I have a question about auditing (ISO and QS9000) that I so far haven't been able to get a good answer to, so I'm hoping one of you'se folks in the auditing field can help me out.
Why is it that a small company (we have a total of 18 people, including management) needs to perform its own internal quality system audit, when we've already hired a registrar to come in and do the same thing?
Since registering to ISO & QS9000 is an internal business decision, with the audit hired, paid for, and reported to top management, it seems to me that the registrar's work already qualifies as an internal audit. Why do it again? More work for auditors?
One main consideration is that personnel within an organisation are more likely to divulge information to internal auditors rather than external ones. The employees are more open and understand that this information is used to help the company meet its quality policy or objectives (they're supposed to anyway)... in other words - they don't hide stuff!
Simply put: an internal audit (first party audit) is not the same as a third party audit (an external audit performed by a Registrar).
Every Audit is comprised of three players. Sometimes a player plays two roles.
An Auditor may be either Internal (a member of the organization) or External (not part of the immediate organization, generally a second or third party organization).
The Auditee is the person who is the recipient of the audit. The Auditee may also be the Client.
The Client is the requester of the audit. The client may request the audit to be performed on themselves, and thus become both the Auditee and Client.
In some companies, the Internal Quality Auditing is sometimes sourced to a consultant, who on behalf of the organization, checks the System. There is debate on whether this is in keeping with the intent of the standard, but I have asked several auditors for a few Registrars and so far, none have found this to be an issue. To decide for yourself, please review past threads in this forum which address this at greater length (much greater!).
Trying to use your Third Party Audit as a First Party Audit is in conflict. The standard is looking for those intimate with the business details to independently and objectively review the Quality Program and System. Third Party folks understand the standard very well. But they couldn't possibly understand your System as well as those working in it (hopefully this is the case).
Thanks to you both for taking the time and trouble to try to explain all this to me. I don't know, though, whether middle-age has wrapped its flatulent grip around my brainstem, or if I learned just enough business law in college to be dangerous, but I'm still not seeing what the problem is with letting the registrar's audit serve as the basic ISO9000 Internal Audit.
The semantics of quality may be part of my problem, for in business law, the question of whether a function is "Internal" or "External" is easily answered: Who signed the check? If we, the supplier, requested the audit, hired the auditor, paid the auditor's invoice, and received the auditor's report, then the audit was "internal", no matter whether the legwork was done by first-party, second-party, or third-party auditors. Likewise, if a customer or other outside entity requests the audit, pays for the auditor's services (either using their own staff, our people, or a consulting service), and receives the final report, the audit is "external".
If you flip open your ISO or QS9000 manual to Element 4.17, you'll find this section on Internal Quality Audits to be quite short and sweet, with no mention of "first-party", "third-party", or any other party. And if you open your "ISO Standards Compendium" to ISO 10011-1, Section 4.1, you'll see where it says that "Audits are normally designed for ONE OR MORE of the following purposes:", followed by a list of audit types which includes conformity of the system with specified requirements, AND to permit the listing of the organization's quality system in a register. And to top it off, Note 13 states that "Quality audits should not lead to an increase in the scope of quality functions over and above those necessary to meet quality objectives." This all says to me that it's permissible, even encouraged, to have the registering auditor's system audit serve for the internal audit as well.
Your logic or as you infer, lawyerism, makes sense to me, however, the group that you have to convince is your registration body. Without their buy-in you will be required to perform internal audits IAW 4.17. (QS9000)
1) External audits by Registration folks basically are a broad-based view giving us confidence that our procedures
A) are actually implemented, authorized, controlled, etc.
B) match/satisfy the requirement needs of written standards?
2) Internal based audits "now that we know" the procedures are handled properly and satisfy the standards. As a "CLOSER LOOK" give us confidence that
A) Yes we are doing/matching all tasks we said we would.
B) What we have decided to do (in all detailed documents) is in fact working (i.e., effective) for our needs.
The suggestion of the audit type is in the title of the element.
An annual or semi-annual third party audit is probably not enough to ensure continued suitability of the Quality Program or compliance to it by the organization. As such, it is necessary to schedule internal Quality Audits to help ensure a healthy, functioning Quality System. It is but one of the many Check tools.
Are there any genuine card-carrying ISO- or QS-9000 auditors out there who can explain why the auditors I've suggested this to find the idea so ridiculous? It always seemed like it made good sense to use the registrar's audit as the cornerstone of the Internal Audit program, as though that's what the authors of 4.17 had in mind from the start. (Then a company would only have to do their own if they wanted to be fully compliant, but weren't seeking registration through a registrar.) Top it off with some focused audits of functions unique to the company, and you've got it done without waste or redundancy.
Originally posted by W. Kindel: If we, the supplier, requested the audit, hired the auditor, paid the auditor's invoice, and received the auditor's report, then the audit was "internal", no matter whether the legwork was done by first-party, second-party, or third-party auditors. Likewise, if a customer or other outside entity requests the audit, pays for the auditor's services (either using their own staff, our people, or a consulting service), and receives the final report, the audit is "external".
I think you've got a small problem in this thinking due to who gets the "final report" in the registrar's audit.
You do not.
You get a copy of the report of what is found in the audit, but the original will remain with the registrar. What you're paying for is not an audit, but a shot at registration/continuing registration.
You get the same thing with regulatory bodies such as UL. They'll send folks in to see if rules are being followed. You're not paying for an audit, but they are auditing.
I know that the consultant as internal auditor/Management Representative has been covered in other posts in this forum, and the consensus seems to be that it's okay if the consultant is considered a "temporary employee".
I don't think any registrar out there is going to consent to its auditors being considered your "temporary employees".