Internal Audit Checklists - Using the standard itself replace any checklist

Mark Smith

During a previous ISO surveillance audit a nonconformance was identified for the fact that the checklist for internal audits did not cover the requirements in enough depth.
As a corrective action I stopped using the checklist and changed the auditing procedure to require that the ISO 9001 standard itself replace any checklist so that each element is addressed where appropriate.
Last week I had another surveillance audit and the auditor wrote a non-conformance because there was no way for him to verify that I was auditing all applicable elements of the standard (the checklist used to offer this verifiable evidence). What are some possible solutions people might have?
This is a small (20 person) company and people are getting audited fairly regularly. I currently audit each department twice during the year. Would it be wiser to audit by element appropriate departments and personnel or continue to audit each department for all applicable elements?
 
Aaron Lupo

That is exactly how I do my audits. I break it down by Department, then I audit each Department to all the applicable elements. It shows on my audit schedule what elements have been audited. I think this should be able to allow you to eliminate the "checklist".
 
Hi,

I'd be very wary about not using a checklist when auditing. It's too good a tool...

Just like ISO GUY I usually audit by department, but I guess there is no right or wrong there.. It rather depends on the nature of your business and how it's set up.

I put a unique checklist together for every audit by going from the standard (to avoid missing any gaps), to the Quality Manual and the written procedures and records. I also refer every single question to one or a number of std elements.

/Claes
 
Rick Goodson

You might consider a checklist that has a column for the ISO element reference, company procedure reference/requirement, and the method of audit (what you are going to do) in addition to the other boiler plate 'stuff' on the form. Typically when I teach internal auditing I want students to learn to reference to the ISO element first, the company documentation second. This will more closely replicate what the third party will do.
 
Jim Triller

Mark,
A tool I have successfully used has been an audit plan - a one page sheet that defines when & what locations/areas are going to be audited and what elements are to be covered. Senior management approves the plan and it is retained as a quality record. The audit report reiterates what was covered in the audit (per the plan) and lists any nonconformances to the ISO standard and/or the organization's procedures. This approach has worked well at seven companies I assisted in the registration process.
 
Al Dyer

I also lead the internal audits for our company. We have broken the audit process down to two functions, product and process.

Process audits are verification of effectiveness to the elements of QS-9000. We had a checklist that was determined to be non-compliant so I requested that our auditor give us a copy of the checklists he used to audit us. He did and now there are no questions as to the validity of the checksheets.

Product audits are scheduled to determine the effectiveness of individual work stations. These checksheets cover all work station requirements as stated in procedures. In addition to the checksheet, all cell personnel are monitored using applicable control charts and instructions as guides. This type of product audit has proven very effective as it really gets cell personnel aware and involved. It also keeps the auditor happy when we show the review of these audits during management review.

ASD...
 
Gary Manion

Stuck between a Registrar and a Consultant.

A few months ago during a surveillance audit we had a finding stating "Some audits do not audit the entire element," with a few examples as evidence. The Auditor wrote it was “due to an inadequate checklist” and that we did not audit the entire element to the standard.

The checklist I am using came from a registrar (not the one we are using). It covers ISO-9000, QS-9000 and AS9000. I was using this as a starting point and would generate additional questions based on our written system on a separate work sheet. After further reviewing the checklist item by item to all three standards I verified it is verbatim of all three. (It is easy to determine which item is ISO, QS or AS since one is Normal text, one Bold and the other Italics.)

Today I just talked to our consultant (QMS-LA) who has been involved in ISO/AS for some time and he said the role of the Internal Auditor is to audit the system (Manual, Procedures and Work Instructions including product etc…) only, not to see if the system meets the standard. He said that it is Management’s responsibility as part of Management Review to make sure that the system meets the standard. He said it is the registrar's job also since they do the doc review and assessment audit, meaning they already said our written system meets the standard less any changes that may have been made of course.

What are your thoughts?
I would like to hear your opinions.
 
Alf Gulford

Gary-
IMHO - I think that's right, but only in theory.

The reality that I see is that we have to make the decisions about conformance, investigate possibilities, suggest paths to take, write procedures and train people. This may not be in our job description (although it's usually there as 'other duties as required') but that's the only way it gets done.

I hear a few stories about management being 'wildly enthusiastic' about ISO, or compliance teams, but mostly it's just us.

No big deal. Just an observation about my job.

Alf



[This message has been edited by Alf Gulford (edited 18 October 2000).]
 

Marc

> Today I just talked to our consultant (QMS-LA) who has been involved
> in ISO/AS for some time and he said the role of the Internal Auditor
> is to audit the system (Manual, Procedures and Work Instructions
> including product etc...) only, not to see if the system meets the
> standard. He said that it is Management's responsibility as part of
> Management Review to make sure that the system meets the standard. He
> said it is the registrar's job also since they do the doc review and
> assessment audit, meaning they already said our written system meets
> the standard less any changes that may have been made of course.

This is my 'opinion' as well. I'm too lazy right now to look up the threads, but I have argued this long and hard for several years (at least). The QS-9000 folks are, however, pushing this to the limit. They are the ones who started the "...let's certify internal auditors..." crusade.

There are lots of goofy-*** auditors who need some help. I do internal audits for several local companies. One auditor came into a client facility about a year ago (surveillance audit) and cited my client for 'ineffective internal audits' because I had found no problems at all for 2 years. Needless to say my client was upset. But -- luckily my client was well trained -- the Mgmt Rep pointed out that the registrar's auditors had themselves found no nonconformances and no 'opportunities for improvement' (used to be called 'minors') in 2 years. The auditor mumbled (my client's Mgmt Rep said he really enjoyed watching the little pr__k squirm on that one) and withdrew the finding prior to leaving with -- as you may have guessed by now - no findings!

Internal auditing has transmuted into a game.

Also see:

http://Elsmar.com/ubb/Forum13/HTML/000000.html and
http://Elsmar.com/ubb/Forum13/HTML/000005.html and
http://Elsmar.com/ubb/Forum13/HTML/000031.html

(to name a few found in a SEARCH for "internal audit").
 