Help needed on clauses identification

[Jared]

Hi everyone,

I've been auditing a data process where I think some automation is needed for a small part which will eliminate some user manual editing. I think there is a risk to the validity of the data when a human needs to make a change. I'm thinking a built in macro can be implemented to eradicate risk.

I have identified this as an OFI rather than a NC and below are the 2 9001 clauses I feel fit the audit finding

6.1 of ISO 9001 - Actions to Address Risks and Opportunities

10.3 Continuous Improvement
Obviously 6.1 covers the risk element but do you think 10. 3 covers the automation (macro) suggestion?

Also I feel there could be a section from clause 8 noted here too.

I would be interested to know what people here think.

Thanks
Jared

 

[Jen Kirley]

Hello Jared,

Would this macro be used for one part or for the system?

If it was for a single part I would think of it as an innovation in design of part or process involved with producing that part.

If the macro was to be used widely, I think 10.3 applies better because I consider that to be a system-related clause.

 

[Jim Wynne]

Hi everyone,

I've been auditing a data process where I think some automation is needed for a small part which will eliminate some user manual editing. I think there is a risk to the validity of the data when a human needs to make a change. I'm thinking a built in macro can be implemented to eradicate risk.

I have identified this as an OFI rather than a NC and below are the 2 9001 clauses I feel fit the audit finding

6.1 of ISO 9001 - Actions to Address Risks and Opportunities

10.3 Continuous Improvement
Obviously 6.1 covers the risk element but do you think 10. 3 covers the automation (macro) suggestion?

Also I feel there could be a section from clause 8 noted here too.

I would be interested to know what people here think.

Thanks
Jared

Was this an internal audit? How did you come about finding the potential weakness? Why do you feel a need to link it to ISO 9001 clauses?

 

[Jared]

Hi Jen

Thanks very much for the reply.
The macro is for a single part. Yes I think what you suggest about design makes sense.

I get very overwhelmed with the number of clauses and sub-clauses. Do you think 6.1 fits into my audit finding here?

Thanks
Jared

 

[Jared]

Was this an internal audit? How did you come about finding the potential weakness? Why do you feel a need to link it to ISO 9001 clauses?

Hi Jim

Thanks for the reply. Yes this is an internal audit. I discovered this weakness by interviewing the auditee. The reason why I want to link my findings to clauses is more for my own learning and also I think if I documented the clauses in the internal audit report it will also help upcoming auditors in my company as we are hoping to grow audit team which at the moment is basically just me.

Thanks
Jared

 

[Jim Wynne]

Hi Jim

Thanks for the reply. Yes this is an internal audit. I discovered this weakness by interviewing the auditee. The reason why I want to link my findings to clauses is more for my own learning and also I think if I documented the clauses in the internal audit report it will also help upcoming auditors in my company as we are hoping to grow audit team which at the moment is basically just me.

Thanks
Jared

It sounds like you did a good job on the audit. Discovering system weaknesses is always a good thing. If you base your internal requirements on the clauses of the standard, then you only need to reference your internal requirements in internal audits. In the present case, since there doesn't appear to be a nonconformity, you should document what you found and what's ultimately done about it. If you document continual improvement efforts, that's the place to do it. In other words, your internal audit report should invoke the continual improvement effort.

 

[Jared]

It sounds like you did a good job on the audit. Discovering system weaknesses is always a good thing. If you base your internal requirements on the clauses of the standard, then you only need to reference your internal requirements in internal audits. In the present case, since there doesn't appear to be a nonconformity, you should document what you found and what's ultimately done about it. If you document continual improvement efforts, that's the place to do it. In other words, your internal audit report should invoke the continual improvement effort.

Thanks for the encouraging words Jim.
What you say about continual improvement makes sense.

 

[Tagin]

I get very overwhelmed with the number of clauses and sub-clauses. Do you think 6.1 fits into my audit finding here?

I do not think 6.1 is the clause to use. You did not find an issue or OFI in your organization's system of finding and addressing risks.

Instead, you found a process that had a potential to create an error due to human data entry. Therefore, I think he appropriate clause is 8.5.1g:

g) the implementation of actions to prevent human error;

Certainly, 6.1 should be ever present in your mind, as should 10.3, but they are not the clauses specific to this issue/opportunity.

If you thought that your organization's system of finding and addressing risks should have already found this issue (e.g., it should have been in a PFMEA), yet it hadn't, then that would be a different matter, and 6.1 would be more central to the issue.

 

[Jen Kirley]

I want to understand this better.

Did you know of this macro while the auditee did not? If that is the case, it does sound like an OFI.

I can offer that I have conveyed many ideas that did not end up in the audit report. Simply because the fact that I knew about idea XYZ did not mean they ended up reported as a system weakness. It just means I have something to offer. Is there a reason they shoud have known/heard about idea XYZ? If so, it sounds like a recordable OFI to me. If not, it seems like you just offered a good idea.

This can make auditing very confusing. It can be be very difficult to know when to call out something officially, and when to just convey an idea as the walking benchmark machines that we very often become.

I think the Internal Auditor's question of "What to do?" becomes one of "What will serve my organization?" primarily. We can certainly discuss clauses but this thread has eventually come down to what sort of finding (if any) this would be.

 

[Jared]

I do not think 6.1 is the clause to use. You did not find an issue or OFI in your organization's system of finding and addressing risks.

Instead, you found a process that had a potential to create an error due to human data entry. Therefore, I think he appropriate clause is 8.5.1g:


Certainly, 6.1 should be ever present in your mind, as should 10.3, but they are not the clauses specific to this issue/opportunity.

If you thought that your organization's system of finding and addressing risks should have already found this issue (e.g., it should have been in a PFMEA), yet it hadn't, then that would be a different matter, and 6.1 would be more central to the issue.

Hi Tagin,

Okay what you say there makes sense to me, 8.5.1g fits perfectly.
In terms of addressing risk, top management do look at risk but I discovered this risk on a more micro level and when I see the word risk I tend to jump straight to clause 6.1.