Internal Audit - How to define the Importance of Departments and Processes

T

tomate

Hi,

i am new here, so please have a little patience with me.

I am a student of medical engeneering and i am working on a new internal audit schedule for a medical device company (ISO 13485 & 21 CFR 820 certified). At this time the company audits every department/process once a year. I want to create a new schedule based on status and importance.

I found many usefull informations in this cove, but i m still not shure how to understand "importance".

For the Status I will regard the findings of the previous internal and external audits and if there are any new or significantly changed processes.

But which criteria can i use to define which department/process is more or less important!? Of course the Management Review is more risky as the sales department, but how can i justify it seriously?

My last question: is it conform to audit some less important processes (sales?) only every 2 years, if there are no findings in the last internal/external Audits? There is no requirement for annual planing in 13485 or CFR 820, but it's recommended in QSIT...

Thank you for your aid!
 

Mikishots

Trusted Information Resource
Hi,

i am new here, so please have a little patience with me.

I am a student of medical engeneering and i am working on a new internal audit schedule for a medical device company (ISO 13485 & 21 CFR 820 certified). At this time the company audits every department/process once a year. I want to create a new schedule based on status and importance.

I found many usefull informations in this cove, but i m still not shure how to understand "importance".

For the Status I will regard the findings of the previous internal and external audits and if there are any new or significantly changed processes.

But which criteria can i use to define which department/process is more or less important!? Of course the Management Review is more risky as the sales department, but how can i justify it seriously?

My last question: is it conform to audit some less important processes (sales?) only every 2 years, if there are no findings in the last internal/external Audits? There is no requirement for annual planing in 13485 or CFR 820, but it's recommended in QSIT...

Thank you for your aid!

I normally start by examining the processes that have an immediate and direct effect on the quality or functionality of the product itself, or on the ability to provide the product on time (after all, you have to sell them to make anything else worthwhile). Where I work, it's the production process and the manufacturing/engineering process. Next down is order handling, followed closely with controlling nonconforming parts, inspection and production planning. There are more, but they aren't as critical.

Over the past few years, we've been able to identify where the risks are in the company. As such, some processes get a lot more attention and are examined more thoroughly than others.

I can't really answer the last question, as I'm not too familiar with 13485. I'm in the aerospace industry, and we can conduct them on a progressive or segmented basis, provided that we verify the entire organizational system within our stated interval (defined in our quality manual).
 
S

Sean Kelley

For us risk is based on our FMEA scores which you likely do not have as it is an automotive document used for risk analysis and reduction. There should be some manner to identify higher risk areas and then those should be done more frequently. Also areas that are prone to having more problems and customer complaints are often audited more often to identify potential weaknesses. Lastly, all areas within our automotive world are required to be audited at least once per year. I would think this is true for most sector specific standards and I would try to find that out before I schedule something once per 2 years.
 

John Broomfield

Leader
Super Moderator
Hi,

i am new here, so please have a little patience with me.

I am a student of medical engeneering and i am working on a new internal audit schedule for a medical device company (ISO 13485 & 21 CFR 820 certified). At this time the company audits every department/process once a year. I want to create a new schedule based on status and importance.

I found many usefull informations in this cove, but i m still not shure how to understand "importance".

For the Status I will regard the findings of the previous internal and external audits and if there are any new or significantly changed processes.

But which criteria can i use to define which department/process is more or less important!? Of course the Management Review is more risky as the sales department, but how can i justify it seriously?

My last question: is it conform to audit some less important processes (sales?) only every 2 years, if there are no findings in the last internal/external Audits? There is no requirement for annual planing in 13485 or CFR 820, but it's recommended in QSIT...

Thank you for your aid!

tomate,

Focus on processes. You could start out by auditing the processes that directly serve the customer at twice the frequency of the support processes.

The actual frequency depends on the effectiveness of process monitoring per 8.2.3. Assess this by the proportion of CARs raised as a result of monitoring and other non-audit activities.

You may find the organization waits for an auditor to issue a CAR before improving anything. This is a common but serious problem for which you will need the leaders to lead before backing off on auditing.

Aim for 80:20 ratio of non-audit to audit sources of CARs.

I would however, stop auditing departments except perhaps when conducting the occasional system audit.

John
 

somashekar

Leader
Admin
But which criteria can i use to define which department/process is more or less important!? Of course the Management Review is more risky as the sales department, but how can i justify it seriously?
A very good first up question from you tomate...
Welcome to the COVE
Criteria are not fixed as business is never ever constant.
What are the business criteria that are focused in a period.
Increase customer base / new products as you may have capacity
Increase capacity as you have more orders or potential customers approach with orders or existing cutomers increase offtake
Control rejection / scrap as the company sees this to increase the cost to company
Whan you look into the company present focus areas, you will get to know which processes are vital and this criteria defines the importance.
With the three examples that I listed, I am sure you can identify important processes where audits can be planned to see effective performance.
 
Last edited:
T

tomate

Thanks for all your answers!


A small addition for a better comprehension: We dont audit only our departments, for example our service department is splitted into 3 process audits: general service activities(1), complaint management (2) and safety advisor for occurences (national requirement) (3).


1)
Someone knows a guideline or an other source to define the importance of the processes / departments? An example how ist handled in the own Company could be usefull too.


2)
I checked some of our processes: they work effectiv, there are no internal or external findings and they arnt part of any CARs. Can i Audit them with a lower frequency as 1/year? Of course i would Change the schedule if there is a significant Change or a new finding.
The 13485 just requirts "planned Intervalls". Someone of you just handle it like this? The reason for this attention is that our personal ressources for internal audits arnt enaugh in the last time, so we want to Focus on the important processes.
I think we can justify it at an external Audit, because its better to focus on important things as some canceled audits because of ill auditors etc.
What do you think?
 

John Broomfield

Leader
Super Moderator
Thanks for all your answers!


A small addition for a better comprehension: We dont audit only our departments, for example our service department is splitted into 3 process audits: general service activities(1), complaint management (2) and safety advisor for occurences (national requirement) (3).


1)
Someone knows a guideline or an other source to define the importance of the processes / departments? An example how ist handled in the own Company could be usefull too.


2)
I checked some of our processes: they work effectiv, there are no internal or external findings and they arnt part of any CARs. Can i Audit them with a lower frequency as 1/year? Of course i would Change the schedule if there is a significant Change or a new finding.
The 13485 just requirts "planned Intervalls". Someone of you just handle it like this? The reason for this attention is that our personal ressources for internal audits arnt enaugh in the last time, so we want to Focus on the important processes.
I think we can justify it at an external Audit, because its better to focus on important things as some canceled audits because of ill auditors etc.
What do you think?

tomate,

By their nature processes are usually cross-departmental.

For example, the Human Resources Department may own the processes for:

  • Recruiting and hiring
  • Training and developing
  • Evaluating personnel performance
...but these processes involve other departments. When you audit these processes, the processes are your focus not the department.

Of the three departmental activities you identify as processes:

  1. General services
  2. Managing complaints
  3. Advising on safety

1 is too general to advise. 2 is a process that involves other departments to address the causes of complaints. 3 could be a cross-functional process if the advisor follows up on his or her advice to ensure safety management is improved.

Your organization has the authority to manage its monitoring and auditing resources. This has to be based on your assessments of risk (including your risk assessments from product and process designs) not an external guideline.

Of course you can reduce audits where processes are stable and capable to release resources for new or shaky processes where increased monitoring and auditing is necessary to assure quality.

This and our previous advice is how to define the importance of processes. These processes are served to a varying degree by your departments.

Your risk assessment should be product and process-led not department-led.

And process auditing should not replace process monitoring.

John
 

Peter Fraser

Trusted Information Resource
Some questions to ask about a process:
i) has it been changed recently?
ii) have the people working in the process changed recently, and if so do the new staff have the same level of competency as before?
iii) have there been any significant recent "issues" with the performance of the process?
iv) has the organisational / departmental structure changed in a way that would impact on the process?
v) have external factors changed (eg new key customer, change of supplier, revised business objectives...)?
vi) how significant would a process failure be?

Any of these factors might mean that you need to give a higher priority to the process.
 

John Broomfield

Leader
Super Moderator
Some questions to ask about a process:
i) has it been changed recently?
ii) have the people working in the process changed recently, and if so do the new staff have the same level of competency as before?
iii) have there been any significant recent "issues" with the performance of the process?
iv) has the organisational / departmental structure changed in a way that would impact on the process?
v) have external factors changed (eg new key customer, change of supplier, revised business objectives...)?
vi) how significant would a process failure be?

Any of these factors might mean that you need to give a higher priority to the process.

Peter,

:agree:

An excellent list of adverse risk factors.

:applause:
John
 
Top Bottom