Audit of Exclusions et.al. - Quality Policy, Planning (including objectives), Etc.

[e006823]

“ISO Std. 8.2.2requires “the organization to conduct internal audits at planned intervals to determine whether the QMS conforms to planned arrangements to the requirements of this international standard and to the QMS”. The Audit plan/schedule are set up to audit the QMP’s and the Quality Manual. Although the manual audit may pick up the areas not covered by the QMP, the results are more likely to be a desk audit. Items such as Quality policy, Planning (including objectives), Analysis of Data, etc. are to be included in the audit schedule and audited. “

The above is finding we received from our last periodic audit. Our registrar seems to believe that we are required to schedule audits of our “Quality policy, Planning (including objectives), Analysis of Data “ and any exclusion we have taken to the standard. My belief is that the quality policy and analysis of data are not auditable (is this a word?) processes and as long as they exist and we are doing what we say we do we are covered. During our audits we ask what are quality policy is and the 4 items in Analysis of Data section 8.4 is reviewed during the management team meetings are the planning requirements of section 5.4. As far as the “audit” of exclusions is concerned, I believe this is a ludicrous idea. How are we going to audit something that does not exist?

So tell me am I way out in left field here? Any ideas on how I should handle this situation?

Thanks,
Bob

 

[Randy]

You're way out in left field....everything in and about your QMS is auditable.

The very 1st thing to audit is the policy itself. The policy is the key document of the whole system. Everything an organization does is done to fulfill the committments made in the policy. The policy is essentually a "theory" that the organization brings into "reality"...all the system gibberish is the evidence of that equation.

As for exclusions, you can only claim them in clause 7 and then you have to support your reasoning and state so in your manual.

trust me when I say you'll be getting more feed back

 

[e006823]

You're way out in left field....everything in and about your QMS is auditable.

The very 1st thing to audit is the policy itself. The policy is the key document of the whole system. Everything an organization does is done to fulfill the committments made in the policy. The policy is essentually a "theory" that the organization brings into "reality"...all the system gibberish is the evidence of that equation.

As for exclusions, you can only claim them in clause 7 and then you have to support your reasoning and state so in your manual.

trust me when I say you'll be getting more feed back

Randy,

I understand everything in our manual is auditable. What I don't understand is how I can perform an internal audit of the exclusions, which are supported in our manual. What the auditor seems to want is for us to actually schedule an audit of our exclusions, quality policy etc. on a periodic basis. This is the 6th time our registrar has audited our current system, never before was this a problem.

An audit of our exclusions serves what purpose? Nothing has changed since our initial certification. If our business needs determine that we no longer need to exclude a portion of the standard we will then document our new process.

I guess my real issue is that I don't believe that the standard requires us to schedule a separate audit for our quality policy, data analysis and exclusions since we address these requirements as a part of other QMS process audits or in the case of the exclusions when we developed our QMS. To me as throw back to the times of auditing by element.

Any suggestions on how to handle this or a compelling argument for me to actually schedule an audit of my exclusions etc..

Bob

 

[Al Rosen]

Randy,

I understand everything in our manual is auditable. What I don't understand is how I can peform an internal audit of the exclusions, which are supported in our manual. What the auditor seems to want is for us to actually schedule an audit of our exclusions, quality policy etc. on a periodic basis. This is the 6th time our registrar has audited our current system, never before was this a problem. Any suggestions

Bob

That's interesting. Maybe if you say you don't do something, verify that it is not being done. What exclusions do you take? Maybe with specifics, we can come up with some ideas.

 

[Randy]

You have just audited your exclusions based upon the evidence presented here. "Nothing has changed".

Basically just be able to show that there has been no change in the exclusions you claim. Have a review (or conduct a review) of your processes performed that specifically looks for evidence that the exclusions are still valid.

On a regular basis...ie annual or so, review the policy and see if it is still valid. Are you meeting it's intent? Can you provide the necessary evidence that the policy is being fulfilled? Nothing says that this can't be part of the management review process (we'll probably get some comments on this one )

 

[RoxaneB]

I understand everything in our manual is auditable. What I don't understand is how I can perform an internal audit of the exclusions, which are supported in our manual. What the auditor seems to want is for us to actually schedule an audit of our exclusions, quality policy etc. on a periodic basis.

As Al pointed out, verify that it's not being done. When our Quality Manual is audited during our Internal Audit, my Management Committee is questioned about the exclusions. They are asked to demonstrate that they understand what the exclustions pertain to and why the exclusions are exclusions.

The Quality Policy is audited via several methods:

• Do people understand the Quality Policy?
• Are people able to demonstrate how their job impacts our ability to meet Customer requirements?
• Is it suitable to us?
• How is it reviewed? Frequency? Evidence of review?
• Methods of communication?
• Etc.

This is the 6th time our registrar has audited our current system, never before was this a problem.

Without knowing your organization or your previous external audit results, and no insult is intended here, perhaps your auditor had bigger fish to fry? Just because it wasn't a finding before, doesn't mean it wasn't noticed...but perhaps the auditor had other issues s/he wished to focus on?

Just because my organization has yet to receive a finding on Internal Audits, that does not mean my IA process is perfect. But we've had, for example, some rough spots in our Purchasing area and this has been the focus of our Auditor and will be until we can show that have a pretty good handle on the whole concept of buying stuff.

An audit of our exclusions serves what purpose? Nothing has changed since our initial certification. If our business needs determine that we no longer need to exclude a portion of the standard we will then document our new process.

Really? How? How will you show that you have considered the the application of the exclusions? How will you show that changes to the business needs have impacted (or not impacted) the exclusions? The verification of the exclusions and the verification that you have considered the exclusions demonstrates that your organization has validated your existing Management System.

4.1 General requirements "...identify the processes needed for the quality management system and their application throughout the organization (see 1.2)..."

which leads us to

4.2.2 Quality manual "....including details of and jusrication for any exclusions (see 1.2), ..."

which leads us to

5.6.1 General (management review) "...to ensure its continuing sutiability, adequacy and effectiveness......and the need for changes to the quality management system..."

which leads us to

5.6.2 Review input "...changes that could affect the quality management system..."

which leads us to

5.6.3 Review output "...improvement of the effectiveness of the quality management system..."

which leads us to

8.2.2 Internal audit "...conforms...to the quality management system requirements established by the organization...is effectively implemented and maintained."

Sooo.....Bob, prove to the us, prove to the auditors, but most importantly, prove to yourself, that you have validated your exclusions. No organization remains stagnant if it wishes to compete in today's economy. Business needs, business processes...businesses in general....are constantly changing and adapting. Demonstrate that you are acknowledging this and show that your exclusions still hold true.

I guess my real issue is that I don't believe that the standard requires us to schedule a separate audit for our quality policy, data analysis and exclusions since we address these requirements as a part of other QMS process audits or in the case of the exclusions when we developed our QMS. To me as throw back to the times of auditing by element.

Is the auditor saying that you are not demonstrating that you are auditing 4.1 (a), 4.2.2 (a), 5.3 and 8.4 or that you are not demonstrating that you have the processes in place (which is done via audits)? Simply put, I do not schedule an audit for 8.4. You will not see that in my audit schedule...EVER. What you will see, however, when I audit say, a production process, 8.4 is scheduled to be audited then. Why? Because Production analyzes data. You'll see 5.3 on the production process audit, too. Why? Because Production personnel need to understand the Quality Policy and how their job impacts our ability to meet Customer requirements.

And a successful audit of 4.2 - 8.5.3 means that 4.1 is met and has been audited...it's like the executive summary clause.

What I have is matrix that shows all the clauses and sub-clauses along one axis and all of our processes along the other. I show if there is a (D)irect, (S)support, or (N)o relationship between the process and the (sub)clause. So, when I audit a process, all of the direct links are audited and a sample of the support links....for "kicks", I occasionally through in a No link clause. This helps to see if my Internal Auditors are paying attention and verifies that No link remains.

Any suggestions on how to handle this or a compelling argument for me to actually schedule an audit of my exclusions etc..

It's your system, Bob. It works for your organization...not your auditor. Let me ask you these questions though...perhaps your "compelling argument" lies within your own answers:

• How do you know that the exclusions hold true?
• If you know, what is the objection to providing the evidence demonstrating your knowledge?
• How do you audit your Quality Manual?
• How do you audit the justifications for exclusions? Just as we do not accept a response of "Yes, I schedule Internal Audits" as proof that audits are schedule, why should an auditor accept a statment of exclusion at face value?

 

[RoxaneB]

Nothing says that this can't be part of the management review process (we'll probably get some comments on this one )

Comment!!!! Oooh! Oooh! Comment!!!

.....I agree with you, Randy.

You're right...who says it can't be done then? Who says it can't be done during an internal audit? Who says it can't be done during beer and wing nite at the local pool hall where management routinely gets together to talk about us? What we need is simply evidence that the exclusions were validated...and...ooooooh....management review has RECORDS! Hmmmm.....records = objective evidence = Bob's external auditor no longer having an issue!

 

[Randy]

This may be a case of the auditor making his own stuff up, or.....smokin' some bad "home grown" :mg:

 

[e006823]

First off I’d like to thank everyone for the help.

It's your system, Bob. It works for your organization...not your auditor. Let me ask you these questions those...perhaps your "compelling argument" lies within your own answers:

• How do you know that the exclusions hold true?
• If you know, what is the objection to providing the evidence demonstrating your knowledge?
• How do you audit your Quality Manual?
• How do you audit the justifications for exclusions? Just as we do not accept a response of "Yes, I schedule Internal Audits" as proof that audits are schedule, why should an auditor accept a statment of exclusion at face value?

We are a wafer fab, what is excluded in our QMS is design and development section 7.3. Our customers provide all of our designs. We may develop a process from that design and we do address our process development process.

Our quality manual is audited by ensuring: 1) all requirements from ISO9001 or other standard have been addressed. 2) That we have then implemented the requirements in a lower level procedure/process. 3) The relevant sections of the Quality manual along with all other requirements are referenced in our audit report

I have no objection to providing any evidence, in this particular instance this finding was never discussed with me, I found out about it after it was written. As part of an Audit we routinely address the quality policy with during interviews. All of our people have a good grasp of the policy, what it means to them and the role their function plays within the system.

Is the auditor saying that you are not demonstrating that you are auditing 4.1 (a), 4.2.2 (a), 5.3 and 8.4 or that you are not demonstrating that you have the processes in place (which is done via audits)? Simply put, I do not schedule an audit for 8.4. You will not see that in my audit schedule...EVER. What you will see, however, when I audit say, a production process, 8.4 is scheduled to be audited then. Why? Because Production analyzes data. You'll see 5.3 on the production process audit, too. Why? Because Production personnel need to understand the Quality Policy and how their job impacts our ability to meet Customer requirements.

[/list]

This is basically how we schedule perform our audits. Our auditor is looking for a schedule that lists 8.4 etc. as separate audits, to me this is not value added.

I like the idea of a matrix as a tool/aid (Thanks Roxane).

This may be a case of the auditor making his own stuff up,…:

This was my initial reaction to the finding.

Thank,
Bob

 

[Greg B]

On a regular basis...ie annual or so, review the policy and see if it is still valid. Are you meeting it's intent? Can you provide the necessary evidence that the policy is being fulfilled? Nothing says that this can't be part of the management review process (we'll probably get some comments on this one )

I agree with Randy. We do not audit the Policy or even the manual (per se) we Review them both thru the Management Review Procedure. 'Management' review both documents and make recommendations for change. I like to think that a Review and an Audit are fairly interchangeable. Although, a Review may be conducted by people directly related to the procedure and an Audit is conducted by people NOT directly related to the procedure. Our Policy and Manual are AUDITED by our registrar. As Randy stated we prove to the auditor that we meet the INTENT by the MR.
PS. I also agree with everything Roxane said but if I went thru it point by point I may be here all day. Very good answer.

Greg B