Internal Audit Difficulties - Am I headed in the right direction?

[JaneB]

Thank you for your input! That's great to get feedback!!!

That's one of the reasons the Cove exists

This thread seems to be pulling in various directions and I'd like to get a little clearer about the situation.

Questions:

1. Are you certified to ISO 9001? Or, if not, are you intending to achieve certification?
2. What is the purpose of the current audit?
3. What does your company do?

If the answer to 1 is yes, then you can solve at least one argument by referencing the appropriate clause/s in the Standard. And that, by the way, is also a very good indicator of the need to be clear about what the benchmark is against which you are auditing.

Your training procedure says

“Department supervisors shall determine the need for retraining according to the requirements established for each process” and my finding is “There is no training requirements established for each process”.

Points that stand out for me are:

• Only RE training is mentioned (nothing about initial training) which is odd to say the least
• The way I read it, I don't see any requirement to set training requirements! So a manager could indeed argue 'we haven't set any, so I don't need to train' and/or, 'it says nothing about having them in writing' - and both would be a bit hard to argue against

I do feel for you - you're finding out, at first hand, how difficult internal audit can be. And that's an awfully difficult position to be in and I'm not surprised you're confused.

Please give the answer to Questions (esp 1), because further advice will be different if the answer to that is Yes or No.

PS 'Just reading' is inadequate training for any auditor. That's not a reflection on you, but on whoever put you in that invidious position. Ineffective, unfair and downright awful. One of the most basic requirements in any quality system is to have people who have the competencies required for their work, and it is a fundamental responsibility of management to ensure that that is provided. Which includes providing training to acquire the competencies if that is needed, as it is for auditors.

 

[ElenKa]

Questions:

1. Are you certified to ISO 9001? Or, if not, are you intending to achieve certification?
2. What is the purpose of the current audit?
3. What does your company do?

1. No, we aren't certified yet. And Yes, we are intended to achieve it
   The ideal "date" according to my boss is ASAP, because we lost several big orders since we are not ISO 9001 certified.
2. The purpose of the audit is to get ready for the certification and find our weak spots. And while we are doing that to train personnel and management team on procedures and WI.
   We do have bulk of the "paper side"" of QMS ready, but it's just on paper and system isn't running yet.
3. We have engineering department to design electronic devices and facilities to manufacture circuit boards. Company is small (about 20 people, including hand assembling line)

Points that stand out for me are:

• Only RE training is mentioned (nothing about initial training) which is odd to say the least

You do not see anything about initial training, because we have a separate section for it in our training procedure.

Points that stand out for me are:

• The way I read it, I don't see any requirement to set training requirements! So a manager could indeed argue 'we haven't set any, so I don't need to train' and/or, 'it says nothing about having them in writing' - and both would be a bit hard to argue against

And I've found a lot of places like that in our procedures. My boss explains it as a "good procedures are written with very precise wording to intentionally create requirements in some places and intentionally not create requirements in others". So when we face a certification audit it's easier to defend it.

 

[qusys]

My boss explains it as a "good procedures are written with very precise wording to intentionally create requirements in some places and intentionally not create requirements in others". So when we face a certification audit it's easier to defend it.

Hi ElenKa,
Only to give a small suggestion from my side.
I have only left as quote what your boss said about good procedures.
My suggestion is to have "quality documents", not burden for the organization.
In my experience don't exist good procedures or what else.
Procedures, records, work instructions etc. should be finalized to improve QMS processes and better serve the customer, without thinking to defend position during the certification audit.

 

[ElenKa]

My suggestion is to have "quality documents", not burden for the organization.
In my experience don't exist good procedures or whatelse.
Procedures, records, work instructions etc. should be finalized to improve QMS processes and better serve the customer, without thinking to defebd position during the certification audit.

I agree with you 100%! But my manager thinks he knows better and I'm still learning More I know - more chances I have to change his mind by explaining why and how. I obviously don't know enough to talk about it (yet)

 

[JaneB]

OK, now I'm clearer.

[*]The purpose of the audit is to get ready for the certification and find our weak spots. And while we are doing that to train personnel and management team on procedures and WI.

In that case, your organisation appears to be somewhat misunderstanding of the internal audit requirements. Suggest you go back and closely re-read the relevant clause - and 'getting ready for certification' is not among them

Trying to audit AND train at the same time? Big ask and not a great idea. At all. Sounds like muddy thinking on behalf of whoever came up with that idea. Separate them out - eg, do training /coaching /whatever. Then verify whether it's working/worked via audit.

We do have bulk of the "paper side"" of QMS ready, but it's just on paper and system isn't running yet.

And that is a Big Problem. The system needs to be a "happening thing" not a bunch of paper. What's written should be what is being done, and what has been agreed as the organisation worked through the build/revise our system. If it's all new and not happening, you have bigger problems which go back to.... top management.


I second the advice from previous post - write a system that helps you achieve your defined goals and objectives, satisfy customers, and constantly improve! Not something you can 'defend' in an audit! That way lies madness and frustration, not to mention wasted opportunity.

Suggest you focus very, very hard on what is in your documented system, and tread a careful and extremely fact-based, objective path during audit. Look at what the system says. Then look for evidence that the system is being followed and that it is effectively implemented.
Now, don't get bogged down in the minutiae of wording (if possible) - focus on processes, and issues of risk and importance. So if something isn't being done, report that as objectively as you can, citing the actual evidence for your finding. Note possible risks and consequences. But avoid giving opinion or recommendations to fix.

Also, if the procedures/whatever do not appear to meet ISO 9001 requirements, then report that too - and again, reference the actual requirement/s not met.

By the way, when you closely re-read the competency requirements in 6.2... naturally your system should have defined the competency required for internal auditors as well. And be able to provide suitable evidence/records to demonstrate that the auditor/s have the required competencies. What does management plan to do there?

 

[JaneB]

Our department manager says that there is no necessity for requirements to be written and we do have them, he just knows them by heart.

He's wrong about 'no necessity'.

He may well 'know them by heart'. But that is not a system and it sure as hell doesn't meet ISO 9001.

Let's review the Standard:

6.2.1 General
Personnel performing work affecting conformity to product requirements shall be competent on the basis of appropriate education, training, skills and experience.
NOTE Conformity to product requirements can be affected directly or indirectly by personnel performing any task within the quality management system.
6.2.2 Competence, training and awareness
The organization shall
a) determine the necessary competence for personnel performing work affecting conformity to product requirements,
b) where applicable, provide training or take other actions to achieve the necessary competence,
c) evaluate the effectiveness of the actions taken,
d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives, and
e) maintain appropriate records of education, training, skills and experience (see 4.2.4).

For a start, stop talking about 'training' and start talking about competency. Training may or may not be required to achieve this.

Has your department manager done a)? Where is some evidence of this? eg, is it in a job description, a competency matrix, a training needs analysis? Something else? Where IS it? And 'in my head' is not acceptable.
And has this been done for internal auditors? Same questions.

Has s/he done b)? Where is the evidence? Same for internal auditor.

What records for e) are kept? Are they acceptable? Ditto for internal auditor.

I’m convinced that people are trained with no system in mind. Is it a finding?

Only if you have objective and factual evidence - or lack of any! Are things going wrong? Are errors being made? Are things being returned/failing inspections/generating complaints etc? If not, what IS the evidence of this?

How do we know that I am (or he is) wrong?

Focus on objective factual data and evidence. It's not about opinion or belief.

 

[Helmut Jilling]

I agree with you 100%! But my manager thinks he knows better and I'm still learning More I know - more chances I have to change his mind by explaining why and how. I obviously don't know enough to talk about it (yet)

It sounds like some well grounded training would help you understand the system and intent of the requirements better. I and others here on the forum provide training to help management teams have a good understanding of where ISO 9001 wants you to go. Some of what you say is correct, and some of what the other managers said is also correct. Good training would help you focus more on what is good for your organization and a little less on what is good for certification. That comes along automatically, if the system is good for the organization.

 

[ElenKa]

Here is what I ended up with. I made a second revision of my audit report and It looks like we are happy with it.
I added better description of the findings like some of you recommended

 

[Golfman25]

Here is what I ended up with. I made a second revision of my audit report and It looks like we are happy with it.
I added better description of the findings like some of you recommended

I don't think you are specific enough. For example, for item one you make no reference to who does not have documented eduction, training or experience.

Similarly in item 2, you make no reference as to whom did not have orientation training. As the department manager, how am I going to figure this out? Give me a lead here as to who you are talking about so I can verify you finding. Same with item 3.

Item 5, is the puzzle. Why are you looking at records from 2007? As I understand it, this is a relatively new system you are implementing. Is it possible that the records from 2007 didn't even apply to the current revision of your requirement?

Could the item 1,2 & 3 problems be similar -- your looking at old employees hired and trained before the system was in place. As a department manager, I would like to know what review of more recent records showed. If they were correct, then what happened in 2007 is irrelevant.

Good luck.

 

[ElenKa]

Could the item 1,2 & 3 problems be similar -- your looking at old employees hired and trained before the system was in place. As a department manager, I would like to know what review of more recent records showed. If they were correct, then what happened in 2007 is irrelevant.

The only training records we have are from 2007... :mg: And the original version of the procedure dated 2005. I don't think anybody knew it existed (other than the owner of the company) but that's what I have...

And I missed another finding which would make things easier to understand (Now I need to revise the report again).
Records of "appropriate education, training, and experience for the position being filled" are presented by resumes. We keep them locked. For some reasons I couldn't access them at the time of audit. A priory I know that we do not collect resumes for the production (assembly line) personnel. And I based my finding on that.

I know it sounds horrible, but we are still learning...