Corrective Action from Internal Audits not performed

[Jim Wynne]

Personally, I've never truly been a fan of multiple (mini) audits throughout the year. I prefer full-blown system audits. It does require a commitment from internal resources for a larger chunk of time (instead of small chunks over a space of time), but I find it provides a much better picture as to the state and health of the management system.

CBs are being paid a significant amount of money to do full system audits, and if you find that periodic well-targeted audits don't provide useful information as to the state of the system, there's something wrong with the periodic audits or the review of the results.

As for the CB requiring makeups, I think it's questionable and unless it's an explicit contractual requirement I might push back. If it is an explicit contractual requirement, you have a contract review problem.

 

[Sidney Vianna]

As for the CB requiring makeups, I think it's questionable and unless it's an explicit contractual requirement I might push back. If it is an explicit contractual requirement, you have a contract review problem.

Would you think the same if, instead of unperformed internal audits, the nonconformity was due to unperformed product inspection and tests? I.e., the organization shipped products without inspecting and testing them, according to the product quality plan.

If the CB doesn’t enforce any containment for the organization lack of adherence to an internal audit plan, the organization, which very likely believes internal audits are a waste of time and effort, will be “rewarded” for not doing something they are supposed to do.

 

[Jim Wynne]

Would you think the same if, instead of unperformed internal audits, the nonconformity was due to unperformed product inspection and tests? I.e., the organization shipped products without inspecting and testing them, according to the product quality plan.

If the CB doesn’t enforce any containment for the organization lack of adherence to an internal audit plan, the organization, which very likely believes internal audits are a waste of time and effort, will be “rewarded” for not doing something they are supposed to do.

I don't think it is or should be a system of rewards and punishments. In the example you cite, do you think it would be reasonable to make the organization redo whatever it was that was missed in shipping NC product? I'm not going to make any hard-and-fast judgments in the present case, but I think that the normal CA route--here's what we did wrong and here's what we're going to do about it--should suffice. This is especially so if the CB can't point to any evidence that the system was truly compromised by the omissions.

 

[Sidney Vianna]

In the example you cite, do you think it would be reasonable to make the organization redo whatever it was that was missed in shipping NC product?

Without a question in that example, part of the containment would require recall of the products for proper conformity verification.

As for the case in this thread, it is clear that the organization themselves don't see the benefit in the internal audit program. Otherwise, they would have "made them up" before the situation being uncovered by the CB.

That is the biggest issue at hand. Internal audits are perceived as a waste by most certified organizations. And the reality is: they are right, as the vast majority of internal audits performed out there are poorly planned, terribly executed, by auditors who have not been made competent and have zero value to the organization's management. And CB's are accomplices in letting this sad state of affairs with totally ineffective internal audits being perpetuated.

 

[AndyN]

Without a question in that example, part of the containment would require recall of the products for proper conformity verification.

As for the case in this thread, it is clear that the organization themselves don't see the benefit in the internal audit program. Otherwise, they would have "made them up" before the situation being uncovered by the CB.

That is the biggest issue at hand. Internal audits are perceived as a waste by most certified organizations. And the reality is: they are right, as the vast majority of internal audits performed out there are poorly planned, terribly executed, by auditors who have not been made competent and have zero value to the organization's management. And CB's are accomplices in letting this sad state of affairs with totally ineffective internal audits being perpetuated.

Amen, bro...

 

[jgreen39]

I typically perform one full system audit per year that covers all of my processes. I put together a 3 person team, and it typically takes 2 days. We have an opening meeting prior to, and a closing meeting with the entire management team when we are finished.

We are very good about completing LPA's and Control Plan Audits throughout the year, and data from these audits drive any additional Internal Audits that may be required.

Auditing done correctly and used for more than paperwork compliance can be a great tool.

 

[AndyN]

I typically perform one full system audit per year that covers all of my processes. I put together a 3 person team, and it typically takes 2 days. We have an opening meeting prior to, and a closing meeting with the entire management team when we are finished.

We are very good about completing LPA's and Control Plan Audits throughout the year, and data from these audits drive any additional Internal Audits that may be required.

Auditing done correctly and used for more than paperwork compliance can be a great tool.

Could you help me understand how this meets the requirement (under ISO 9001:2008 8.2.2) to have an audit program based on "status and importance"? Or on 2015 importance and considering changes? Are all processes equally important? Do they all perform to expectations? Have there been zero changes?

If you emulate the CB audits, you will please your CB - "Imitation is the sincerest form of flattery", as they say. But what benefit is one audit to your management? Are you doing audits to make them smile?

 

[jgreen39]

Could you help me understand how this meets the requirement (under ISO 9001:2008 8.2.2) to have an audit program based on "status and importance"? Or on 2015 importance and considering changes? Are all processes equally important? Do they all perform to expectations? Have there been zero changes?

If you emulate the CB audits, you will please your CB - "Imitation is the sincerest form of flattery", as they say. But what benefit is one audit to your management? Are you doing audits to make them smile?

For processes that have not changed, or processes that do not produce NC's, I believe 1 audit per year is adequate. As I mentioned in my original post, we perform LPA's daily, weekly, monthly and also perform CP audits on a regular basis. All of these combined with a full-system internal audit once per year more than meet the requirement. As I also mentioned, if we have customer concern, Internal Audit finding, or a repeated NC from an LPA we will increase the Internal Audit frequency for that process.

 

[AndyN]

For processes that have not changed, or processes that do not produce NC's, I believe 1 audit per year is adequate. As I mentioned in my original post, we perform LPA's daily, weekly, monthly and also perform CP audits on a regular basis. All of these combined with a full-system internal audit once per year more than meet the requirement. As I also mentioned, if we have customer concern, Internal Audit finding, or a repeated NC from an LPA we will increase the Internal Audit frequency for that process.

Who conducts the LPAs? If they are done by manufacturing (per the guidance) then how do you ensure the objectivity and impartiality requirement of 9.2.2 is met? Audits aren't simply scheduled based on creating ncs or changes. Do you have any process (not just manufacturing processes) which don't perform? For example, how often does Purchasing handle requests which they can't process due to the input not being sufficient? Is equipment breaking down because of ineffective maintenance? There's much more to a QMS than auditing control plans, doing LPAs and considering changes or generating ncs. The process may not change, but other factors do and they influence the process...

 

[Randy]

Just from curious, what does your contract with your CB say? You've got to have a contract and it does have to have special requirements or stipulations in it that you are contractually bound to meet to acquire and maintain your management system certification from them.

What you are being told may be nothing more than a "Condition of Contract" and those conditions have to be approved by your CB's Accreditation Body (most likely ANAB in the USA) and you have no choice but to meet them once that contract is accepted and signed.

Other than Andy or Sidney most people are unaware of the contractual side of the system certification business