Auditing Information Technology (IT) in the ISO 9001 workplace


JaneB

#11
Auditing IT in the workplace.

Is this a practice commonly used in an ISO 9001 environment?

I'm finding it difficult to audit IT as a horizontal, as this department doesn't really fit within the ISO standard.

Does anyone else include auditing IT systems in their internal audits?
Yes to the last question.

As for how... audit processes, don't audit by area/department. Identify how and where 'IT' appears in your processes and audit those parts. Andy gives an excellent example of why this is important.

Another example: audit of a service consulting company followed an audit trail to IT who was responsible for backups of the whole company's data. Including a unique database, which they had a multimillion dollar contract with a seriously large client to build, operate and maintain. The audit was about a core business process, but went across to IT in the course of that process. And found that... oops, they hadn't been backing up that database (which changed daily) for oh, about 6 weeks after a new piece of data had been installed, and no one had noticed. The commercial implications? Horrendous (MD is reported to have turned white when it was reported to him).

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#12
Re: Auditing Information Technology in the ISO 9001 workplace

The requirements of §4.2.4 are broad, and therefore I think that they can indeed be met by Google docs or another cloud solution. The clause reads:

Records established to provide evidence of conformity to requirements and of the effective operation of the quality management system shall be controlled.
The organization shall establish a documented procedure to define the controls needed for the identification, storage, protection, retrieval, retention and disposition of records.
Records shall remain legible, readily identifiable and retrievable.
The key is "...a documented procedure to define the controls needed...". The organization defines which are the controls needed. If the software is proving useful to its users, then it is very likely that it is already meeting most of the controls needed, possibly except the retention and disposition (people tend not to think of these when the records are in process). These needed controls need only be documented.

If retention and disposition are not being met, one way of meeting them might be to classify the records into two categories: active and inactive. Upon closeout of a contract/project, its records become inactive. At this time they are printed or exported to disk, deleted from gDocs, and filed locally for the required inactive period along with other records for the contract/project.

There is a risk of loss of data by Google during the active period. The standard allows you to define whether that risk is acceptable or not. For some critical records, it might not be, and then you may need some backup plan (say, exporting even when the record is active). But I suspect for most records such risk is indeed ok.

Pancho
Agree, Pancho.

I have read a lot of sob stories about people whose Google Doc data disappeared and their travails trying to get it back. But the Google Doc offers so much interactive productivity and efficiency potential that I've been careful to clarify that my objection isn't about my personal opinion of Google Doc. It's about the lack of a plan to:
  • Provide accessibility to those who need it
  • Ensure read-only controls are in place and access is limited when appropriate (training and instructions)
  • Contact and retrieve data from last week if it got deleted by mistake this morning
  • Evaluate Google's "protections," perhaps not very differently than with another critical supplier through the Purchasing process.
In other words, don't just migrate to a new data management system, dust off your hands and congratulate yourself on all the money you saved by eliminating in-house software and processes. Make and execute a plan that would meet the needs of the organization and stakeholders, and evaluate the system's effectiveness. Then document the controls as required by 4.2.4.
Jim Wynne

Staff member
Admin
#13
Auditing IT in the workplace.

Is this a practice commonly used in an ISO 9001 environment?

I'm finding it difficult to audit IT as a horizontal, as this department doesn't really fit within the ISO standard.

Does anyone else include auditing IT systems in their internal audits?
How do IT processes interact with other processes in the system? How are those intersections controlled? Simply describing a departmental function as "horizontal" will lead you away from interactions. Before any auditing can be done, the requirements have to be established, and the way to do this is by examining the interactions and determining what's really needed.

abd_sg

#14
Re: Auditing Information Technology in the ISO 9001 workplace

In our case, we do a simulation of server shutdown, then check if data can be easily retrieved. We monitor incoming and outgoing mails and check all restricted incoming mails.
Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#15
Re: Auditing Information Technology in the ISO 9001 workplace

In our case, we do a simulation of server shutdown, then check if data can be easily retrieved. We monitor incoming and outgoing mails and check all restricted incoming mails.
I have considered "exercising" the system when auditing the process: asking for a particular file from the backups that are said to be occurring. I would stop short of asking for a server shutdown simulation. But I would be pleased to hear such a test had been done by the IT guys when the system was installed, and record it in my notes as an example of evaluating process effectiveness.
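The two checks discussed in this thread, the "nobody noticed the database had not been backed up for six weeks" case in post #11 and the "ask for a particular file from the backups that are said to be occurring" test in post #15, can be turned into evidence an auditor can reproduce. The script below is an added example, not code from the thread or from any forum member. It assumes a hypothetical backup tool that writes a JSON catalogue of jobs and their runs; the catalogue, the audit date and the backup artefact are all constructed inline so it runs offline.

```python
"""Backup-evidence checks an auditor can run against a backup catalogue.

Added example; assumes a hypothetical backup tool that emits a JSON catalogue
in the shape shown below. Two checks:
  1. freshness: every job has a successful run within schedule + grace,
     so a job that silently stopped weeks ago is surfaced as a finding;
  2. restore: a backup artefact can be restored and the restored bytes match
     the hash recorded at backup time (a corrupt artefact must fail).
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed catalogue (not real data) in the assumed tool format.
CATALOGUE_JSON = """
{
  "jobs": [
    {"name": "fileserver-home", "schedule_days": 1,
     "runs": [{"finished": "2024-05-13T02:10:00Z", "status": "ok"},
              {"finished": "2024-05-14T02:11:00Z", "status": "ok"}]},
    {"name": "client-db", "schedule_days": 1,
     "runs": [{"finished": "2024-04-01T03:00:00Z", "status": "ok"},
              {"finished": "2024-04-02T03:00:00Z", "status": "failed"}]},
    {"name": "erp-db", "schedule_days": 7,
     "runs": []}
  ]
}
"""

# Constructed audit date; in practice use datetime.now(timezone.utc).
AS_OF = datetime(2024, 5, 14, 9, 0, tzinfo=timezone.utc)


def load_catalogue(text):
    return json.loads(text)["jobs"]


def stale_jobs(jobs, as_of, grace_days=1):
    """Return (name, days_since_last_ok) for jobs whose newest successful run is
    older than schedule_days + grace_days, or (name, None) if none ever succeeded."""
    findings = []
    for job in jobs:
        ok_runs = [datetime.fromisoformat(r["finished"].replace("Z", "+00:00"))
                   for r in job["runs"] if r["status"] == "ok"]
        if not ok_runs:
            findings.append((job["name"], None))
            continue
        age = as_of - max(ok_runs)
        if age > timedelta(days=job["schedule_days"] + grace_days):
            findings.append((job["name"], age.days))
    return findings


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def restore_check(backup_path, recorded_sha256, restore_dir):
    """Simulate the restore an auditor asks for: copy the artefact out to a
    scratch location and compare the restored bytes with the recorded hash."""
    restored = os.path.join(restore_dir, "restored-" + os.path.basename(backup_path))
    with open(backup_path, "rb") as src, open(restored, "wb") as dst:
        dst.write(src.read())
    return sha256_of(restored) == recorded_sha256


def demo_restore():
    """Restore test on a constructed artefact: returns (intact_ok, corrupt_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "client-db-2024-04-01.dump")
        with open(backup, "wb") as f:
            f.write(b"-- constructed dump contents --\n")
        recorded = sha256_of(backup)  # what the catalogue would have stored
        intact_ok = restore_check(backup, recorded, tmp)
        # Truncate the artefact: the check must now fail rather than pass silently.
        with open(backup, "wb") as f:
            f.write(b"-- constructed dump")
        corrupt_ok = restore_check(backup, recorded, tmp)
    return intact_ok, corrupt_ok


if __name__ == "__main__":
    for name, days in stale_jobs(load_catalogue(CATALOGUE_JSON), AS_OF):
        detail = "no successful backup on record" if days is None else f"last good backup {days} days ago"
        print(f"FINDING: {name}: {detail}")
    print("restore check (intact, corrupt):", demo_restore())
```

Run against the constructed catalogue it flags client-db (43 days since the last good run, the same failure mode as the six-week gap in post #11) and erp-db (never backed up), while the restore check passes for the intact artefact and fails for the truncated one. The point of hashing at backup time is that "the file is there" is not the same as "the file is what was backed up"; the auditor's request for a specific file only produces evidence if the restored content is compared against something recorded independently of the restore.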

whitey115

#16
We are a relatively small company and IT is becoming increasingly important to us to maintain our data systems and information systems. The related hardware and software needed to make the IT function as efficient as possible is also a part of this system.
There are four facilities within our organization and each manages their own IT system.
So, in short, we have identified IT as a support process and we do include it in the QMS, in which this process is scheduled for regular internal audits.