Internal Audit of the Internal Audit System

treesei

#31
In quite small organisations, I usually don't include audits of the audit process in the audit program itself. Why? Because there's usually little if any value in doing so.

And no, no other external auditor has ever considered it as a nonconformity nor raised a concern about it nor queried why it hasn't been done.

-------------------------------------------------------------------------
Jane,

This may be industry dependent. Last year, the US FDA cited failure to conduct internal audits in a number of warning letters for medical device cGMP violations. I don't think the size of the company was a consideration to the FDA.
 
JaneB

#33
I phrased the "waiting for the results to come in" wrong. As you mentioned we had our closing meeting and we received the auditor's recommendation for the certification during that meeting (we had no findings - at least none he decided to write), however, through their organization the audit has to go through a peer review then on to their executives for final approval. I guess they have their procedures also.
Relieved to hear it.
Yes, they have internal requirements.
If you're still waiting for the report to come, that's a bit slow.
The certificate can take longer.
I regret having to say this, but a bit too often I've found the 'back office' functions of certifiers are anything but speedy and efficient. Would that they also had good, sound and effective quality management systems in place.
If you're chomping at the bit, it's often worth chasing it up, to make sure it hasn't got stuck somewhere in the system.
 
Hodgepodge

#34
In quite small organisations, I usually don't include audits of the audit process in the audit program itself. Why? Because there's usually little if any value in doing so.

This might horrify purists or those who are convinced you 'have' to audit every single process in the system. I used to do it routinely (tedious) and actually stopped doing it with smaller companies (with a big sigh of relief) when asked why it was being done by an auditor from one of the big external certifiers some years ago and what value it provided.

Now, this is based on: having a good sound audit program in place (scheduling audits on basis of importance and risk to business), a highly competent auditor at work (often me), very detailed records available of planning, doing & reporting audits, good audit reports (she says modestly, but external auditors have often commented favourably on them) and very close involvement of MD/CEO with all aspects of business & system, including audit and no evidence of problems that might be resolved by auditing said audit process.

In a larger organisation and/or a number of auditors at work, I probably would want to include some kind of audit of audit. But in a small one? No. :nope:

And no, no other external auditor has ever considered it as a nonconformity nor raised a concern about it nor queried why it hasn't been done.
Can others please offer their viewpoints on this? Do all agree?

Jane, certainly the audit procedure must be audited for conformance to the applicable standard after its implementation or after changes have been made. Just trying to understand your rationale for not auditing the IQA process. In your example, (where you personally perform an audit) it seems that a low level of risk is involved. In this case an audit of the IQA would be on the bottom of the list for scheduling a process audit. Is this what you mean?
 
JaneB

#35
Jane, certainly the audit procedure must be audited for conformance to the applicable standard after its implementation or after changes have been made.
Maybe. Maybe not.

I thought I covered the various grounds of why not audit audit itself in reasonable detail, and yes of course low risk was a large part of it. I do apply the criteria listed in the standard: importance and status.

In this case an audit of the IQA would be on the bottom of the list for scheduling a process audit. Is this what you mean?
No. I meant it's not on "the list" at all. It is left off. Not done.

At a certain point - very rapidly reached in a small organisation with a small system and limited resources - auditing the audit process itself can be overkill.

I repeat: I am not blanket saying 'no need ever to audit internal audit'. (eg, I do audits of internal audits for some clients (including auditing areas they are directly responsible for)).

I am saying: it is not always necessary to audit internal audit. I do say: consider whether it is necessary.

As always, and as I say so often, whether it is or not will depend on the context and situation.
 
LexieB

#36
Maybe. Maybe not.

I thought I covered the various grounds of why not audit audit itself in reasonable detail, and yes of course low risk was a large part of it. I do apply the criteria listed in the standard: importance and status.


No. I meant it's not on "the list" at all. It is left off. Not done.

At a certain point - very rapidly reached in a small organisation with a small system and limited resources - auditing the audit process itself can be overkill.

I repeat: I am not blanket saying 'no need ever to audit internal audit'. (eg, I do audits of internal audits for some clients (including auditing areas they are directly responsible for)).

I am saying: it is not always necessary to audit internal audit. I do say: consider whether it is necessary.

As always, and as I say so often, whether it is or not will depend on the context and situation.
I just received a minor NC for not auditing the internal audit in my ISO9001 registration. The auditor said that per the standard, ALL processes must be audited, therefore internal auditing must be as well. I have had 4 or 5 previous audits and these were never a finding.
 
treesei

#37
I just received a minor NC for not auditing the internal audit in my ISO9001 registration. The auditor said that per the standard, ALL processes must be audited, therefore internal auditing must be as well. I have had 4 or 5 previous audits and these were never a finding.
---------------------------------------
Was it a different auditor? A typical example of the subjectiveness in the interpretation of standards. One reason to keep the same auditor as long as possible.

There is a truthful joke (or jokeful truth) in the FDA regulated industry I worked in: "Ask the same question to three FDA officers, and you will get three different answers." :)
 
LexieB

#38
---------------------------------------
Was it a different auditor? A typical example of the subjectiveness in the interpretation of standards. One reason to keep the same auditor as long as possible.

There is a truthful joke (or jokeful truth) in the FDA regulated industry I worked in: "Ask the same question to three FDA officers, and you will get three different answers." :)
They were different auditors, not by my choice.

I did mention that possibly the standard was interpreted differently, but the auditor said it was not a matter of opinion / interpretation but fact.
 
Jason PCSwitches

#39
I find it somewhat amusing that most of us on this site are auditors yet there seems to be a great consensus to not audit the audit process (devil's advocate?). While it's not specifically outlined, the audit program is a process and should be audited to ensure the audit process is "effectively implemented and maintained". Also to ensure the process is adhering to planned arrangements, why not??

The internal audit process is a vital part of any QMS (importance). While you may not need to audit it regularly, it is not going to hurt anything to ensure procedures related to the process are being followed.
 
treesei

#40
I did mention that possibly the standard was interpreted differently, but the auditor said it was not a matter of opinion / interpretation but fact.
-----------------------------------------------
The auditor probably thought you implied that HIS/HER interpretation was different (in an unfavored way) from the other auditors and thus the remark was prompted. For a minor, I would not challenge him/her further. Similarly, I would not cite this "three officer, three answers" joke in front of an FDA officer.

Strictly speaking, the internal audit 8.2.2 is part of the QMS and needs to be periodically evaluated like other parts. One default concept is or should be: If something is not explicitly exempted from the system, it is included. However, often QMS audits skip this tiny aspect because of its relatively low risk. When there is no audit, there is no finding. Usually auditors have bigger fish to fry.
 