Internal Audit - Process Clause Matrix / Audit Checklist

#1
Hi All,

I have a question regarding the internal audit process. Please see below background about the company I work for:
Our site is certified to ISO 13485:2016 and 21 CFR 820. We have an extensive audit checklist (13485 and 21 CFR 820) which is pretty much in the form of turning every clause into a question. To accompany this we also have a Process Clause Matrix, however the PCM does not reference any clauses, it simply details the process on the X axis and then has a list of “elements” on the Y axis. See example below:


PCM.png


My issue with this PCM is that the 13485:2016 and 21 CFR clauses are not specifically called out in this document. For example if an auditor were to complete an internal audit that involved the review of the change management process, The control of documents is called out as an element for review during this audit but no specific clauses are called out. Therefore the auditor needs to trawl through the audit checklist, find this element (and other applicable elements) and complete the audit.

What I would like to know if anyone has any advice or any examples of a PCM that has a list of process and a list of elements that cover all applicable clauses to that site (Ideally if you have an example that has 13485 and 21 CFR 820 that would be great, I more so just want to see how it is laid out). In my opinion the PCM should reference all clauses for all certification on site to prove that our audits are robust and all elements are taken into consideration during the internal audit process. For example, if control of documents is required the elements section should include reference to 13485:2016 4.2 and 820.40 21 CFR 820

Also I want to ultimately make it easier on the internal auditors to complete the internal audit checklist, if they can simply review the PCM, N/A the clauses which are not applicable to their audit and carry on this will save invaluable time.

If anyone’s mindset differs please let me know and describe why you do not prescribe to this method of internal auditing and what you would do differently.

Many thanks
COR
 
Elsmar Forum Sponsor

RoxaneB

Super Moderator
Super Moderator
#2
Hello, COR.

I actually like the way you have presented it, especially if you do integrated internal audits, especially if the horizontal axis is laid out in alignment with your organization's business system. When I first when down this road - years ago, to be honest and to different standards - my clause-based audit checklists included narrow columns (checkbox width) where I indicated if the clause was applicable to the standard(s) being audited.
 

Attachments

#3
Hi Roxane,

Many thanks for your feedback! The document that you attached looks great. I just have one question about it. You have broken this down by a list of requirements and you have identified which standards are applicable to those requirements. This is a great way for auditors to understand whether the requirement is applicable to their audit. But what I don't understand is how you know if the requirement is applicable to that audit in the first place? In your document example "Q1" is applicable to all your standards, but how do you know if the process you are auditing needs to be audited against that requirement?

That's were my dilemma there in lies, I am trying to match the relevant clauses to the process being audited in my PCM, therefore I want one document that an auditor can refer to and know which requirement are applicable. Then they will mark the requirements in their checklist as N/A that are not applicable and are left with the clauses that are required.

In my example I may need to create a separate PCM for each standard, rather than make it more complicated by trying to include both 13485 and 21 CFR in the same PCM

I hope that makes sense.

Regards
Cathal

Hello, COR.

I actually like the way you have presented it, especially if you do integrated internal audits, especially if the horizontal axis is laid out in alignment with your organization's business system. When I first when down this road - years ago, to be honest and to different standards - my clause-based audit checklists included narrow columns (checkbox width) where I indicated if the clause was applicable to the standard(s) being audited.
 

RoxaneB

Super Moderator
Super Moderator
#4
The question makes sense.

You could do a supporting matrix that shows your organization's elements on one axis and standard clauses along the other.

and/or

Your management rep(s) for the relevant standards reviews the internal audit checklists and determines the alignment.
 

RoxaneB

Super Moderator
Super Moderator
#6
To throw in an extra layer of complexity for you ( :notangel: ), why not use something other than 'X' to denote alignment between the clauses and your organization's elements?

We used something like:
D - Direct responsibility
U - User
- - Not Applicable (we didn't want to leave any blanks as a way to ensure that every possible combination was considered...a blank cell could mean that someone missed it)

From an internal audit perspective, this helped my team of internal auditors frame their questions based on the relationship with the clauses. For example, since my team OWNED the document control process, the questions were really clause-centric. Whereas, if an internal auditor was out in product, they'd ask questions like "So, how do you know what you need to do", "What if you forget how to do your job?", "What do you do if you realize that there's a better way to do something than what's documented?", etc.
 

GreatNate

Bareback Jack
#7
To throw in an extra layer of complexity for you ( :notangel: ), why not use something other than 'X' to denote alignment between the clauses and your organization's elements?

We used something like:
D - Direct responsibility
U - User
- - Not Applicable (we didn't want to leave any blanks as a way to ensure that every possible combination was considered...a blank cell could mean that someone missed it)

From an internal audit perspective, this helped my team of internal auditors frame their questions based on the relationship with the clauses. For example, since my team OWNED the document control process, the questions were really clause-centric. Whereas, if an internal auditor was out in product, they'd ask questions like "So, how do you know what you need to do", "What if you forget how to do your job?", "What do you do if you realize that there's a better way to do something than what's documented?", etc.
Hi Roxane

Do you have a copy of an ISO 9001 Audit schedule and Audit report? if you could share that would be really helpful thanks
 

RoxaneB

Super Moderator
Super Moderator
#8
Hi Roxane

Do you have a copy of an ISO 9001 Audit schedule and Audit report? if you could share that would be really helpful thanks
Hello, GreatNate.

An audit schedule depends upon your organization, how its management system is set-up, and the culture of your organization. Some spread their audits out over a period of time, such as one year. Others mirror an external audit and do it all in one shot at a defined frequency.

Using a Gantt chart or even just a tracker in Excel, you can indicate when an audit is scheduled, and then change the colour to show if it's in progress, on time, delayed, cancelled, etc. That can be a helpful visual aid to see if audits are being conducted on time - and if they're not, then it's time to have a discussion with senior leadership about why. Their involvement may be needed.

Your audit plan is more detailed and focuses on the scope of the audit that you're organization is about to conduct - processes, procedures, people to include, timing, agendas, etc.

Your audit report can also be based upon what your organization is looking for. Typically, it contains general information regarding the logistics of the audit (e.g., date, scope, applicable standard(s), auditor(s), and so on). Some include a section for strengths. Mine include a summary of the issued nonconformances, while I've seen others simply refer to the issued nonconformance reports.

All that being said, if you click on "Attachment List" at the top of the screen, you can do a search for 'internal audit schedule' and 'internal audit report.' That will hopefully give you some good examples which will allow you to develop something appropriate for your organization.
 
Thread starter Similar threads Forum Replies Date
U Internal Auditor not trained but done Audit for some process Nonconformance and Corrective Action 5
B Using Unreleased Documents & Process Maps for Internal Audit purposes ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 12
N Small Company - Internal audit process - Who does the audit? Internal Auditing 16
V IATF 16949 9.2.2.1 Internal Audit Program - "Process Changes" IATF 16949 - Automotive Quality Systems Standard 11
V Process and Internal Audit Criteria matrix wanted Internal Auditing 8
E How do I create a FMEA for the Internal Audit process? Internal Auditing 11
R AS9100D Internal Audit Process Checklists ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
P Internal Audit Matrix Process Query ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 38
N Internal Process Audits - 7.1 Planning - How do YOU audit it? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
W Internal Audit of the Internal Audit Process Internal Auditing 15
L Request APQP Process Internal Audit checklist APQP and PPAP 2
K Process Owners signing Internal Audit Reports Internal Auditing 6
R On Auditing Internal Audit Process - How Independence can be Established Internal Auditing 4
R Auditing a process outside the realm of the formal Internal Audit ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 9
J Can I skip Payment Process audit for TS16949 Internal Audit? IATF 16949 - Automotive Quality Systems Standard 4
C ISO 17025 Internal Audit of an "Internal Audit Process" ISO 17025 related Discussions 6
N Internal Audit Process for small Medical Device company Internal Auditing 9
M Auditing the Internal Audit Process - 8.2.2 General Auditing Discussions 2
J Auditing the Internal Auditing Process - Audit Nonconformance General Auditing Discussions 3
P Company Conducted Internal Audit Offsite using a Document Review Process Internal Auditing 65
F Airport Internal Audit Checklist (Cleaning, Project Process, Maintenance, etc) Internal Auditing 3
P Internal Audit Corrective Actions - Can a CB write an NC on an in-process CA? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 27
B Can I use Internal Audit Checklist to do Process Audit? Process Audits and Layered Process Audits 9
K When is the best time to Audit the Internal Audit Process? Internal Auditing 25
R Process Internal Audit Checklist for Service Organizations wanted ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
P Internal ISO 9001 Audit - Process Audit Checklist Internal Auditing 31
G Performing an Internal Audit on the Cost Estimating Process AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 7
J Internal Audit schedule & Process Audit Checklists Internal Auditing 3
T Internal Audit questions for Statistical Process Control and Process Control Internal Auditing 14
Casana How to document Internal Audits done via the "Process Audit" methodology Internal Auditing 9
P Problems with Internal Process Audit integration due to different CSR IATF 16949 - Automotive Quality Systems Standard 3
V Internal Audit - Process based vs. Procedure based AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 11
H Internal Audit Plan - Seperate audit plans for system, process, and for products IATF 16949 - Automotive Quality Systems Standard 4
M How to Internal Audit the Calibration Process Internal Auditing 12
tony s Let the Registrar audit the Internal Audit process Internal Auditing 45
A External Audit CAR when Internal Audit CAR is in process? General Auditing Discussions 34
T Internal audit checklists related to the software development process Internal Auditing 3
D Can Internal Auditors Audit the Internal Audit Process / System? How? General Auditing Discussions 12
M Showing the Effectiveness of the Internal Audit Process System - AS9100B Clause 8.2.2 AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 4
A Need Example of Metrics for Internal Audit Process. Internal Auditing 6
K Defining Internal Audit Process Goals & Objectives Internal Auditing 49
C Audit Differences - Process, Product, Internal? (4 questions) - TS 16949 General Auditing Discussions 7
M Internal Auditing of our APQP Process - Who can audit APQP? IATF 16949 - Automotive Quality Systems Standard 5
T Process Internal Audit - Requirement on Monitoring Objectives & Improvement ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
G Process Effectiveness Metric for the process ?Internal Audit? Internal Auditing 25
Joe Cruse Internal Audit format - Idea of the process approach to the audit Internal Auditing 16
E Internal Process Audit Sampling using MIL-STD-105-E - 500 operators on 3 shifts Inspection, Prints (Drawings), Testing, Sampling and Related Topics 4
I ISO 13485 Practical Internal Audit Checklist - Standard vs. Process Based Internal Auditing 26
Gman2 ISO 9001:2000 Internal Audit: Someone PLEASE find me the "Shall" on "Process Audits" Process Audits and Layered Process Audits 37
Claes Gefvenberg Internal Audit Process Flow Chart - Please Review Mine and Comment! Internal Auditing 27

Similar threads

Top Bottom