distance Learning 3
xfngrs NIOSH Audit for N95 respirators US Food and Drug Administration (FDA) 1
Sidney Vianna IATF 16949 News Risked Based Audit Day Calculation IATF 16949 - Automotive Quality Systems Standard 2
T AS9100 audit due to facility move AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 4
M ISO 13485:2016 internal audit checklist Medical Device and FDA Regulations and Standards News 5
A Internal Audit Questions ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
B SAP Audit trail Periodic Review EU Medical Device Regulations 1
N What are the software audit and control steps Reliability Analysis - Predictions, Testing and Standards 2
R Gap Audit Aerospsace and Rail QMS Quality Manager and Management Related Issues 0
salaheddine96 Internal audit planning Internal Auditing 2
A MDSAP Audit Questionnaire Medical Device and FDA Regulations and Standards News 7
H Obligations as a contract manufacturer during an MDSAP audit ISO 13485:2016 - Medical Device Quality Management Systems 5
M What are the basics of Medical Device Single Audit Program (MDSAP)? ISO 13485:2016 - Medical Device Quality Management Systems 7
Sidney Vianna IATF 16949 News Update on the IATF CARA Project (“Common Audit Report Application”) - 12/2020 IATF 16949 - Automotive Quality Systems Standard 1
R ISO 17025 vertical audit checklist wanted Document Control Systems, Procedures, Forms and Templates 2
Z Rapid audit template for plastic parts manufacturing process Manufacturing and Related Processes 12
M ISO 9001 Major Nonconformance Internal Audit Schedule/COVID-19 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 18
S Quality Audit Training Activities Quality Manager and Management Related Issues 2
G IATF Rules for COVID 5th revision - Re-certification audit timing IATF 16949 - Automotive Quality Systems Standard 3
E MDR internal audit Internal Auditing 1
Ed Panek Remote Audit GOTOMEETING thoughts Coffee Break and Water Cooler Discussions 22
B ISO 9001 - "Remote Audit Fee" Registrars and Notified Bodies 13
L IATF external audit virtual (remote) IATF 16949 - Automotive Quality Systems Standard 13
M Audit Criteria Training Materials Internal Auditing 1
K New supplier audit as per V3.1 by French Automotive OEM General Auditing Discussions 2
S Complexity Rating - CB adding another audit day for "high complexity" AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 6
U Internal Auditor not trained but done Audit for some process Nonconformance and Corrective Action 5
B Looking for 10 Internal Audit Online Training Participants ISO 17025 related Discussions 2
K MDSAP Audit Approach 2020 for Brazil Other Medical Device Regulations World-Wide 1
K MDSAP Audit Approach 2020 ISO 13485:2016 - Medical Device Quality Management Systems 3

Similar threads

Top Bottom