Company Conducted Internal Audit Offsite using a Document Review Process

phxsun2001

Involved - Posts
#1
I am auditing a company this week. The internal audit was conducted offsite by 2 other employees from another site of the company. The audit report does not mention that it was done offsite. The audit was not conducted to interview employees using video conference or Skype (with video capability). The internal auditors requested documents (Calibration, POs, contract review records ...), reviewed them and wrote the report.

It is a nonconformance. My questions are:

1) Is it a major or minor N/C?

2) Can internal audits be conducted offsite if arrangements were made ahead of time to interview employees using phone, Skype video calls and other methods, with arrangements also made to obtain records picked by the auditor instead of having the auditee just email some PDF files of records?

Tony.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#2
Re: Conduct internal audit offsite

> I am auditing a company this week. The internal audit was conducted offsite by 2 other employees from another site of the company. The audit report does not mention that it was done offsite. The audit was not conducted to interview employees using video conference or Skype (with video capability). The internal auditors requested documents (Calibration, POs, contract review records ...), reviewed them and wrote the report.
>
> It is a nonconformance. My questions are:
>
> 1) Is it a major or minor N/C?
>
> 2) Can internal audits be conducted offsite if arrangements were made ahead of time to interview employees using phone, Skype video calls and other methods, with arrangements also made to obtain records picked by the auditor instead of having the auditee just email some PDF files of records?
>
> Tony.

I question if this is a nonconformance. Against which element shall it be written - where is the "shall" that says there must be personal contact, even in phone, email or video, to do an audit?

Please understand me, I do not especially like the idea, but I have done several audits of records - I call them "desk audits." When a review of records raises questions I ask them by phone, email, in person etc.

Some of my most important findings were based on records review. But there should be verification of some kind before doing a writeup of a nonconformance; maybe there is background information that would render the NC a non-issue.

However, there are certain elements that would be quite a challenge to audit via records alone. Awareness is one; a person needs to talk with employees to verify awareness. So I was wondering if the audits you are referring to were for complete system or individual processes?
 

phxsun2001

Involved - Posts
#3
Re: Conduct internal audit offsite

This was a complete audit of the QMS of section 4.0 through 8.0, to satisfy the annual internal audit requirement of section 8.2.2.

The standard requires internal audit to be effectively implemented. The audit criteria, scope, frequency and method shall be defined.

The company's internal audit procedure does not say that offsite audits are allowed. The procedure does not establish ways to conduct offsite audit using phone, video-phone to meet the intent of the AS9100 requirement for conducting internal audit. The audit report does not mention that the audits were conducted offsite.

Another problem is the sampling of records. The auditor may not be able to pick records at random. Records were picked by the auditees and emailed to the auditors. If I were the auditee, I would have a chance to review and make sure that the records that I send are all error free.....

-Tony
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#4
Re: Conduct internal audit offsite

> This was a complete audit of the QMS of section 4.0 through 8.0, to satisfy the annual internal audit requirement of section 8.2.2.
>
> The standard requires internal audit to be effectively implemented. The audit criteria, scope, frequency and method shall be defined.
>
> The company's internal audit procedure does not say that offsite audits are allowed. The procedure does not establish ways to conduct offsite audit using phone, video-phone to meet the intent of the AS9100 requirement for conducting internal audit. The audit report does not mention that the audits were conducted offsite.
>
> Another problem is the sampling of records. The auditor may not be able to pick records at random. Records were picked by the auditees and emailed to the auditors. If I were the auditee, I would have a chance to review and make sure that the records that I send are all error free.....
>
> -Tony

I think that your concerns of effectiveness are well founded, but I haven't seen anywhere a stipulation of how audits are to be conducted, save the "auditors shall not audit their own work" clauses. What standard are we dealing with? What does the standard say about how audits are to be conducted?

If you want to cite ineffectiveness, which I would enthusiastically support, it seems to me you would need to exhibit evidence of what important issue the audit failed to capture, and why the problem was lack of contact.
 

phxsun2001

Involved - Posts
#5
Re: Conduct internal audit offsite

CAAT may be used under straight guidelines. If it is used, it has to be defined in the company's Internal Audit procedure and follow the guidelines.

=================================================

IAF Mandatory Document for the use of Computer Assisted Auditing Techniques (“CAAT”) for Accredited Certification of Management Systems

http://www.compad.com.au/cms/iafnu/workstation/upFiles/232846.IAF-MD4-2008-CAAT_Pub.pdf

-Tony
 

harry

Super Moderator
#6
Re: Conduct internal audit offsite

> CAAT may be used under straight guidelines. If it is used, it has to be defined in the company's Internal Audit procedure and follow the guidelines.
>
> =================================================
>
> IAF Mandatory Document for the use of Computer Assisted Auditing Techniques (“CAAT”) for Accredited Certification of Management Systems ..........

I think the name of the document is very clear - it is for "Accredited Certification of Management Systems".

> If it is used, it has to be defined in the company's Internal Audit procedure and follow the guidelines.

Looks like this is your personal opinion - I did not see it anywhere in that IAF document!

I think organizations can mimic or copy these kinds of practices in whole or part for internal audit purposes and the auditor's job is to (if there is evidence) determine its effectiveness. As an agent of the CB isn't it your duty to consult them in cases (of uncertainty) like this?

I am giving my opinion from the ISO 9001 perspective and AS could be different.
 

phxsun2001

Involved - Posts
#7
Re: Conduct internal audit offsite

Office or remote audit may be OK for auditing some sections of the standard like 5.0 (Management) by performing desk audit of the management reviews and reports. You may be able to audit Internal audit. It is almost impossible to conduct an effective audit of 7.5 without actually performing an onsite audit.

If you audit a SMT process of a company, can you tell me how you can verify that the reflow oven settings were set to the process sheet? How can you tell that all the assemblers in the SMT areas have their wrist straps on while handling loaded PCBs? How can you verify that all the products in the production area or in the warehouse are identified? You have to be there to verify conformance.

You simply cannot conduct a remote audit as effective as an onsite audit. You cannot verify the effectiveness of a lot of activities.

Tony
 

Jim Wynne

Staff member
Admin
#8
> I am auditing a company this week. The internal audit was conducted offsite by 2 other employees from another site of the company. The audit report does not mention that it was done offsite. The audit was not conducted to interview employees using video conference or Skype (with video capability). The internal auditors requested documents (Calibration, POs, contract review records ...), reviewed them and wrote the report.
>
> It is a nonconformance. My questions are:
>
> 1) Is it a major or minor N/C?
>
> 2) Can internal audits be conducted offsite if arrangements were made ahead of time to interview employees using phone, Skype video calls and other methods, with arrangements also made to obtain records picked by the auditor instead of having the auditee just email some PDF files of records?
>
> Tony.

What sort of audit are you doing? Is this a supplier that you're auditing? If so, and your company chooses to use major/minor classifications, don't you also have clear guidelines as to classification criteria? Whether or not what the supplier did is a nonconformity is wholly dependent on the documented requirements.

8.2.2 of ISO 9001:2008 says, in part, "A documented procedure shall be established to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results." There's nothing there that prohibits what the supplier did. As far as the standard is concerned, audits may be done telepathically so long as the method is demonstrably effective.
 

phxsun2001

Involved - Posts
#9
I am conducting an AS9100:2009 registration audit of this company. They conducted a remote/offsite internal audit of the entire QMS system. It may not meet the intent of the requirements in section 8.2.2 of the standard. It may be OK if there is adequate planning before the audit to use teleconference and ways to pick random samples. It will be difficult to conduct an effective audit to cover section 7.5.

Are you saying that it is OK for any company to conduct offsite audit whenever they like?

-Tony
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#10
> I am conducting an AS9100:2009 registration audit of this company. They conducted a remote/offsite internal audit of the entire QMS system. It may not meet the intent of the requirements in section 8.2.2 of the standard. It may be OK if there is adequate planning before the audit to use teleconference and ways to pick random samples. It will be difficult to conduct an effective audit to cover section 7.5.
>
> Are you saying that it is OK for any company to conduct offsite audit whenever they like?
>
> -Tony

Thank you for clarifying this was an AS9100:2009 audit.

I have more questions. What does your accreditation agency say - have you asked them this question? What guidance have they given you on what they consider valid? Are you doing this entire registration audit alone?

What does AS9104 say? Regrettably I don't have this "Requirements for Aerospace Quality Management System Certification/Registrations Program."
 