Can someone explain why?

W. Kindel

Thanks for the two cents' worth - easily worth more than that, for certain!

The question of what you're specifically buying from a registrar no doubt varies from one registration firm to the next, but in our case, we're buying audit services, sold to us in units of "auditor-days" required to perform the audit. In addition, the registrar is careful to be sure that we understand that the registration certificates haven't been sold to us, but remain the property of the registrar, presumably so that he can legally take them back if we don't keep our quality system together properly.

Since he's selling us audit services, why not let them do "double duty", and serve as the portion of our internal audit program that verifies our continuing conformance to ISO- and QS-9000? We're a small outfit, and try to always get the most "bang for the buck" that we can!

W. Kindel
 
Jim Biz

IMHO - Can't say I totally disagree with your thoughts but how it works here is that our upkeep surveillance audits simply do not cover our "total system". They come in and focus on 4 or 5 elements each visit and do not begin to address the remaining 15-16 elements - which is what I believe to be the normal mode of surveillance auditing.

I'm sure that there might be some registration firms willing to perform "double duty" for you - if you were willing to pay for the "double service" - increase the visit time to a minimum of 6-8 mandays per year - tell them you want them to audit the entire system according to your internal procedures each visit -- and go the "Double cost" + travel/meals/housing/car rental/pencils/paper/postage/long distance phone charges/laundry cleaning/shoe shines etc. etc. :) :) :)

We get the "bigger bang for the buck" - by relying on our own internal folks doing audits without the need for paying XXX.XX per hour for hired in auditors.

Regards
Jim

[This message has been edited by Jim Biz (edited 10 November 2000).]
 
W. Kindel

I appreciate everyone's observations, comments and input on this topic - if nothing else, it makes for some lively Forum chit-chat! What pleases me most, though, is the fact that no one was able to pull up a paragraph from any of the ISO- or QS-9000 official literature which specifically forbids using the registrar's work as part of the internal audit program. And it is, after all, what's contained in the official standard that really counts, not the opinions of auditors, registrars, consultants, etc.

Many thanks for your suggestions and ideas - most appreciated!

W. Kindel
 
John C

W. Kindel,

You asked; ‘Why is it that a company needs to perform its own internal quality system audit, when we've already hired a registrar to come in and do the same thing?’

Well, the fact is, you haven’t hired a registrar to come in and do the same thing. All you have done is asked a registrar to come in and do his own thing, whatever that is. I don’t know the registrar’s plan and objectives and I doubt whether you do. All we know is that, when it is over, he will register or refuse to register, based on his own rules. We have some knowledge of what he won’t do, though;
We expect that the decision will bear some relationship to our compliance with ISO 9001/2 although it will not guarantee full compliance, even at the time of the audit. What we do know, for sure, is that it will not have been run according to our established and maintained documented procedures for planning and implementing internal audit and that, in this, it fails to meet the requirements of ISO 9001/2. Other requirements it normally fails to meet are our need to; identify the responsibilities of persons who will carry out the internal audit; provide the necessary resources including personnel and be responsible to ensure they have adequate training; initiate the audits according to our own audit schedule, etc. We will also have to audit the internal audit function with independent auditors, ie, auditors not from the registrar. Finally, we will have to review the implementation and effectiveness and take corrective action as necessary, through management review, getting commitment from the registrar to put right any failures in his conformance with our procedures and objectives. We will have to record these failures, report them to his management and follow up on corrective action within his process.***

I don’t see any reason, within ISO 9001/2 why you can’t go ahead and do this, given that you get the agreement of your registrar, of course. (this might not be easy and I wouldn’t be surprised if the fee went up by about 1000%, or 10,000% when the registrar saw what you were expecting to do to him)

It’s not looking so good so far, is it? But there’s more, though it's pretty mundane stuff; No doubt there is another set of requirements relating to what registrars can and can not do, which will scupper your plan completely. I’ve never looked at these requirements but I would be very surprised if there isn’t an ‘independence’ clause in the rules handed down to them, just as there is in our clause 4.17, which will say that the people doing the work cannot make the call on whether the work is in compliance, ie; the registrar cannot award registration to his own organisation or to any organisation to which that registrar is answerable. I can’t say for certain that this is the case but if you do want an authoritative answer then you should ask your registrar and see what they say.

Thanks for the question - it's an interesting one. More interesting than at first glance when you think about the implications of the requirements it imposes on contracted auditors (see my *** above) and the can of worms this could open. I never thought about this before and I doubt if many people have. Being a contracted internal auditor myself, I prefer to say no more for the present. Keep the lid on the can.
rgds, John C



[This message has been edited by John C (edited 21 November 2000).]
 
Marilyn

Hello everyone:

I highly recommend reading The Quality Audit Handbook, Second Ed. ASQ Quality Audit Division.

In addition to being a requirement (our third party registrar would not conduct the registration audit until one cycle of internal audits had been completed) here are some of the benefits:

1) Internal audits uncover opportunities for improvement before a third party audit.

2) An audit is an ideal time to identify training needs.

Why not find problems yourself before the third party audit and fix them? Unless you want nonconformances during the audit.

I have been the administrator of the internal audit program where I work for almost 5 years and this is based on past experience.


Internal auditors
 
W. Kindel

Hello again!

While we don't audit our suppliers, we do examine everything they send to us via a documented Incoming Materials Inspection.

And while we don't call our registrar to return for more frequent ISO system audits if a customer has a problem, we do perform a number of additional internal audits of our manufacturing and business functions at intervals chosen by management, and which may be done more frequently if circumstances suggest that would be the wise thing to do.

What I'm questioning is the apparent need for us to go through all twenty chapters of ISO ourselves, only to have our registrar come out and do the same thing again. (And yes, if our registrar spots a nonconformance in the system, he does return to verify that it has been fixed.) While I can appreciate that many good, sound reasons for extra auditing can be put forth, I'm just not seeing the requirement for it anywhere in the standard.

Thanks for your thoughts and opinions!
 
Aaron Lupo

Originally posted by W. Kindel:
Hello, one and all,

I have a question about auditing (ISO and QS9000) that I so far haven't been able to get a good answer to, so I'm hoping one of you'se folks in the auditing field can help me out.

Why is it that a small company (we have a total of 18 people, including management) needs to perform its own internal quality system audit, when we've already hired a registrar to come in and do the same thing?

Since registering to ISO & QS9000 is an internal business decision, with the audit hired, paid for, and reported to top management, it seems to me that the registrar's work already qualifies as an internal audit. Why do it again? More work for auditors?

Many thanks,

W. Kindel

Why do it again? Well, let's see, if you are having your registrar come back more frequently when you have nonconformances or complaints occur, then I would say you are safe (unless of course your company receives no complaints and there are never any non-conformances). Internal audits from my understanding are "to be scheduled on the basis of status and importance", so as non-conformances or complaints from customers increase, I would have to say your internal audits of that area should increase also. Sounds logical to me.

Let me ask you a question: do you audit your suppliers?
 
awk

Here is a test. Do not complete an internal audit. Have the registrar of your choice come in and complete their audit. Even at the doc audit they will ask whether an audit and a management review have been conducted. If you answer no this is a major nonconformance. At this point it is merely on paper. This is stipulated in their guidelines that they answer to.

If by the time you get to your final audit, either the auditors will call off the audit or they will complete it and you still receive a major. Part of their criteria is that they audit your results and objective evidence.

If you cannot provide this evidence you're through. This isn't very cost effective for any company, since the registrars will not provide a refund.

awk
 
W. Kindel

Yes, you are quite correct - if I do as you describe, I will most certainly get written up for a Major nonconformity. But my question is "Why?"

Our registrar returns at six-month intervals (checking approximately half of the elements with each visit), and we could certainly show him his past work, as evidence of an ongoing internal ISO9000 system audit program.

And if you flop your big blue ISO Compendium book open to ISO10011-1:1990 section 4.1, you'll see that audits can be performed for one OR MORE of the purposes therein described, which include not only conformance to the standard, but also for the listing of the organization in a register.

That's why I opened this particular Forum topic for discussion - it just seems that a small organization should be able to get "double duty" out of the registrar's work, which would be more efficient than having to do the whole thing twice every year.

Thanks for your observations and ideas!
 

SteelMaiden

Super Moderator
Trusted Information Resource

Why?

Because the registrar is there to assess your company's conformance to the standard. An internal auditor is there to assess your company's conformance to your quality management system, your quality policy, your way of doing business etc., etc.

Do you hire temps in your business? They do work at your place of business, and money goes from your company to their wallet. BUT, you are actually paying a temp agency to furnish you with suitable help. (See the comparison? You pay the "Registrar", they pay the auditor.) You don't have to pay that temp the same benefits as a full time employee because they are not actually employed by you. So it goes with the registrar's auditors. Even though you are paying for an audit, those auditors do not work for you, therefore you cannot consider their work as an internal audit.

Does that make sense? Don't fall into the trap of thinking just because you paid for it, their agenda is the same as yours should be.
 