Can we do audit in "VERY CONFIDENTIAL DEPARTMENTS"?

AdamEve

#1
Ladies and Gentlemen,

Good day.

Let me introduce you to our two departments within the organization:

1) Quality Assurance Department (QA), which implements the QMS under ISO 9001:2008 and has Internal Quality Auditors doing the Internal Quality Audits.

2) Internal Audit Department (IA), which performs "audits" of almost the same scope as the QA Dept.
  • They are auditing ALL the departments, including the conformance of the departments based on their "departmental procedures" and other subjects based on their IIA requirements.
  • Their audit is governed by the Institute of Internal Auditors (IIA), and the manager of the department claims that their department is mandated by the Board of Directors of the organization.
  • The IA Dept claims that they are reporting directly to the "highest" authority in the organization, which is the Board of Directors, and only reporting "administratively" to the CEO.
  • They claim that they have "CONFIDENTIAL DOCUMENTS/RECORDS" which should not be revealed to any employee (including the IQA Auditors). That is why they should NOT BE AUDITED by IQA Auditors.
Based on the facts about this department, they claim that they are NOT TO BE AUDITED by the IQA Auditors (QMS based on ISO 9001:2008) since it will be a "scrutinizing" audit. They claim that the IQA Auditors may just "fight back" against them instead of properly auditing. (Note: IA is performing audits of the QA departments, including the IQA auditors.)



MY QUESTION:
  1. DOES ISO 9001:2008 HAVE THE "RIGHT" TO CONDUCT AN AUDIT OF THIS DEPARTMENT?
Similarly:
  1. SHOULD ISO 9001:2008 PERFORM THE AUDIT OF "ALL" DEPARTMENTS, INCLUDING THE "LEGAL DEPARTMENT", "FINANCE DEPARTMENT", and even those departments which they claim that they have "VERY CONFIDENTIAL DOCUMENTS/RECORDS/PROCESSES"?
Thank you and hope to hear your comments, suggestions, remarks, etc.

Regards.
 
insect warfare

QA=Question Authority
Trusted Information Resource
#2
Sounds like overkill and unnecessary competition at work here. Why are there two audit systems in place with different objectives when surely there seem to be more than enough auditing resources to establish a unified audit program with unified objectives?

Brian :rolleyes:
 

John Broomfield

Leader
Super Moderator
#3
Adam,

No audit should be a fishing expedition. Every auditor should know what they want to see and why they want to see it and they should be able to explain this to the auditee.

Auditors avoid going places or examining evidence they do not need to see to fulfill the audit objective. They make this clear to the auditee.

Having agreed the audit objective with the auditee you will determine the security clearance requirements.

You then can bring someone onto the audit team who has the necessary clearances or engage the auditee in describing/confirming the required evidence.

If you are unable to fulfill the audit objective, as lead auditor you are obliged to inform the auditee.

Usually, depending on the auditor's manner, the auditee is willing to help out.

Forgive me for saying this, but it appears to me that you need to stop insisting on "your rights" as an auditor.

John
 

normzone

Trusted Information Resource
#4
It would be interesting to know the history of the two audit groups. Merely speculating, but how old is the organization, and which one came first?

I'll guess that the audit group answering to the board of directors was developed to reassure them regarding the functions of the company, and the QA audit group was developed as part of becoming certified to an ISO standard.

If I was the QA audit group, I'd be tempted to ignore the board's auditors. You may add additional scoffing or scorn to your ignoring if it makes you feel better. They're outside the scope of my interest and requirements.

Legal and finance are largely outside as well, unless you have a clear requirement from the standard or your internal process documentation that drags you into those arenas.
 
#5
> 1) Quality Assurance Department (QA), which implements the QMS under ISO 9001:2008 and has Internal Quality Auditors doing the Internal Quality Audits.
>
> 2) Internal Audit Department (IA), which performs "audits" of almost the same scope as the QA Dept.
> They are auditing ALL the departments, including the conformance of the departments based on their "departmental procedures" and other subjects based on their IIA requirements.
> Their audit is governed by the Institute of Internal Auditors (IIA), and the manager of the department claims that their department is mandated by the Board of Directors of the organization.
> The IA Dept claims that they are reporting directly to the "highest" authority in the organization, which is the Board of Directors, and only reporting "administratively" to the CEO.
> They claim that they have "CONFIDENTIAL DOCUMENTS/RECORDS" which should not be revealed to any employee (including the IQA Auditors). That is why they should NOT BE AUDITED by IQA Auditors.


Why was the QA group given responsibility for internal QMS audits when there's a group doing them already? (or vice versa)
 
AdamEve

#6
> Adam,
>
> No audit should be a fishing expedition. Every auditor should know what they want to see and why they want to see it and they should be able to explain this to the auditee.
>
> Auditors avoid going places or examining evidence they do not need to see to fulfill the audit objective. They make this clear to the auditee.
>
> Having agreed the audit objective with the auditee you will determine the security clearance requirements.
>
> You then can bring someone onto the audit team who has the necessary clearances or engage the auditee in describing/confirming the required evidence.
>
> If you are unable to fulfill the audit objective, as lead auditor you are obliged to inform the auditee.
>
> Usually, depending on the auditor's manner, the auditee is willing to help out.
>
> Forgive me for saying this, but it appears to me that you need to stop insisting on "your rights" as an auditor.
>
> John

Thanks.

I may have used the wrong word "rights".

However, your input is well appreciated.

Thanks again.
 
Sarah Stec

#7
In my experience, the "Internal Audit Department" and the QA department have different roles and purposes within the organization, sort of like the difference between the Quality and Legal departments. The way I understand it, the Internal Audit Department is there to ensure the company complies with all the different corporate regulations that the company has to comply with, whereas QA is there to ensure the company complies with all the different procedures the company creates for its QMS. IA doesn't specifically audit the QMS as the QMS, but rather the company's procedures with respect to its practices with respect to the laws and regulations with which it complies. In other words, it's not Quality's job to link a missing calibration record with a series of payments for $9,998 to a bank account in an opaque bank account - it's IA's job.

So to answer your questions, I don't think this department is within the scope of ISO 9001, and neither would legal or finance unless they're brought in through another function.
 
#9
> In my experience, the "Internal Audit Department" and the QA department have different roles and purposes within the organization, sort of like the difference between the Quality and Legal departments. The way I understand it, the Internal Audit Department is there to ensure the company complies with all the different corporate regulations that the company has to comply with, whereas QA is there to ensure the company complies with all the different procedures the company creates for its QMS.

This may be the case in larger companies, but in smaller ones these issues tend to overlap. My 'QA' department oversees compliance with Dodd-Frank, contract review, building codes, 'Buy-American', and a host of other 'legal' and 'HR' issues as well.
However, IA does not audit these functions; maybe that is an oversight, but it has worked so far. Third party auditors have never asked to see anything related to these issues either.
 
Taliesyn

#10
A quick internet search for the "Institute of Internal Auditors" reveals that they are concerned with risk management, corporate governance, etc. Strictly speaking these are outside the current scope of ISO 9001... until the 2015 version arrives! That could be quite an interesting bun fight if you were a bystander!!
For the moment, my judgement is that the IQA people are correct.
 