How do you Audit Internal Audits?

S

Sam4Quality

#11
Originally Posted by Michael T


Yep!! That's the way I read it... :agree:

As a member of the Quality Department, neither me nor the QA Manager can audit the internal audit process as we are directly involved in, and responsible for, the maintenance and upkeep of the QMS - part of which are internal audits.

However, my internal auditors are not part of the Quality Department but members of other departments throughout the organization. As such, when they audit the Internal Audit Process, they are not auditing their own work as they don't work for the Quality Department but provide a collateral duty (voluntarily) as Internal Auditors.

BTW... I've never had our Registrar or any other 3rd party auditors find anything amiss with this.

Cheers!!

Mike

I am seeing there is some confusion here. Mike, you are agreeing with Andy and at the same time disagreeing by saying that you cannot audit the Internal Audit process because you are part of the QA Dept, and I totally agree to the latter! I also agree that other auditors who are not part of the QA dept. can audit the Internal Audit Process. The process owner cannot!

Originally Posted by AndyN


I think you guys are a little off base here. Being the architect of the audit process and performing audits of it is perfectly ok! The problem comes if they audit their own audits - their 'work'. It doesn't say 'can't audit your process'......

If I designed the process, I might want to audit to see if my auditors were doing what I had designed them to do, so I can find out all kinds of things.....just as long as I didn't audit the audits I'd done.......

I believe you are making this too complicated. Someone can be objective and impartial about the others who are supposed to employ a process........

Andy, with due respect, I beg to differ here!

When an auditor performs an audit, he/she is supposed to audit the 'process', which means in this case the Auditor has to audit the Internal Audit process, not just the internal audits actually conducted by the other auditors. Furthermore, ISO 19011 Auditing guidelines states in 4d - "Auditors are independent of the activity being audited.......", thus putting to rest that a QMR or a QA Manager can audit the Internal Audit process. I would agree that the Internal Audit process owner can audit other auditors audits only, not his own audit or his own process, which includes the internal audit process.

Also, being the process owner, he may be able to see other auditors mistakes while auditing their audits, but may totally/partially ignore the internal audit design/structure, which is actually the nucleus of auditing Internal Audits.

Ciao. :cool:
 
Elsmar Forum Sponsor
#12
Sam, understood.

You are correct that the audit is of the process. However your reservations have nothing to do with 'auditing your own work' but are an indication of a bias - a lack of objectivity and impartiality! Once again, being the architect/designer of the process, doesn't automatically disbar someone from auditing it, particularly in a small organization.

I always had a problem with the idea that ISO 19011 is out of step with ISO 9001 in the 'independence' issue! Aprt from anything else, ISO 19011 isn't a good model for internal audits, a fact being addressed in the next issue, BTW.

Clearly, if you understand the use of the word, 'independence' can mean the same as 'not auditing your own work'.....not from 'another department' etc. - which was the traditional approach. This traditional 'wisdom' wasn't always correct, however, hence the word being dropped in ISO 9001:2000........
 
C

Chris Ford

#13
As I do every year I am coming to the point at which I need to assign somebody to audit internal audits. To the letter of the standard it should besomebody impartial to the process...... at the same time it needs to be somebody competant in auditing..... all "3" of the people I have onsite that are competant cannot be seen as impartial as they perform the audits.

I ask myself this same question every year, but never come up with an answer other than use the auditor who has performed the least audits to give them a chance at being impartial without avoiding half of the system audits already performed.

I have thought about getting all auditors to review the system and combining it into one big report?!?
I've worked with many small manufacturers that employed only one or two people in quality. In many of these cases, Quality was responsible not only for maintaining internal audits, but they were also responsible for CAPA, complaint handling, nonconforming material, etc.

If I'm responsible for establishing and maintaining an audit plan and schedule, and for conducting audits, it would be a conflict of interest and create a bias if I audited the audit program. The only options are to train someone internally to audit the audit program or hire a consultant.

A "competent" auditor doesn't necessarily need to be certified or formally trained by a third-party. You can train an internal auditor to verify items on a checklist to assure that the procedure has been followed and the plan executed. Unless the scope of your audit includes verification that systems have been established and are effective, you can keep this pretty simple.

You can essentially create a verification protocol for audits like this - write the protocol to a level of detail appropriate for the desired "competence" level and train an individual to the procedure.

Again, it all depends on the scope of your audit and the level of detail you want to provide in the checklist.
 

Stijloor

Staff member
Super Moderator
#14
<snip> I always had a problem with the idea that ISO 19011 is out of step with ISO 9001 in the 'independence' issue! Aprt from anything else, ISO 19011 isn't a good model for internal audits, a fact being addressed in the next issue, BTW.
I agree with Andy. ISO 19011 was not written with internal audits in mind. This changed somewhat when the American version was published which includes additional guidelines for internal audits.

Stijloor.
 
#15
Yep!! That's the way I read it... :agree:

As a member of the Quality Department, neither me nor the QA Manager can audit the internal audit process as we are directly involved in, and responsible for, the maintenance and upkeep of the QMS - part of which are internal audits.

However, my internal auditors are not part of the Quality Department but members of other departments throughout the organization. As such, when they audit the Internal Audit Process, they are not auditing their own work as they don't work for the Quality Department but provide a collateral duty (voluntarily) as Internal Auditors.

BTW... I've never had our Registrar or any other 3rd party auditors find anything amiss with this.

Cheers!!

Mike
Mike, thanks for the post. Your example isn't exacty what I was pointing to. The idea of coming from 'another department' is a very traditional one, so far as 'independence' or 'not auditing your own work' is perceived to mean. Indeed, many CB auditors accept that, as you say. After many years of training, consulting and reflecting on the ineffective audit systems I've seen etc. I have drawn a number of conclusions about what these concepts (independence, impartiality etc.) practically involve.

As long as you don't actually audit the records etc. of an audit performed by yourself, that's perfectly satisfactory - as long as you remain objective and impartial about the audit records that you do sample.

I've also found that it is undesirable to have someone from another 'dpartment' do the audit, since they often have only minimal experience of what that dept may actually do. Sure they can 'learn' but you won't get an effective audit!

Actually, I believe that a lot more care and effort has to be put into selection and assignement of auditors than has tradionally been done. Simply choosing someone from another dept. giving them a checklist and sending them off isn't going to get a really good audit result.....
 
C

Chris Ford

#16
Internal Audit Program is discussed within the Management Review Meeting, therefore it is not part of our Audit Plan.
I think it's pushing the limits to not include your audit program itself in the audit plan. 8.2.2 of the standard doesn't exclude any part of the quality system from internal audit requirements.
 
#17
I think it's pushing the limits to not include your audit program itself in the audit plan. 8.2.2 of the standard doesn't exclude any part of the quality system from internal audit requirements.
With a bit more information, I'd go as far as to say it's a major NC!:mg:
 
M

Michael T

#18
Mike, thanks for the post. Your example isn't exacty what I was pointing to. The idea of coming from 'another department' is a very traditional one, so far as 'independence' or 'not auditing your own work' is perceived to mean. Indeed, many CB auditors accept that, as you say. After many years of training, consulting and reflecting on the ineffective audit systems I've seen etc. I have drawn a number of conclusions about what these concepts (independence, impartiality etc.) practically involve.

As long as you don't actually audit the records etc. of an audit performed by yourself, that's perfectly satisfactory - as long as you remain objective and impartial about the audit records that you do sample.

I've also found that it is undesirable to have someone from another 'dpartment' do the audit, since they often have only minimal experience of what that dept may actually do. Sure they can 'learn' but you won't get an effective audit!

Actually, I believe that a lot more care and effort has to be put into selection and assignement of auditors than has tradionally been done. Simply choosing someone from another dept. giving them a checklist and sending them off isn't going to get a really good audit result.....
Hi Andy...

Well, I can certainly see your point. Unfortunately, as our Quality Department has only two individuals in it... and we both have way more work on our plates than we can handle (which is probably true for a vast majority of the folks here), it becomes necessary for us to have individuals from other departments as internal auditors.

I completely agree with your sentiment that training internal auditors is critical to getting good audits. That is why I have an 8 hour class (4 hours on the standard and 4 hours on conducting audits) prior to any internal auditor being allowed to participate in audits. Then, the auditor trainees watch and participate in internal audits with a fully trained and qualified auditor for a minimum of 4 audits. Then, the auditor trainee conducts 4 audits under the supervision of the trained auditor. At that point I am comfortable with the auditor trainee's skills and they are approved as an auditor capable of conducting a process audit on their own.

Some may see this as overkill... some may see this as underkill. I'm comfortable with the process.

Cheers!!

Mike
 
C

Chris Ford

#19
Mike, thanks for the post. Your example isn't exacty what I was pointing to. The idea of coming from 'another department' is a very traditional one, so far as 'independence' or 'not auditing your own work' is perceived to mean. Indeed, many CB auditors accept that, as you say. After many years of training, consulting and reflecting on the ineffective audit systems I've seen etc. I have drawn a number of conclusions about what these concepts (independence, impartiality etc.) practically involve.

As long as you don't actually audit the records etc. of an audit performed by yourself, that's perfectly satisfactory - as long as you remain objective and impartial about the audit records that you do sample.

I've also found that it is undesirable to have someone from another 'dpartment' do the audit, since they often have only minimal experience of what that dept may actually do. Sure they can 'learn' but you won't get an effective audit!

Actually, I believe that a lot more care and effort has to be put into selection and assignement of auditors than has tradionally been done. Simply choosing someone from another dept. giving them a checklist and sending them off isn't going to get a really good audit result.....
I agree with Andy, but these situations are generally budget decisions. If the OP's situation is similar to those I've seen, the company is probably not willing to hire a 3rd-party to conduct internal audits, nor is it willing to bear the cost of extensive training for other staff members who will perform audits as a "side-volunteer" task. They're going to pay for their registrar audits, they already employ a "Quality Person", and they aren't willing to take on the additional expense.

If you're left with only yourself or a very limited pool of trained auditors, you're not left with much else to work with. I think in most cases like this, the person responsible for the audit program is acting responsibly in asking other departments to conduct audits. As I said in my previous post here, I'd take into consideration the person's understanding of the requirements of the standard, his/her knowledge of the company's quality system, his/her ability to conduct verification activities, as well as the scope of the audit.

If need be, I'd create a step-by-step procedure for conducting an audit... essentially, an "internal audit for dummies" document. I may even increase a sample requirement.

Often, you'll find that the same person responsible for the internal audit program is responsible for CAPA like I said earlier. In these cases, that person audits then manages the corrective actions that result from the audit.

I've been the MR, responsible for the entire quality system with specific responsibilities overseeing CAPA, complaint handling, incoming inspection, document control, internal / supplier audits, etc. In cases where I didn't have a direct, day-to-day interaction with the system (i.e. document control run by a documentation specialist who reported to me), I'd conduct an audit. But where I was directly responsible for the day-to-day activities of a system (i.e. internal audit), I'd have someone audit it for me. If I couldn't find a person in the company with audit background, I'd be left with few options and I'd create a very detailed check list based on what I would look for if it were a 3rd party audit. I'd review the results of the auditor's findings with the auditor and provide guidance for documenting findings.

Most auditors I've worked with tend to want to look at the details of the audits conducted. They run through the audit procedures, verify the program and schedule are established and that it covers the entire quality system, they verify audits are conducted according to the schedule, then they want to dig in and go for the juicy details. They'll look at the scope and depth of the audits performed, review the checklists and notes, assess the final report, as well as corrective actions that result from the audit. If conducting a 3rd party audit, that's how I'd do it.
 
A

Arena

#20
For clarification, do you not audit your internal audits? Because talking about the audits in a mgmt review isn't the same.......
Thanks for your feedback; It's not just talking about audits; at the management review top management actually discuss the plan, review training needs, assign resources, etc.


I think it's pushing the limits to not include your audit program itself in the audit plan. 8.2.2 of the standard doesn't exclude any part of the quality system from internal audit requirements.
We are giving internal audit more visibility through the Management Review.
 
Thread starter Similar threads Forum Replies Date
lanley liao How to understand this words that the planning of internal audit shall take into consideration the results of previous audits? Oil and Gas Industry Standards and Regulations 10
O ISO13485 implementation - Are internal audits expected before stage 1 audit? Design and Development of Products and Processes 3
S Internal audit discrepancy - We missed a few audits that were scheduled Internal Auditing 12
G Non Conformance During ISO 9001 Audit - Not All Internal Audits Completed General Auditing Discussions 19
E Informational Internal Audits - Wear multiple hats what can and can't I audit (so I'm not auditing my own work) Internal Auditing 149
F API Spec Q1 9th Edition Surveillance Audit - Questions about internal audits. Oil and Gas Industry Standards and Regulations 22
J Internal Audit clarification - How to perform the audits IATF 16949 - Automotive Quality Systems Standard 6
K No Internal Audits For Upcoming IATF Trans Audit IATF 16949 - Automotive Quality Systems Standard 5
J Internal Audits - Closing Audit Deficiency Reports (ISO 13485) Internal Auditing 4
S Is Audit Plan / Agenda required for Internal Audits? Internal Auditing 2
C ISO 9001:2008 Surveillance Audit - No Internal Audits Internal Auditing 9
dubrizo Internal Audit Value - What is the point of conducting internal audits to a checklist Internal Auditing 40
O New Job 1 Month from Recertification Audit - Missing Documents, no Internal Audits ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 25
N Internal Process Audits - 7.1 Planning - How do YOU audit it? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
F Changing the Frequency of Internal Audits - ISO/TS 16949 Internal Audit Requirements Internal Auditing 5
Q Reducing the Frequency of Audits - Internal Audit Programme 2012 Internal Auditing 13
K Internal Audits - Necessary before Stage 1 Audit? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 42
G Internal Audit Planning - We are not getting the best out of our Internal Audits ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
K ISO 13485 Audit Finding on Regulatory Issues - Internal Audits ISO 13485:2016 - Medical Device Quality Management Systems 8
S Internal Audits required before Registration Audit - Distributors ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
ScottK Using Customer Audits as part of the Internal Audit Plan for ISO9001 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 12
M Internal Audits - Audit Departments or Processes Internal Auditing 13
M Two situations where it is appropriate to add further Hazard Audits to Internal Audit Occupational Health & Safety Management Standards 8
E Internal Audits - Presenting Audit Findings to Upper Management General Auditing Discussions 19
P No Time to Audit? Becoming "leaner" - How do you make time for Internal Audits? Internal Auditing 36
E First external audit coming up, do I need to have performed Internal Audits already? Internal Auditing 15
C New to performing internal audits - Looking for audit questions Internal Auditing 5
A Audit Database that captures internal, external audits - Prime Part 21 manufacturer Quality Assurance and Compliance Software Tools and Solutions 12
Casana How to document Internal Audits done via the "Process Audit" methodology Internal Auditing 9
S Internal Audits not performed - Useful data from internal audit schedule Internal Auditing 31
B Internal audits 3 year plan? Internal audit frequency Internal Auditing 23
Y Internal Audits of All Facilities World Wide Before the Certification Audit Internal Auditing 9
D Internal Audits and Nonconformances - Clause 8.2.2 Internal Audit (paragraph 4) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 9
W Internal Audit Schedule - Seeking Examples - Quality Audits Internal Auditing 14
Crusader Your Internal Audit Team: Internal or Hired External? Outsourcing Internal Audits Internal Auditing 100
L Internal Audit Schedule - Frequency of internal audits Internal Auditing 9
C Changing Internal Audit Program - Regional Manager Online Audits Internal Auditing 2
C Who audits the internal audit system? Internal Auditing 32
I Seeking: Internal Audit Training Material - Practice Audits? Internal Auditing 14
Gman2 ISO 9001:2000 Internal Audit: Someone PLEASE find me the "Shall" on "Process Audits" Process Audits and Layered Process Audits 37
Gman2 Internal Audits - Who Can Audit Whom? Internal Auditing 7
Gman2 ISO 9001 Internal Audit Checklists and Process Audits Process Audits and Layered Process Audits 31
A ISO 14001 Clause 4.5.4 - Internal Audit - Must a company perform internal audits? ISO 14001:2015 Specific Discussions 5
A Management Review and Internal Audits Before Registration Audit Management Review Meetings and related Processes 2
Raffy The Role of the Process Audit in ISO 9000 Internal Audits Process Audits and Layered Process Audits 22
Raffy Internal Audit vs. Customer Audits - Can we count Customer Audits as IAs? Internal Auditing 25
J Self Audits - Internal Audits - Area supervisors to audit their own area Internal Auditing 22
C Internal Audit Schedule - Documentation requirements for Internal Audits Internal Auditing 10
A Internal Audits - Can we to perform audit just using process maps? Process Maps, Process Mapping and Turtle Diagrams 19
B Our QS9000 audit team has been using checklists to perform internal audits Internal Auditing 37

Similar threads

Top Bottom