Conflict of Interest if I audit the QC department?

[Sidney Vianna]

Do you have customer complaints? Regulatory notices of violation? Product returns? Recalls?

You never answered that question, but the TRUE measure of an effective quality system and internal audit process is their ability to prevent negative events. Anytime you have a significant negative event, you should ask yourself: what could we have done, as an organization, to prevent this? Where is the weakness in our system that allowed for that to happen? In other words: a robust root cause analysis leading to proper corrective action. Internal audits are, for the most part, wasted efforts, because they really don't delve into aspects of materiality for the system and barely skim the surface. The symptoms of superficial audits are findings that, even when fixed, will not really make an impact on the robustness of the system. Findings, such as:

• wrong revision level of form XYZ used
• missing signature on record WTF
• Quality policy not signed by CEO

One more thing: this thread is under ISO 9001, but you mentioned your organization being a small medical device company. The ISO standard that would be more appropriate for a medical device company is ISO 13485. That standard, differently from ISO 9001 clearly states the following: "...Auditors shall not audit their own work..."

 

[Big Jim]

One more thing: this thread is under ISO 9001, but you mentioned your organization being a small medical device company. The ISO standard that would be more appropriate for a medical device company is ISO 13485. That standard, differently from ISO 9001 clearly states the following: "...Auditors shall not audit their own work..."

Yes, an interesting difference. That's because 13485 has not moved up to the high level outline like everyone else. 13485 is still based on ISO 9001:2008.

Would it be appropriate the administrators of 13485 are behind the times?

 

[Sidney Vianna]

Yes, an interesting difference. That's because 13485 has not moved up to the high level outline like everyone else. 13485 is still based on ISO 9001:2008.

Would it be appropriate the administrators of 13485 are behind the times?

The fact that an ISO Management System Standard follows the High Level Structure, does not mean they cannot add requirements in order to make their document more prescriptive, as they see fit, to deal with the risks they have in their context. As an example, ISO 37001:2016 (Anti-bribery Management System) follows the ISO HLS document. In the section that deals with Internal Audits, it requires the following, way above and beyond the requirements from the HLS:

9.2.4 To ensure the objectivity and impartiality of these audit programmes, the organization shall ensure that these audits are undertaken by one of the following:
a) an independent function or personnel established or appointed for this process; or
b) the anti-bribery compliance function (unless the scope of the audit includes an evaluation of the anti-bribery management system itself, or similar work for which the anti-bribery compliance function is responsible); or
c) an appropriate person from a department or function other than the one being audited; or
d) an appropriate third party; or
e) a group comprising any of a) to d).
The organization shall ensure that no auditor is auditing his or her own area of work.
NOTE See Clause A.16 for guidance.

As I said, just one example of an ISO HLS-based standard that EXPLICITLY prohibits people from auditing their own work. Very likely, the ISO TC 210 will keep a similar stance in the future version of ISO 13485.

 

[Dr. IJ Arora]

Hello All,

I appreciate your responses to my question. Recently, I have been promoted to be the QA manager of a small medical device company. I'll be responsible QC department as well. I'd like to know if it would be a conflict of interest if I audit the QC department since I am responsible for activities at this department.
Thank you

ISO 9001 Clause 9.2 has expectations particularly in clause 9.2.2 c to ensure objectivity and impartiality. By audit definition in ISO 19011 3.1 talks of auditor independence. Clause 4 of ISO 19011:2018 should be your guideline and if you see sub clause e on independence, it requires freedom from conflict etc (which you can read), but does say if practicable. That "if practicable" needs to be interpreted by you. Technically you could audit. Or audit with an observer from another department. You have to ensure objectivity.
So is there a clear answer. No. And Yes! the last paragraph in sub clause e says and gives you the allowance in a small organization to do this audit.
Trust this helps you in making the decision.

 

[mmasiddiqui]

A fish in the water, will not see water around her. Similarly, an auditor in a noncompliant environment may not see the non compliance. Always better to have cross functional auditor to see the same process with a fresh perspective.

 

[Big Jim]

The fact that an ISO Management System Standard follows the High Level Structure, does not mean they cannot add requirements in order to make their document more prescriptive, as they see fit, to deal with the risks they have in their context. As an example, ISO 37001:2016 (Anti-bribery Management System) follows the ISO HLS document. In the section that deals with Internal Audits, it requires the following, way above and beyond the requirements from the HLS:

9.2.4 To ensure the objectivity and impartiality of these audit programmes, the organization shall ensure that these audits are undertaken by one of the following:
a) an independent function or personnel established or appointed for this process; or
b) the anti-bribery compliance function (unless the scope of the audit includes an evaluation of the anti-bribery management system itself, or similar work for which the anti-bribery compliance function is responsible); or
c) an appropriate person from a department or function other than the one being audited; or
d) an appropriate third party; or
e) a group comprising any of a) to d).
The organization shall ensure that no auditor is auditing his or her own area of work.
NOTE See Clause A.16 for guidance.

As I said, just one example of an ISO HLS-based standard that EXPLICITLY prohibits people from auditing their own work. Very likely, the ISO TC 210 will keep a similar stance in the future version of ISO 13485.

I'm well aware that each group can and does add requirements depending on the perceived needs. That's why they are different.

It will be interesting to see what 13485 does next time. They may or may not move to the high level outline and if they do they may or may not retain the auditors shall not audit their own work. Keep in mind that AS9100 and others didn't.

 

[Big Jim]

ISO 9001 Clause 9.2 has expectations particularly in clause 9.2.2 c to ensure objectivity and impartiality. By audit definition in ISO 19011 3.1 talks of auditor independence. Clause 4 of ISO 19011:2018 should be your guideline and if you see sub clause e on independence, it requires freedom from conflict etc (which you can read), but does say if practicable. That "if practicable" needs to be interpreted by you. Technically you could audit. Or audit with an observer from another department. You have to ensure objectivity.
So is there a clear answer. No. And Yes! the last paragraph in sub clause e says and gives you the allowance in a small organization to do this audit.
Trust this helps you in making the decision.

Keep in mind the wording from ISO 9002:2016 on the subject:

"When assigning persons to conduct audits, the organization should ensure objectivity and impartiality of the audit process. In some cases, particularly smaller organizations or areas of the organization where specific job knowledge is required, it can be necessary for a person to audit their own work."

It then goes on to provide examples of how to maintain objectively and impartiality.

What I want to point out is the wording immediately after noting smaller organizations: "or areas of the organization where specific job knowledge is required . . ."

Effectively there is no limit to organization size when job specific job knowledge is required.