Company Conducted Internal Audit Offsite using a Document Review Process

#11
I am conducting an AS9100:2009 registration audit of this company. They conducted a remote/offsite internal audit of the entire QMS system. It may not meet the intent of the requirements in section 8.2.2 of the standard. It may be OK if there is adequate planning before the audit to use teleconference and ways to pick random samples. It will be difficult to conduct an effective audit to cover section 7.5.

Are you saying that it is OK for any company to conduct offsite audit whenever they like?

-Tony
Tony, it's simple. You - like many of us I suspect - are questioning how on earth an audit can be effective when conducted in the way you describe. So, you'll be able to test that won't you? Sure it walks like a duck and has webbed feet, but you will have to audit the system and determine if the internal audit duck actually quacks... shouldn't be a big deal, if you are a CB auditor...
 

Jim Wynne

Staff member
Admin
#12
I am conducting an AS9100:2009 registration audit of this company. They conducted a remote/offsite internal audit of the entire QMS system. It may not meet the intent of the requirements in section 8.2.2 of the standard. It may be OK if there is adequate planning before the audit to use teleconference and ways to pick random samples. It will be difficult to conduct an effective audit to cover section 7.5.

Are you saying that it is OK for any company to conduct offsite audit whenever they like?

-Tony
I know next to nothing about AS9100, so I think Andy's given a good response--you're going to do the audit, so you'll be able to see firsthand whether the audit program is effective or not.

In a general sense I do think it's OK for an audit to be conducted from a distance if it's effective. An auditor needs to leave her personal opinions and viewpoints in the car, and look at things objectively.
 
#13
I am auditing a company this week. The internal audit was conducted offsite by 2 other employees from another site of the company. The audit report does not mention that it was done offsite. The audit was not conducted to interview employees using video conference or Skype (with video capability). The internal auditors requested documents (Calibration, POs, contract review records ...), reviewed them and wrote the report.

It is a nonconformance. My questions are:

1) Is it a major or minor N/C?

2) Can internal audits be conducted offsite if arrangements were made ahead of time to interview employees using phone, Skype video calls and other methods? Also arrangements made to obtain records picked by the Auditor instead of having the auditee just email some PDF files of records.

Tony.
If you can let us know, in broad terms, what this company does, that would help. Certain products and services can be quite effectively audited remotely, software development, for example. I'd agree, if it is a metal cutting type enterprise, that it would be difficult to audit that from a ways away...but then it isn't going to be just records and you'll see that the thing goes south very rapidly! No sweat!
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#14
It is important to draw some confines around directions in guidance documents like the IAF's document, which (at least the link you provided) is to be used for "consistent application" of ISO/IEC 17021:2006, which I should add has been superseded by ISO/IEC:2011.

That said, let's look on Page 4 of the document you very helpfully linked. 0.3 says
0.3. The objectives for the effective application of CAAT are:
a) To provide a methodology that is sufficiently flexible and non-prescriptive in nature to satisfy the needs of industry, by allowing client organizations and their respective certification bodies to use CAAT to enhance the conventional audit process, and

b) To ensure that adequate controls are in place with sufficient accreditation body oversight to avoid abuses and to prevent excessive commercial pressures that could compromise the integrity of the certification process.
...
1.2.1 In addition to the requirements in ISO/IEC 17021, clause 9.1.2, the audit plan shall identify any computer-assisted auditing techniques that will be utilized.
Regrettably I don't have a copy of ISO/IEC 17021 (which I intend to remedy) so I can't see what 9.1.2 says. However, I can point out that unless the standard to which the client is certifying to (in this case AS9100:2009) specifies computer use will be defined in audit plans, a nonconformity can't be raised because your client isn't certifying to IAF MD 4:2008; it is certifying to AS9100:2009.

The way I read the guidance document, these requirements are placed on the CB auditor although 0.3 infers CAAT is for client organizations too. But I reiterate that their QMS requirements are spelled out in AS9100, not CAAT.

So, it's the auditor's job to verify effectiveness of audits as my fellow Covers have described. Since you have questions about how on Earth they could have audited 7.5 remotely, although we're expected to audit using a sampling method I suppose you could examine their audit of the process working to requirements of 7.5 and see if its findings matched what you see. I do not feel sure experienced CB auditors here would reach a consensus that it's okay to target a specific process in their audit program like that though. I'll be interested to see the responses to such an idea.
 

Randy Lefferts

#15
Regrettably I don't have a copy of ISO/IEC 17021 (which I intend to remedy) so I can't see what 9.1.2 says. However, I can point out that unless the standard to which the client is certifying to (in this case AS9100:2009) specifies computer use will be defined in audit plans, a nonconformity can't be raised because your client isn't certifying to IAF MD 4:2008; it is certifying to AS9100:2009.
I googled ISO/IEC 17021 and good, bad or indifferent, found a copy online.

9.1.1.2 The audit programme shall include a two-stage initial audit, surveillance audits in the first and second years, and a recertification audit in the third year prior to expiration of certification. The three-year certification cycle begins with the certification or recertification decision. The determination of the audit programme and any subsequent adjustments shall consider the size of the client organization, the scope and complexity of its management system, products and processes as well as demonstrated level of management system effectiveness and the results of any previous audits.

NOTE 1 Annex E is a flowchart of a typical third-party audit and certification process.

NOTE 2 Annex F lists additional items that can be considered when developing or revising an audit programme.


Edit: This is ISO/IEC 17021:2011(E)
Randy
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#16
I googled ISO/IEC 17021 and good, bad or indifferent, found a copy online.

9.1.1.2 The audit programme shall include a two-stage initial audit, surveillance audits in the first and second years, and a recertification audit in the third year prior to expiration of certification. The three-year certification cycle begins with the certification or recertification decision. The determination of the audit programme and any subsequent adjustments shall consider the size of the client organization, the scope and complexity of its management system, products and processes as well as demonstrated level of management system effectiveness and the results of any previous audits.

NOTE 1 Annex E is a flowchart of a typical third-party audit and certification process.

NOTE 2 Annex F lists additional items that can be considered when developing or revising an audit programme.


Edit: This is ISO/IEC 17021:2011(E)
Randy
Thank you so much Randy, did you find the section 9.1.2? You quoted 9.1.1.2.
 

Randy Lefferts

#17
Thank you so much Randy, did you find the section 9.1.2? You quoted 9.1.1.2.
Oops :eek:

If this section is too much of the standard to post I can remove it or a mod can remove it. Hopefully I get it right this time :)

9.1.2 Audit plan

9.1.2.1 General

The certification body shall ensure that an audit plan is established for each audit identified in the audit programme to provide the basis for agreement regarding the conduct and scheduling of the audit activities. This audit plan shall be based on documented requirements of the certification body.

9.1.2.2 Determining audit objectives, scope and criteria

9.1.2.2.1 The audit objectives shall be determined by the certification body. The audit scope and criteria, including any changes, shall be established by the certification body after discussion with the client.

9.1.2.2.2 The audit objectives shall describe what is to be accomplished by the audit and shall include the following:
a) determination of the conformity of the client's management system, or parts of it, with audit criteria;
b) evaluation of the ability of the management system to ensure the client organization meets applicable statutory, regulatory and contractual requirements;

NOTE A management system certification audit is not a legal compliance audit.

c) evaluation of the effectiveness of the management system to ensure the client organization is continually meeting its specified objectives;
d) as applicable, identification of areas for potential improvement of the management system.

9.1.2.2.3 The audit scope shall describe the extent and boundaries of the audit, such as physical locations, organizational units, activities and processes to be audited. Where the initial or re-certification process consists of more than one audit (e.g. covering different locations), the scope of an individual audit may not cover the full certification scope, but the totality of audits shall be consistent with the scope in the certification document.

NOTE Annex F lists additional items that can be considered when preparing or revising the audit scope.

9.1.2.2.4 The audit criteria shall be used as a reference against which conformity is determined, and shall include:
- the requirements of a defined normative document on management systems;
- the defined processes and documentation of the management system developed by the client.

9.1.2.3 Preparing the audit plan
The audit plan shall be appropriate to the objectives and the scope of the audit. The audit plan shall at least include or refer to the following:
a) the audit objectives;
b) the audit criteria;
c) the audit scope, including identification of the organizational and functional units or processes to be audited;
d) the dates and sites where the on-site audit activities are to be conducted, including visits to temporary sites, as appropriate;
e) the expected time and duration of on-site audit activities;
f) the roles and responsibilities of the audit team members and accompanying persons.

NOTE 1 The audit plan information can be contained in more than one document.

NOTE 2 Annex F lists additional items that can be considered when preparing or revising the audit plan.
 
#18
I think we may be in danger of getting too far off the OP's question. He's the CB auditor, asking about the internal audit practices at a company wishing to be AS9100 registered. In which case ISO 17021 has little/no relevance...
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#19
I think we may be in danger of getting too far off the OP's question. He's the CB auditor, asking about the internal audit practices at a company wishing to be AS9100 registered. In which case ISO 17021 has little/no relevance...
That's my point, I am now satisfied that we have established there's no requirement against which a nonconformance can be written.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#20
That's my point, I am now satisfied that we have established there's no requirement against which a nonconformance can be written.
I think it depends on how creative the CB auditor wants to be. For example, 8.2.2 of AS9100C refers to an internal audit. What is the ISO 9000:2005 (normative) definition of audit?
systematic, independent and documented process (3.4.1) for obtaining audit evidence (3.9.4) and evaluating it objectively to determine the extent to which audit criteria (3.9.3) are fulfilled
So, a CB auditor can question if the virtual/remote approach to internal auditing allows the auditor to obtain audit evidence or not.

Another route is to question the effectiveness (4.1.c) of the internal audit process. One more creative route is to create a PEAR against the internal audit process (going beyond the AS9101D minimum) and deem the internal audit process not effective.

But without knowing exactly what were the processes audited remotely, how impacting, how critical, etc. they are, we would be doing a lot of speculation.
 