Audit of Exclusions et.al. - Quality Policy, Planning (including objectives), Etc.

E

e006823

#1
“ISO Std. 8.2.2requires “the organization to conduct internal audits at planned intervals to determine whether the QMS conforms to planned arrangements to the requirements of this international standard and to the QMS”. The Audit plan/schedule are set up to audit the QMP’s and the Quality Manual. Although the manual audit may pick up the areas not covered by the QMP, the results are more likely to be a desk audit. Items such as Quality policy, Planning (including objectives), Analysis of Data, etc. are to be included in the audit schedule and audited. “

The above is finding we received from our last periodic audit. Our registrar seems to believe that we are required to schedule audits of our “Quality policy, Planning (including objectives), Analysis of Data “ and any exclusion we have taken to the standard. My belief is that the quality policy and analysis of data are not auditable (is this a word?) processes and as long as they exist and we are doing what we say we do we are covered. During our audits we ask what are quality policy is and the 4 items in Analysis of Data section 8.4 is reviewed during the management team meetings are the planning requirements of section 5.4. As far as the “audit” of exclusions is concerned, I believe this is a ludicrous idea. How are we going to audit something that does not exist?

So tell me am I way out in left field here? Any ideas on how I should handle this situation?

Thanks,
Bob
 
Elsmar Forum Sponsor

Randy

Super Moderator
#2
You're way out in left field....everything in and about your QMS is auditable.

The very 1st thing to audit is the policy itself. The policy is the key document of the whole system. Everything an organization does is done to fulfill the committments made in the policy. The policy is essentually a "theory" that the organization brings into "reality"...all the system gibberish is the evidence of that equation.

As for exclusions, you can only claim them in clause 7 and then you have to support your reasoning and state so in your manual.

trust me when I say you'll be getting more feed back ;)
 
E

e006823

#3
Randy said:
You're way out in left field....everything in and about your QMS is auditable.

The very 1st thing to audit is the policy itself. The policy is the key document of the whole system. Everything an organization does is done to fulfill the committments made in the policy. The policy is essentually a "theory" that the organization brings into "reality"...all the system gibberish is the evidence of that equation.

As for exclusions, you can only claim them in clause 7 and then you have to support your reasoning and state so in your manual.

trust me when I say you'll be getting more feed back ;)

Randy,

I understand everything in our manual is auditable. What I don't understand is how I can perform an internal audit of the exclusions, which are supported in our manual. What the auditor seems to want is for us to actually schedule an audit of our exclusions, quality policy etc. on a periodic basis. This is the 6th time our registrar has audited our current system, never before was this a problem.

An audit of our exclusions serves what purpose? Nothing has changed since our initial certification. If our business needs determine that we no longer need to exclude a portion of the standard we will then document our new process.

I guess my real issue is that I don't believe that the standard requires us to schedule a separate audit for our quality policy, data analysis and exclusions since we address these requirements as a part of other QMS process audits or in the case of the exclusions when we developed our QMS. To me as throw back to the times of auditing by element.

Any suggestions on how to handle this or a compelling argument for me to actually schedule an audit of my exclusions etc..

Bob
 
Last edited by a moderator:

Al Rosen

Holed-up in a Hotel in South Florida
Staff member
Super Moderator
#4
e006823 said:
Randy,

I understand everything in our manual is auditable. What I don't understand is how I can peform an internal audit of the exclusions, which are supported in our manual. What the auditor seems to want is for us to actually schedule an audit of our exclusions, quality policy etc. on a periodic basis. This is the 6th time our registrar has audited our current system, never before was this a problem. Any suggestions

Bob
That's interesting. Maybe if you say you don't do something, verify that it is not being done. What exclusions do you take? Maybe with specifics, we can come up with some ideas.
 

Randy

Super Moderator
#5
You have just audited your exclusions based upon the evidence presented here. "Nothing has changed".

Basically just be able to show that there has been no change in the exclusions you claim. Have a review (or conduct a review) of your processes performed that specifically looks for evidence that the exclusions are still valid.

On a regular basis...ie annual or so, review the policy and see if it is still valid. Are you meeting it's intent? Can you provide the necessary evidence that the policy is being fulfilled? Nothing says that this can't be part of the management review process (we'll probably get some comments on this one :rolleyes: )
 

RoxaneB

Super Moderator
Super Moderator
#6
e006823 said:
I understand everything in our manual is auditable. What I don't understand is how I can perform an internal audit of the exclusions, which are supported in our manual. What the auditor seems to want is for us to actually schedule an audit of our exclusions, quality policy etc. on a periodic basis.
As Al pointed out, verify that it's not being done. When our Quality Manual is audited during our Internal Audit, my Management Committee is questioned about the exclusions. They are asked to demonstrate that they understand what the exclustions pertain to and why the exclusions are exclusions.

The Quality Policy is audited via several methods:

  • Do people understand the Quality Policy?
  • Are people able to demonstrate how their job impacts our ability to meet Customer requirements?
  • Is it suitable to us?
  • How is it reviewed? Frequency? Evidence of review?
  • Methods of communication?
  • Etc.

e006823 said:
This is the 6th time our registrar has audited our current system, never before was this a problem.
Without knowing your organization or your previous external audit results, and no insult is intended here, perhaps your auditor had bigger fish to fry? Just because it wasn't a finding before, doesn't mean it wasn't noticed...but perhaps the auditor had other issues s/he wished to focus on?

Just because my organization has yet to receive a finding on Internal Audits, that does not mean my IA process is perfect. But we've had, for example, some rough spots in our Purchasing area and this has been the focus of our Auditor and will be until we can show that have a pretty good handle on the whole concept of buying stuff.

e006823 said:
An audit of our exclusions serves what purpose? Nothing has changed since our initial certification. If our business needs determine that we no longer need to exclude a portion of the standard we will then document our new process.
Really? How? How will you show that you have considered the the application of the exclusions? How will you show that changes to the business needs have impacted (or not impacted) the exclusions? The verification of the exclusions and the verification that you have considered the exclusions demonstrates that your organization has validated your existing Management System.

4.1 General requirements "...identify the processes needed for the quality management system and their application throughout the organization (see 1.2)..."

which leads us to

4.2.2 Quality manual "....including details of and jusrication for any exclusions (see 1.2), ..."

which leads us to

5.6.1 General (management review) "...to ensure its continuing sutiability, adequacy and effectiveness......and the need for changes to the quality management system..."

which leads us to

5.6.2 Review input "...changes that could affect the quality management system..."

which leads us to

5.6.3 Review output "...improvement of the effectiveness of the quality management system..."

which leads us to

8.2.2 Internal audit "...conforms...to the quality management system requirements established by the organization...is effectively implemented and maintained."

Sooo.....Bob, prove to the us, prove to the auditors, but most importantly, prove to yourself, that you have validated your exclusions. No organization remains stagnant if it wishes to compete in today's economy. Business needs, business processes...businesses in general....are constantly changing and adapting. Demonstrate that you are acknowledging this and show that your exclusions still hold true. :)

e006823 said:
I guess my real issue is that I don't believe that the standard requires us to schedule a separate audit for our quality policy, data analysis and exclusions since we address these requirements as a part of other QMS process audits or in the case of the exclusions when we developed our QMS. To me as throw back to the times of auditing by element.
Is the auditor saying that you are not demonstrating that you are auditing 4.1 (a), 4.2.2 (a), 5.3 and 8.4 or that you are not demonstrating that you have the processes in place (which is done via audits)? Simply put, I do not schedule an audit for 8.4. You will not see that in my audit schedule...EVER. What you will see, however, when I audit say, a production process, 8.4 is scheduled to be audited then. Why? Because Production analyzes data. You'll see 5.3 on the production process audit, too. Why? Because Production personnel need to understand the Quality Policy and how their job impacts our ability to meet Customer requirements.

And a successful audit of 4.2 - 8.5.3 means that 4.1 is met and has been audited...it's like the executive summary clause.

What I have is matrix that shows all the clauses and sub-clauses along one axis and all of our processes along the other. I show if there is a (D)irect, (S)support, or (N)o relationship between the process and the (sub)clause. So, when I audit a process, all of the direct links are audited and a sample of the support links....for "kicks", I occasionally through in a No link clause. This helps to see if my Internal Auditors are paying attention and verifies that No link remains.

e006823 said:
Any suggestions on how to handle this or a compelling argument for me to actually schedule an audit of my exclusions etc..
It's your system, Bob. It works for your organization...not your auditor. Let me ask you these questions though...perhaps your "compelling argument" lies within your own answers:

  • How do you know that the exclusions hold true?
  • If you know, what is the objection to providing the evidence demonstrating your knowledge?
  • How do you audit your Quality Manual?
  • How do you audit the justifications for exclusions? Just as we do not accept a response of "Yes, I schedule Internal Audits" as proof that audits are schedule, why should an auditor accept a statment of exclusion at face value?
 
Last edited:

RoxaneB

Super Moderator
Super Moderator
#7
Randy said:
Nothing says that this can't be part of the management review process (we'll probably get some comments on this one :rolleyes: )
Comment!!!! Oooh! Oooh! Comment!!! :D

.....I agree with you, Randy.

You're right...who says it can't be done then? Who says it can't be done during an internal audit? Who says it can't be done during beer and wing nite at the local pool hall where management routinely gets together to talk about us? What we need is simply evidence that the exclusions were validated...and...ooooooh....management review has RECORDS! Hmmmm.....records = objective evidence = Bob's external auditor no longer having an issue! :D
 
E

e006823

#9
First off I’d like to thank everyone for the help.

RCBeyette said:
It's your system, Bob. It works for your organization...not your auditor. Let me ask you these questions those...perhaps your "compelling argument" lies within your own answers:

  • How do you know that the exclusions hold true?
  • If you know, what is the objection to providing the evidence demonstrating your knowledge?
  • How do you audit your Quality Manual?
  • How do you audit the justifications for exclusions? Just as we do not accept a response of "Yes, I schedule Internal Audits" as proof that audits are schedule, why should an auditor accept a statment of exclusion at face value?

We are a wafer fab, what is excluded in our QMS is design and development section 7.3. Our customers provide all of our designs. We may develop a process from that design and we do address our process development process.

Our quality manual is audited by ensuring: 1) all requirements from ISO9001 or other standard have been addressed. 2) That we have then implemented the requirements in a lower level procedure/process. 3) The relevant sections of the Quality manual along with all other requirements are referenced in our audit report

I have no objection to providing any evidence, in this particular instance this finding was never discussed with me, I found out about it after it was written. As part of an Audit we routinely address the quality policy with during interviews. All of our people have a good grasp of the policy, what it means to them and the role their function plays within the system.


RCBeyette said:
Is the auditor saying that you are not demonstrating that you are auditing 4.1 (a), 4.2.2 (a), 5.3 and 8.4 or that you are not demonstrating that you have the processes in place (which is done via audits)? Simply put, I do not schedule an audit for 8.4. You will not see that in my audit schedule...EVER. What you will see, however, when I audit say, a production process, 8.4 is scheduled to be audited then. Why? Because Production analyzes data. You'll see 5.3 on the production process audit, too. Why? Because Production personnel need to understand the Quality Policy and how their job impacts our ability to meet Customer requirements.

[/list]

This is basically how we schedule perform our audits. Our auditor is looking for a schedule that lists 8.4 etc. as separate audits, to me this is not value added.

I like the idea of a matrix as a tool/aid (Thanks Roxane).


Randy said:
This may be a case of the auditor making his own stuff up,…:
This was my initial reaction to the finding.

Thank,
Bob
 
G

Greg B

#10
Randy said:
On a regular basis...ie annual or so, review the policy and see if it is still valid. Are you meeting it's intent? Can you provide the necessary evidence that the policy is being fulfilled? Nothing says that this can't be part of the management review process (we'll probably get some comments on this one :rolleyes: )
:agree1: I agree with Randy. We do not audit the Policy or even the manual (per se) we Review them both thru the Management Review Procedure. 'Management' review both documents and make recommendations for change. I like to think that a Review and an Audit are fairly interchangeable. Although, a Review may be conducted by people directly related to the procedure and an Audit is conducted by people NOT directly related to the procedure. Our Policy and Manual are AUDITED by our registrar. As Randy stated we prove to the auditor that we meet the INTENT by the MR.
PS. I also agree with everything Roxane said but if I went thru it point by point I may be here all day. :lmao: Very good answer.

Greg B
 
Thread starter Similar threads Forum Replies Date
N Permissible Exclusions for QM ISO9001:2008 Audit and Consultancy Services Company ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
Q Internal audit plan template Internal Auditing 2
G Self Assessment Audit from a new potential customer General Auditing Discussions 3
L Internal audit during COVID-19 restrictions ISO 13485:2016 - Medical Device Quality Management Systems 5
M OEM asking for NC report after certification audit. IATF 16949 - Automotive Quality Systems Standard 3
Ooi Yew Jin Customer E audit preparation Quality Manager and Management Related Issues 2
N Audit non-compliance API Q1 - Use of External Documents 4.4.4 in Product Realization Oil and Gas Industry Standards and Regulations 4
J Remote Audit Experiences - June 2020 General Auditing Discussions 17
F Product audit sampling plans IATF 16949 - Automotive Quality Systems Standard 3
O ISO13485 implementation - Are internal audits expected before stage 1 audit? Design and Development of Products and Processes 3
M Supplier Audit Report - Template for second party audit wanted Lean in Manufacturing and Service Industries 1
Stefan Mundt AS9100D Major nonconformity due to recurrence of a NC during a subsequent CB audit. AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 1
B Using Unreleased Documents & Process Maps for Internal Audit purposes ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 12
Q ISO 9001:2015 man days for surveillance audit ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
F ISO 13485 - EU countries that could request another audit ISO 13485:2016 - Medical Device Quality Management Systems 2
H Layered audit updates after COVID-19 shutdowns Process Audits and Layered Process Audits 0
L How to deal with an ISO 13485 Supplier Audit nonconformance ISO 13485:2016 - Medical Device Quality Management Systems 17
M Description of the requirements of clause 9.2.2.3 manufacturing process audit- needs your feedback IATF 16949 - Automotive Quality Systems Standard 0
Armen Conflict of Interest if I audit the QC department? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 16
V Generic IATF 16949 Audit Checklist wanted IATF 16949 - Automotive Quality Systems Standard 3
A NB (Notified Body) Audit of Standards ISO 13485:2016 - Medical Device Quality Management Systems 3
N Audit non-compliance - API Spec Q1 9th Ed 5.6.1.2 b Oil and Gas Industry Standards and Regulations 10
M Any way to execute VDA 6.3 audit remotely? VDA Standards - Germany's Automotive Standards 2
D Audit for ISO and AS 91XX and mitigating exposure to COVID-19 AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 14
D Postpone IATF 16949 audit due to COVID-19 IATF 16949 - Automotive Quality Systems Standard 33
JoCam Certified Body Audit of MDR requirements EU Medical Device Regulations 4
D Do non-IATF customers need to be included in audit scope? IATF 16949 - Automotive Quality Systems Standard 23
Ajit Basrur Track audit findings on Excel tracker Excel .xls Spreadsheet Templates and Tools 9
N Small Company - Internal audit process - Who does the audit? Internal Auditing 16
J Does anyone have an excel IATF 16949 Internal Audit checklist I could use? IATF 16949 - Automotive Quality Systems Standard 7
Watchcat Anyone had an MDR technical file review/audit yet? EU Medical Device Regulations 13
G Addressing Non-Conformances from an Internal Audit that are not product related ISO 13485:2016 - Medical Device Quality Management Systems 11
M Has anyone has been through an MDR audit? (3/2020) EU Medical Device Regulations 1
J Audit Finding For Not Retaining Test Results ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
T ISO 27001 sample audit report IEC 27001 - Information Security Management Systems (ISMS) 0
D API Spec Q1 9th Edition # Re-audit - Disputing with API AARs Oil and Gas Industry Standards and Regulations 2
Ajit Basrur Withdrawal of Audit Report Supplier Quality Assurance and other Supplier Issues 3
M Definition Open Audit - What does an Open Audit mean? Definitions, Acronyms, Abbreviations and Interpretations Listed Alphabetically 3
I What kind of wine best complements the Friday that you close out your external audit findings? Opinions are welcome. Coffee Break and Water Cooler Discussions 12
A IAF MD 5 - Audit Days calculator General Auditing Discussions 2
Jacquie Collins Stage 2 Audit ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
A FDA and NB audit of Engineering Drawings in DHF and DMR. Medical Device and FDA Regulations and Standards News 1
K Counterfeit parts prevention - Audit Nonconformance - AS9100 8.2.2 AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 25
classical_quality AS9100 Surveillance Audit - advice on drafting strong responses AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 11
V Iso13485 certification vs CE technical audit ISO 13485:2016 - Medical Device Quality Management Systems 3
M MSDS process audit - Can any one give idea for checklist of the same Occupational Health & Safety Management Standards 14
shimonv Rigid rules for handling supplier audit findings ISO 13485:2016 - Medical Device Quality Management Systems 11
S Internal audit discrepancy - We missed a few audits that were scheduled Internal Auditing 12
W Non-Conformance from recent Audit carried out on Purchasing AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 11
G Best Practices for IT auditing - Is a session-id necessary for a complete audit trail? IEC 27001 - Information Security Management Systems (ISMS) 0
Similar threads


















































Top Bottom